Old 02-27-2008, 09:54 AM   #1
Ygrex
iptables filters not anything


Quote:
$tcpdump net 74.54.182.247 -v -n

[...]

3 packets captured
3 packets received by filter
0 packets dropped by kernel
i.e. iptables allowed 3 packets to be proceeded
in order to block them I add the following lines at the beginning of my firewall table:
Code:
iptables -A INPUT -s 74.54.182.0/24 -j DROP
iptables -A INPUT -d 74.54.182.0/24 -j DROP
I suppose it should block anything from 74.54.182.247
meanwhile tcpdump captures:
Quote:
# tcpdump net 74.54.182.247 -v -n
tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
18:25:57.377811 IP (tos 0x0, ttl 53, id 56439, offset 0, flags [DF], proto: TCP (6), length: 60) 74.54.182.247.23889 > 192.168.21.102.80: S, cksum 0x8fce (correct), 3172836414:3172836414(0) win 32120 <mss 1460,sackOK,timestamp 13988017 855638016,nop,wscale 0>

1 packets captured
1 packets received by filter
0 packets dropped by kernel
and also a counter of packets filtered by my first iptables rule is continuously increasing:

Quote:
# iptables -L -v -n
Chain INPUT (policy DROP 405K packets, 34M bytes)
pkts bytes target prot opt in out source destination
42360 2542K DROP tcp -- * * 74.54.182.0/24 192.168.21.102 tcp dpt:80
0 0 DROP 0 -- * * 74.54.182.0/24 0.0.0.0/0

how to block anything from this IP?

Last edited by Ygrex; 02-27-2008 at 09:57 AM.
 
Old 02-27-2008, 01:31 PM   #2
anomie
Quote:
Originally Posted by Ygrex
i.e. iptables allowed 3 packets to be proceeded
I don't agree with that conclusion at all. Read the manpages for tcpdump(1).

Code:
When tcpdump finishes capturing packets, it will report counts of:

              packets ``captured'' (this is the number of packets that tcpdump
              has received and processed);

              packets ``received by filter'' (the meaning of this  depends  on
              the  OS on which you're running tcpdump, and possibly on the way
              the OS was configured - if a filter was specified on the command
              line,  on some OSes it counts packets regardless of whether they
              were matched by the filter expression and,  even  if  they  were
              matched  by the filter expression, regardless of whether tcpdump
              has read and processed them yet, on other OSes  it  counts  only
              packets that were matched by the filter expression regardless of
              whether tcpdump has read and processed them yet,  and  on  other
              OSes  it  counts  only  packets  that were matched by the filter
              expression and were processed by tcpdump);

              packets ``dropped by kernel'' (this is  the  number  of  packets
              that  were dropped, due to a lack of buffer space, by the packet
              capture mechanism in the OS on which tcpdump is running, if  the
              OS  reports that information to applications; if not, it will be
              reported as 0).
To test packet filtering rules, use nmap / netcat / hping or other security tools that will allow you to send packets appropriate for your testing.

Last edited by anomie; 02-27-2008 at 01:32 PM.
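
An added example, not part of either post: a packet that tcpdump shows has reached the interface, which says nothing about whether the INPUT chain accepted it, whereas the per-rule counters in the `iptables -L -v -n` listing record what netfilter dropped. The shell functions below sum those counters for one source; the function names and the `snapshot_later` listing are constructed for illustration, and `snapshot_thread` is the listing quoted in post #1.

```shell
# Added example, not from the thread.

# Expand a counter such as 42360, 405K or 34M. Without -x, iptables rounds
# large counters to K/M/G (powers of 1000), so prefer `iptables -L -v -n -x`.
expand_count() {
    case "$1" in
        *K) echo $(( ${1%K} * 1000 )) ;;
        *M) echo $(( ${1%M} * 1000000 )) ;;
        *G) echo $(( ${1%G} * 1000000000 )) ;;
        *)  echo "$1" ;;
    esac
}

# Sum the pkts column of every DROP rule whose source column equals $1.
# Reads `iptables -L INPUT -v -n` output on stdin.
drop_hits() {
    total=0
    while read -r pkts bytes target prot opt iif oif source dest rest; do
        [ "$target" = "DROP" ] && [ "$source" = "$1" ] || continue
        total=$(( total + $(expand_count "$pkts") ))
    done
    echo "$total"
}

# Listing from the thread.
snapshot_thread() {
    cat <<'EOF'
Chain INPUT (policy DROP 405K packets, 34M bytes)
pkts bytes target prot opt in out source destination
42360 2542K DROP tcp -- * * 74.54.182.0/24 192.168.21.102 tcp dpt:80
0 0 DROP 0 -- * * 74.54.182.0/24 0.0.0.0/0
EOF
}

# Constructed later listing: three more packets hit the first rule.
snapshot_later() {
    cat <<'EOF'
Chain INPUT (policy DROP 405K packets, 34M bytes)
pkts bytes target prot opt in out source destination
42363 2542K DROP tcp -- * * 74.54.182.0/24 192.168.21.102 tcp dpt:80
0 0 DROP 0 -- * * 74.54.182.0/24 0.0.0.0/0
EOF
}

# Packets dropped for source $1 between the two listings.
drop_delta() {
    echo $(( $(snapshot_later | drop_hits "$1") - $(snapshot_thread | drop_hits "$1") ))
}
drop_delta 74.54.182.0/24   # prints 3
```

On a live host, pipe `iptables -L INPUT -v -n -x` into `drop_hits 74.54.182.0/24` before and after sending test traffic and compare the two totals.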
 
  

