Package: iptables
Version: 1.8.2-4
Severity: normal

Dear Maintainer,

When setting the default policy of a chain in the filter table to DROP and testing with traffic that is not handled by another rule in the chain (and so should be handled by the default policy), the packet and byte counters stay zero.

Example rule setup:

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9207   15M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
2        2   120 ACCEPT     tcp  --  ens40  *       172.16.61.0/24       172.16.61.128        tcp spts:1024:65535 dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      563 89057 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
2        0     0 ACCEPT     tcp  --  ens38  ens33   172.16.254.0/24      0.0.0.0/0            tcp spts:1024:65535 multiport dports 80,443 state NEW

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5136  592K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED

Now when sending an ICMP ping from a system behind the firewall to an IP the firewall has (e.g. 172.15.61.128), which is not allowed by this rule setup, the pings get blocked but the counters in the iptables -nvL --line-numbers output stay zero.

I also verified the same behaviour on a second freshly installed Debian 10 system.
-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.28-10
ii  libip4tc0                1.8.2-4
ii  libip6tc0                1.8.2-4
ii  libiptc0                 1.8.2-4
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.2-2
ii  libxtables12             1.8.2-4

Versions of packages iptables recommends:
pn  nftables  <none>

Versions of packages iptables suggests:
ii  kmod  26-1

-- no debconf information

--
Dipl.-Ing. Markus Zeilinger
Studiengänge Sichere Informationssysteme
Fakultät für Informatik, Kommunikation und Medien
FH Oberösterreich
FH-Gebäude 1, Raum A 005
Softwarepark 11
4232 Hagenberg
Tel.: +43 (0) 5 0804 22524
Mobile: +43 (0) 664 8048422524
Fax: +43 (0) 5 0804 22599
E-Mail: markus.zeilin...@fh-hagenberg.at
Web: www.fh-ooe.at
Firmenbuchgericht/Court of registry: Landesgericht Wels
Firmenbuchnummer/Company registration: FN 236729 g
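A small checker, added here as an example and not part of the bug report or of the iptables project, that makes the observation above easy to verify on a listing rather than by eye. It parses `iptables -nvL --line-numbers` output into per-chain policy counters and per-rule counters, diffs two snapshots (taken before and after sending the test traffic) and reports every counter that grew, so it is immediately visible whether the chain's default policy counter moved. The "before" listing is the output quoted in the report; the "after" snapshot is constructed for the example (one more packet matched INPUT rule 2, the policy counter still zero). Note that without `-x` iptables rounds large counters to K/M/G (1000-based), which the parser expands; take snapshots with `-x` for exact byte counts.

```python
"""Parse `iptables -nvL --line-numbers` output and diff two snapshots.

Added example; sample listings below are constructed from the bug report's
output (BEFORE) and invented for illustration (AFTER).
"""
import re

CHAIN_RE = re.compile(
    r"^Chain (?P<chain>\S+) \(policy (?P<policy>\S+) "
    r"(?P<pkts>\d+) packets, (?P<bytes>\d+) bytes\)$"
)
# User-defined chains have no policy; iptables prints a reference count instead.
USER_CHAIN_RE = re.compile(r"^Chain (?P<chain>\S+) \(\d+ references\)$")
# Columns: num pkts bytes target prot opt in out source destination [match ...]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+"
    r"(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+"
    r"(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<match>.*)$"
)
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(text):
    """Expand iptables' rounded counters (15M -> 15000000); use -x for exact values."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad counter: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_listing(text):
    """Return {chain: {"policy", "pkts", "bytes", "rules": {num: rule dict}}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("num "):      # blank line or column header
            continue
        m = CHAIN_RE.match(line) or USER_CHAIN_RE.match(line)
        if m:
            g = m.groupdict()
            current = chains.setdefault(g["chain"], {
                "policy": g.get("policy"),            # None for user-defined chains
                "pkts": int(g.get("pkts", 0)),
                "bytes": int(g.get("bytes", 0)),
                "rules": {},
            })
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rule = m.groupdict()
            rule["num"] = int(rule["num"])
            rule["pkts"] = parse_count(rule["pkts"])
            rule["bytes"] = parse_count(rule["bytes"])
            rule["match"] = rule["match"].strip()
            current["rules"][rule["num"]] = rule
            continue
        raise ValueError(f"unparsed line: {line!r}")
    return chains


def diff_counters(before, after):
    """List (chain, where, pkts_delta, bytes_delta) for each counter that grew.

    `where` is "policy" for the chain's default-policy counter, else the rule number.
    Chains or rules present in only one snapshot are ignored.
    """
    deltas = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            continue
        if new["policy"] is not None:
            dp, db = new["pkts"] - old["pkts"], new["bytes"] - old["bytes"]
            if dp or db:
                deltas.append((name, "policy", dp, db))
        for num, rule in new["rules"].items():
            old_rule = old["rules"].get(num)
            if old_rule is None:
                continue
            dp, db = rule["pkts"] - old_rule["pkts"], rule["bytes"] - old_rule["bytes"]
            if dp or db:
                deltas.append((name, num, dp, db))
    return deltas


def policy_counter_moved(before, after, chain):
    """True if the default-policy packet counter of `chain` grew between snapshots."""
    return any(c == chain and w == "policy" and dp > 0
               for c, w, dp, _ in diff_counters(before, after))


# Snapshot quoted in the bug report (constructed copy of its listing).
BEFORE = """
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9207   15M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
2        2   120 ACCEPT     tcp  --  ens40  *       172.16.61.0/24       172.16.61.128        tcp spts:1024:65535 dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      563 89057 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
2        0     0 ACCEPT     tcp  --  ens38  ens33   172.16.254.0/24      0.0.0.0/0            tcp spts:1024:65535 multiport dports 80,443 state NEW

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5136  592K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
"""

# Constructed "after" snapshot: one more SSH packet hit rule 2, policy still zero.
AFTER = """
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9207   15M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
2        3   180 ACCEPT     tcp  --  ens40  *       172.16.61.0/24       172.16.61.128        tcp spts:1024:65535 dpt:22 state NEW
"""

if __name__ == "__main__":
    b, a = parse_listing(BEFORE), parse_listing(AFTER)
    for chain, where, dp, db in diff_counters(b, a):
        print(f"{chain} {where}: +{dp} packets, +{db} bytes")
    print("INPUT policy counter moved:", policy_counter_moved(b, a, "INPUT"))
```

In practice, run `iptables -nvxL --line-numbers` before and after the blocked ping, feed both outputs to `parse_listing`, and look at `diff_counters`; an empty result after traffic that was demonstrably dropped is the symptom described in the report. It is worth recording `iptables -V` alongside the snapshots, since on this release it shows whether the legacy or the nf_tables backend is in use.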