[pkg-netfilter-team] Bug#961117: iptables: Packet and byte counters in default policy stay zero

Zeilinger Markus Markus.Zeilinger at fh-hagenberg.at
Wed May 20 11:23:28 BST 2020


Package: iptables
Version: 1.8.2-4
Severity: normal

Dear Maintainer,

When setting the default policy of a chain in the filter table to DROP
and testing with traffic that is not handled by any other rule in the
chain (and so should be handled by the default policy), the packet and
byte counters of the policy stay zero.

Example rule setup:

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9207   15M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
2        2   120 ACCEPT     tcp  --  ens40  *       172.16.61.0/24       172.16.61.128        tcp spts:1024:65535 dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      563 89057 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
2        0     0 ACCEPT     tcp  --  ens38  ens33   172.16.254.0/24      0.0.0.0/0            tcp spts:1024:65535 multiport dports 80,443 state NEW

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5136  592K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED

Now, when sending an ICMP ping from a system behind the firewall to an
IP address the firewall has (e.g. 172.15.61.128), which is not allowed by
this rule setup, the pings get blocked, but the counters in the
iptables -nvL --line-numbers output stay zero.

I also verified the same behaviour on a second freshly installed Debian
10 system.

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
(ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8
(charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.28-10
ii  libip4tc0                1.8.2-4
ii  libip6tc0                1.8.2-4
ii  libiptc0                 1.8.2-4
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.2-2
ii  libxtables12             1.8.2-4

Versions of packages iptables recommends:
pn  nftables  <none>

Versions of packages iptables suggests:
ii  kmod  26-1

-- no debconf information
-- 

Dipl.-Ing. Markus Zeilinger
Secure Information Systems degree programmes
Faculty of Informatics, Communications and Media

FH Oberösterreich
FH Building 1, Room A 005
Softwarepark 11
4232 Hagenberg
Tel.: +43 (0) 5 0804 22524
Mobile: +43 (0) 664 8048422524
Fax: +43 (0) 5 0804 22599
E-Mail: markus.zeilinger at fh-hagenberg.at
Web: www.fh-ooe.at

Firmenbuchgericht/Court of registry: Landesgericht Wels
Firmenbuchnummer/Company registration: FN 236729 g
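As an added example (it is not part of the report and not code from the Debian iptables package), the following Python script parses the listing format that `iptables -nvL --line-numbers` prints, as shown in the report, and flags chains whose DROP policy reports zero packets, which is the symptom described. The sample input is the report's own listing with the wrapped rows re-joined; the class and function names are this example's own. One practical caveat the script has to deal with: `-v` abbreviates and rounds large counters (15M, 592K), so when counters are compared across listings, `iptables -nvxL` (`--exact`) should be used to get exact values.

```python
"""Parse `iptables -nvL --line-numbers` output and report chains whose DROP
policy shows zero packets, the situation described in the bug report.

Added example, not part of the original report. Names are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the report's listing, with the wrapped rows re-joined
# (constructed for this example).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9207   15M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
2        2   120 ACCEPT     tcp  --  ens40  *       172.16.61.0/24       172.16.61.128        tcp spts:1024:65535 dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      563 89057 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
2        0     0 ACCEPT     tcp  --  ens38  ens33   172.16.254.0/24      0.0.0.0/0            tcp spts:1024:65535 multiport dports 80,443 state NEW

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5136  592K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
"""

# Built-in chains carry a policy and its counters; user-defined chains only
# carry a reference count.
BUILTIN_CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
USER_CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
# num, pkts, bytes, target, prot. Assumes every rule has a target; a rule
# without -j leaves the target column blank and would shift the fields.
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

# Without -x, iptables abbreviates counters above five digits in units of
# 1000 and rounds them, so expanded values are approximate.
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


@dataclass
class Rule:
    num: int
    pkts: int
    bytes: int
    target: str
    proto: str


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains
    policy_pkts: int
    policy_bytes: int
    rules: List[Rule] = field(default_factory=list)


def parse_count(tok: str) -> int:
    """Expand an abbreviated counter such as '15M' or '592K' into an integer."""
    if tok[-1] in SUFFIX:
        return int(tok[:-1]) * SUFFIX[tok[-1]]
    return int(tok)


def parse_listing(text: str) -> List[Chain]:
    """Turn a full -nvL --line-numbers listing into Chain objects."""
    chains: List[Chain] = []
    cur: Optional[Chain] = None
    for line in text.splitlines():
        m = BUILTIN_CHAIN_RE.match(line)
        if m:
            cur = Chain(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
            chains.append(cur)
            continue
        m = USER_CHAIN_RE.match(line)
        if m:
            cur = Chain(m.group(1), None, 0, 0)
            chains.append(cur)
            continue
        m = RULE_RE.match(line)
        if m and cur is not None:  # header and blank lines do not match
            cur.rules.append(Rule(int(m.group(1)), parse_count(m.group(2)),
                                  parse_count(m.group(3)), m.group(4), m.group(5)))
    return chains


def silent_drop_policies(chains: List[Chain]) -> List[str]:
    """Names of chains whose DROP policy reports zero packets. When traffic
    is known to be dropped, these are the counters that should have moved."""
    return [c.name for c in chains if c.policy == "DROP" and c.policy_pkts == 0]


def rule_packet_totals(chains: List[Chain]) -> dict:
    """Per-chain sum of the rule packet counters, for comparison with the
    policy counter of the same chain."""
    return {c.name: sum(r.pkts for r in c.rules) for c in chains}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("rule totals:", rule_packet_totals(parsed))
    print("DROP policies with zero packets:", silent_drop_policies(parsed))
```

Run against the report's listing, the script names all three built-in chains as DROP policies with zero packets; on a host where probe traffic is known to be dropped, a non-empty result is the check to repeat after collecting a fresh `-x` listing.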