
I have a firewall with these simple rules:

iptables -A INPUT -p tcp -s 127.0.0.1/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.16.20/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000 -j REJECT

Now, suppose I am using TCPDUMP like this:

tcpdump port 6000

And I have host 192.168.16.21 trying to connect to port 6000.

Will/should tcpdump output some packets coming from 192.168.16.21?

GregL

1 Answer


tcpdump uses libpcap and libpcap processes packets before they get processed by the firewall, so the answer is "yes".

Alex
  • This is only partially true. tcpdump will see inbound traffic before iptables, but will see outbound traffic only after the firewall has processed it. See https://superuser.com/q/925286/18898 – chb May 19 '17 at 10:05
  • So is there a way to drop incoming packets from a specific IP so that even tcpdump won't see them? – 23r23f23q Feb 15 '22 at 22:25
  • @23r23f23q The XDP API happens before the AF_PACKET API. Probably requires eBPF. See this schematic: https://en.wikipedia.org/wiki/Netfilter#/media/File:Netfilter-packet-flow.svg – A.B Mar 23 '24 at 18:57
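The following script is an added example, not code from the question or the answer, that makes the point above checkable on a Linux box. It has two parts. `summarize_capture` reads tcpdump's text output and, per client address, counts SYNs, SYN-ACKs and ICMP port-unreachable replies, which is enough to tell "accepted" from "rejected" (the REJECT target's default ICMP reply) from "dropped or unanswered" (only SYN retransmissions). It is fed a constructed capture: 192.168.16.21 is the rejected host from the question, 192.168.16.20 the accepted one, and 192.168.16.22 is a hypothetical host hitting a DROP rule that is not on the page, added so all three verdict branches are exercised. `run_live_demo` (root only, pass `live` as the first argument) reproduces the question's three rules inside a network namespace, captures on the server side with a filter widened to `tcp port 6000 or icmp`, and prints the `iptables -vnL` counters next to the capture summary. Assumed, not from the page: the server address 192.168.16.1, the namespace and veth names, and that `ip`, `iptables`, `tcpdump`, `nc` and `timeout` are installed.

```shell
#!/bin/sh
# Added example: correlate a tcpdump capture with iptables verdicts.
# Not from the original question or answer; see the lead-in for assumptions.

# Constructed sample in `tcpdump -n` text format. .21 is REJECTed (SYN, then the
# ICMP reply netfilter generates), .20 is ACCEPTed (full handshake start), .22 is a
# hypothetical host hitting a DROP rule (SYN retransmitted, nothing comes back).
SAMPLE_CAPTURE='12:00:00.000100 IP 192.168.16.21.40000 > 192.168.16.1.6000: Flags [S], seq 1000, win 64240, length 0
12:00:00.000180 IP 192.168.16.1 > 192.168.16.21: ICMP 192.168.16.1 tcp port 6000 unreachable, length 60
12:00:01.000100 IP 192.168.16.20.40001 > 192.168.16.1.6000: Flags [S], seq 2000, win 64240, length 0
12:00:01.000150 IP 192.168.16.1.6000 > 192.168.16.20.40001: Flags [S.], seq 3000, ack 2001, win 65160, length 0
12:00:01.000200 IP 192.168.16.20.40001 > 192.168.16.1.6000: Flags [.], ack 1, win 502, length 0
12:00:02.000100 IP 192.168.16.22.40002 > 192.168.16.1.6000: Flags [S], seq 4000, win 64240, length 0
12:00:03.000100 IP 192.168.16.22.40002 > 192.168.16.1.6000: Flags [S], seq 4000, win 64240, length 0'

# Read tcpdump text on stdin; print one sorted line per client:
#   <client> syn=N synack=N icmp_unreach=N verdict=<accepted|rejected|dropped-or-unanswered>
summarize_capture() {
  awk '
    # "a.b.c.d.port:" or "a.b.c.d.port" -> "a.b.c.d"
    function hostport(s) { sub(/:$/, "", s); sub(/\.[0-9]+$/, "", s); return s }
    # "a.b.c.d:" -> "a.b.c.d" (ICMP lines carry no port on the outer header)
    function hostonly(s) { sub(/:$/, "", s); return s }
    $2 == "IP" && $6 == "Flags" && $7 == "[S],"  { syn[hostport($3)]++ }     # client SYN
    $2 == "IP" && $6 == "Flags" && $7 == "[S.]," { synack[hostport($5)]++ }  # server SYN-ACK to client
    $2 == "IP" && $6 == "ICMP" && /unreachable/  { icmp[hostonly($5)]++ }    # REJECT reply to client
    END {
      for (c in syn) {
        v = (synack[c] > 0) ? "accepted" : ((icmp[c] > 0) ? "rejected" : "dropped-or-unanswered")
        printf "%s syn=%d synack=%d icmp_unreach=%d verdict=%s\n", c, syn[c], synack[c], icmp[c], v
      }
    }' | sort
}

# Root only. Builds two namespaces joined by a veth pair, installs the question's
# rules on the server side, captures there, and connects from the blocked client.
run_live_demo() {
  SRV=192.168.16.1   # assumed server address (the page only names the clients)
  CLI=192.168.16.21  # the rejected client from the question
  ip netns add fwsrv && ip netns add fwcli
  ip link add veth-s type veth peer name veth-c
  ip link set veth-s netns fwsrv
  ip link set veth-c netns fwcli
  ip -n fwsrv addr add "$SRV/24" dev veth-s && ip -n fwsrv link set veth-s up
  ip -n fwcli addr add "$CLI/24" dev veth-c && ip -n fwcli link set veth-c up
  # The three rules exactly as in the question.
  ip netns exec fwsrv iptables -A INPUT -p tcp -s 127.0.0.1/32 --dport 6000 -j ACCEPT
  ip netns exec fwsrv iptables -A INPUT -p tcp -s 192.168.16.20/32 --dport 6000 -j ACCEPT
  ip netns exec fwsrv iptables -A INPUT -p tcp --dport 6000 -j REJECT
  # Capture on the server side. "port 6000" alone would hide the ICMP reject, which
  # tcpdump only sees on the way out, after netfilter produced it.
  ip netns exec fwsrv timeout 4 tcpdump -n -l -i veth-s 'tcp port 6000 or icmp' > /tmp/fwdemo.txt 2>/dev/null &
  sleep 1
  ip netns exec fwcli nc -z -w 1 "$SRV" 6000 || true   # blocked attempt; refusal is expected
  wait                                                 # tcpdump exits when timeout fires
  ip netns exec fwsrv iptables -vnL INPUT               # REJECT rule's pkts counter has incremented
  summarize_capture < /tmp/fwdemo.txt                  # yet the SYN from .21 is in the capture
  ip netns del fwsrv; ip netns del fwcli
}

# Offline part always runs; the namespace demo only when asked for.
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_capture
if [ "${1:-}" = "live" ]; then run_live_demo; fi
```

In the live run the capture shows the SYN from 192.168.16.21 followed by `ICMP 192.168.16.1 tcp port 6000 unreachable`, while the `iptables -vnL INPUT` counter for the REJECT rule shows the same packet was refused: the inbound SYN reached tcpdump before netfilter, and the ICMP reply reached it after. Had the rule been DROP instead, the summary would report `dropped-or-unanswered`, since nothing leaves the host at all.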