| 1 |
On 02/25/2010 02:11 PM, Kan-I Jyo wrote: |
| 2 |
> Dear list, |
| 3 |
> |
| 4 |
> This might be too fundamental to answer, but I would like to know |
| 5 |
> when will the 'dropped' value in the output of /sbin/ifconfig be counted up. |
| 6 |
> |
| 7 |
> I have tried setting up a firewall using iptables with a very simple rule like |
| 8 |
> the following: |
| 9 |
> |
| 10 |
> <samle> |
| 11 |
> # iptables -A INPUT -p tcp --dport 80 -j DROP |
| 12 |
> |
| 13 |
> When trying to connect from the other host through tcp port 80, there |
| 14 |
> was no response, which is expected. |
| 15 |
> |
| 16 |
> However, the 'dropped' value was note added up even the packet is dropped. |
| 17 |
|
| 18 |
Well, you're talking about two different things: |
| 19 |
the dropped value in ifconfig output is related to Ethernet packet which |
| 20 |
would be dropped by hardware. |
| 21 |
The target DROP of iptables tells to the kernel to drop the packet at |
| 22 |
software level. |
| 23 |
|
| 24 |
If you want to see the dropped packet statistics on software level (ie |
| 25 |
iptables), run iptables -v -L . |
| 26 |
|
| 27 |
> Any comment would be greatly appreciated. |
| 28 |
|
| 29 |
-- |
| 30 |
Xavier Parizet |
| 31 |
YaGB : http://gentooist.com |
| 32 |
GPG : C7DC B10E FC21 63BE |
| 33 |
B453 D239 F6E6 DF65 1569 91BF |
Archives