Posted: Wed Jul 08, 2009 1:17 pm Post subject: where do packets arrive first? libpcap or Firewall?
Hi all,
In a Linux system running netfilter, with some general accept/deny iptables rules, where do packets arrive first? Is it at the libpcap packet sniffing interface or at the netfilter framework?
Joined: 28 Oct 2002 Posts: 16777215 Location: Chicago, IL US
Posted: Tue Sep 21, 2010 3:08 pm Post subject:
Actually, libpcap will see the packet before it is handled by netfilter. So if your iptables denies ICMP and you try to ping the host, tcpdump will show the ICMP echo requests, but the firewall will dump the traffic.
Now, I can't remember offhand, but I think the PREROUTING chain might be different. So if you do some NATing, PREROUTING might muck with the packet before libpcap sees it. Not positive, so test it out on your own if that's important for your results.
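One way to run the test the reply suggests, as an added example (not code from the thread or either poster): insert an ICMP DROP rule on the host being pinged, capture with tcpdump while another host pings it, then compare the echo requests in the capture with the DROP rule's packet counter. The parsing helpers, the interface name, the output format assumed for `iptables -vnL INPUT`, and the `live_check` wrapper are all assumptions; the live part needs root and a second host.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the claim that a capture on the
# interface sees inbound packets that netfilter's INPUT chain then drops.

# Count ICMP echo requests in tcpdump's default one-line output (stdin).
count_echo_requests() {
  grep -c 'ICMP echo request' || true   # grep -c prints 0 but exits 1 on no match
}

# Read the packet counter of the first icmp DROP rule from 'iptables -vnL INPUT'
# (stdin). Assumed column layout: pkts bytes target prot opt in out src dst ...
# Newer iptables may print the protocol numerically with -n, hence "1".
drop_counter() {
  awk '$3 == "DROP" && ($4 == "icmp" || $4 == "1") { print $1; exit }'
}

# Succeeds when the capture holds at least as many echo requests as the DROP
# rule counted, i.e. every dropped packet had already passed the capture tap.
capture_saw_dropped() {
  seen="$1"; dropped="$2"
  [ "$dropped" -gt 0 ] && [ "$seen" -ge "$dropped" ]
}

# Live version (root, run on the pinged host, assumed interface eth0):
# ping this host from elsewhere while it runs, then read the verdict.
live_check() {
  iface="${1:-eth0}"; secs="${2:-10}"
  iptables -I INPUT 1 -p icmp --icmp-type echo-request -j DROP
  timeout "$secs" tcpdump -l -n -i "$iface" icmp > /tmp/icmp_cap.txt 2>/dev/null
  seen=$(count_echo_requests < /tmp/icmp_cap.txt)
  dropped=$(iptables -vnL INPUT | drop_counter)
  iptables -D INPUT -p icmp --icmp-type echo-request -j DROP
  echo "captured=$seen dropped=$dropped"
  capture_saw_dropped "$seen" "$dropped"
}

# Only run the live check when explicitly asked: ./check.sh live [iface] [secs]
if [ "${1-}" = "live" ]; then
  shift
  live_check "$@"
fi
```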