When and How Are iptables Packet/Byte Counters Reset? A Linux Networking Deep Dive



In Linux networking, iptables keeps a packet counter and a byte counter for every rule and for every chain policy. These counters live in kernel memory and persist until one of the events listed below clears them; iptables -L -v -n shows them in the pkts and bytes columns:

# Sample output showing counters
Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10  1200 ACCEPT     tcp  --  eth0   any     192.168.1.0/24       anywhere            tcp dpt:22

The primary situations when counters get cleared:

  • System reboot: the counters are volatile kernel state, so every one of them starts again at zero
  • Manual flush: iptables -Z (or --zero), optionally restricted to one chain or one rule number
  • Rule modification: deleting or replacing a rule discards that rule's counters

To carry the counters across a reboot, save them together with the rules before shutdown and restore them at boot; the -c flag of both tools is what includes the counters:

# Save current counters before shutdown
iptables-save -c > /etc/iptables.rules

# Restore with counters (at boot)
iptables-restore -c < /etc/iptables.rules

Here's a script to log counter changes without resetting:

#!/bin/bash
# Snapshot the current counters without zeroing them. -x prints exact values
# instead of the abbreviated 567K/12M form -v uses on its own, so diffs compare real numbers.
STATE_DIR=/var/lib/iptables_counters   # root-owned directory rather than world-writable /tmp
mkdir -p "$STATE_DIR"
# Keep the chain lines (policy counters) and the rule lines (which start with the pkts value);
# the whole line is kept so a diff shows which rule a changed counter belongs to.
iptables -L -v -n -x | awk '/^Chain/ || /^[ ]*[0-9]/' > "$STATE_DIR/counters.log"

# Compare with previous run
if [ -f "$STATE_DIR/counters.prev" ]; then
    diff -u "$STATE_DIR/counters.prev" "$STATE_DIR/counters.log"
fi

# Rotate files
mv "$STATE_DIR/counters.log" "$STATE_DIR/counters.prev"
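As an added example (not part of the original article), here is a Python script that compares two iptables-save -c snapshots: it parses the [pkts:bytes] prefixes on chain and rule lines, reports the per-rule delta, and flags any counter that went backwards as a reset caused by one of the events above (reboot, -Z, rule replaced) instead of reporting a negative delta. The two snapshots are constructed sample data, not output from a real host.

```python
import re

# Constructed sample snapshots in `iptables-save -c` format (not captured from a real host):
# chain lines carry the policy counters as [pkts:bytes], rule lines are prefixed with them.
SNAPSHOT_BEFORE = """\
*filter
:INPUT ACCEPT [1234:567890]
[10:1200] -A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[5:400] -A INPUT -p icmp -j DROP
COMMIT
"""
SNAPSHOT_AFTER = """\
*filter
:INPUT ACCEPT [1300:600000]
[25:3000] -A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[2:160] -A INPUT -p icmp -j DROP
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")  # :CHAIN POLICY [pkts:bytes]
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s.*)$")          # [pkts:bytes] -A CHAIN ...


def parse_counters(dump):
    """Map (table, policy-or-rule text, occurrence) -> (packets, bytes)."""
    counters, seen, table = {}, {}, None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):  # table header such as *filter or *nat
            table = line[1:]
            continue
        m = CHAIN_RE.match(line)
        if m:
            counters[(table, f"policy {m.group(1)}", 1)] = (int(m.group(3)), int(m.group(4)))
            continue
        m = RULE_RE.match(line)
        if m:
            key = (table, m.group(3))
            seen[key] = seen.get(key, 0) + 1  # identical rules are told apart by their order
            counters[key + (seen[key],)] = (int(m.group(1)), int(m.group(2)))
    return counters


def counter_deltas(before, after):
    """Return {key: (delta_pkts, delta_bytes, reset)} for every counter in `after`.
    A counter that went backwards was zeroed between the snapshots (reboot, -Z,
    rule replaced), so its delta is taken from zero and flagged, never negative."""
    old, deltas = parse_counters(before), {}
    for key, (pkts, byts) in parse_counters(after).items():
        old_pkts, old_byts = old.get(key, (0, 0))
        reset = pkts < old_pkts or byts < old_byts
        deltas[key] = (pkts - (0 if reset else old_pkts), byts - (0 if reset else old_byts), reset)
    return deltas
```

Feed it the files written by iptables-save -c on two consecutive runs and a flagged entry tells you a counter was cleared between them, which is the signal the monitoring script above cannot see from the raw numbers alone.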

Counters are maintained by the xt_counters kernel module. The actual storage is in the kernel's memory space and follows these rules:

  • Per-CPU counters for performance
  • 32-bit or 64-bit counters depending on kernel version
  • No automatic rotation mechanism exists

The byte/packet counters in iptables are volatile by default and get cleared under these circumstances:

1. System reboot (most common scenario)
2. Manual reset via iptables -Z command
3. Service restart (iptables/network services)
4. Kernel module reload

To maintain counters persistently, you'll need to save and restore them:

# Save current rules with counters
iptables-save -c > /etc/iptables.rules

# Restore after reboot (add to startup scripts)
iptables-restore -c < /etc/iptables.rules

Here's a script that preserves the counters across a service restart and keeps a monthly archive of them:

#!/bin/bash
# Save the rules with their counters to a private temp file; mktemp avoids a
# predictable, pre-creatable path under /tmp, and the trap removes it on exit
TMP=$(mktemp /tmp/iptables.XXXXXX)
trap 'rm -f "$TMP"' EXIT
iptables-save -c > "$TMP"

# Service restart example (reloading the rules zeroes the counters)
systemctl restart iptables

# Restore the rules together with the saved counters
iptables-restore -c < "$TMP"

# Optional: archive monthly stats
TIMESTAMP=$(date +%Y-%m)
mkdir -p /var/log/iptables
cp "$TMP" "/var/log/iptables/stats_$TIMESTAMP"

For long-term monitoring, consider these approaches:

# Using iptables-rotate (third-party tool)
iptables-rotate -d /var/lib/iptables -n 30

# Custom rotation with logrotate
/var/log/iptables.rules {
    weekly
    rotate 4
    postrotate
        iptables-save -c > /var/log/iptables.rules
    endscript
}

When counters behave unexpectedly, check:

# Verify counter storage
ls -lh /etc/iptables.rules

# Check if restore happens at boot
grep iptables-restore /etc/rc.local

# Test manual save/restore
iptables -L -v -n  # Before
iptables-restore -c < backup.file
iptables -L -v -n  # After