When and How Are iptables Packet/Byte Counters Reset? A Linux Networking Deep Dive



In Linux networking, iptables maintains counters for the packets and bytes matched by each rule (and by each chain's default policy). These counters are stored in kernel memory and persist until one of the events listed below occurs.

# Sample output showing counters
Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10  1200 ACCEPT     tcp  --  eth0   any     192.168.1.0/24       anywhere            tcp dpt:22

The primary situations in which counters get cleared:

  • System reboot: all counters are volatile and start again at zero
  • Manual flush: using iptables -Z or iptables --zero
  • Rule modification: when a rule is deleted or replaced, its counters are lost with it

To maintain counters across reboots, save and restore the rules together with their counters (the -c flag includes them):

# Save current counters before shutdown
iptables-save -c > /etc/iptables.rules

# Restore with counters (at boot)
iptables-restore -c < /etc/iptables.rules

Here's a script that logs counter changes between runs without resetting them:

#!/bin/bash
set -u
# Capture current counters (-n avoids DNS lookups; chain headers and rule lines only)
iptables -L -v -n | awk '/^Chain / {print $1,$2,$3,$4} /^[ ]+[0-9]/ {print $1,$2}' > /tmp/iptables_counters.log

# Compare with previous run (diff exits non-zero when counters changed, which is expected)
if [ -f /tmp/iptables_counters.prev ]; then
    diff -u /tmp/iptables_counters.prev /tmp/iptables_counters.log || true
fi

# Rotate files so the next run compares against this one
mv /tmp/iptables_counters.log /tmp/iptables_counters.prev
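As an added example (not part of the original post), the following Python script does the comparison above per rule instead of as a raw diff, working from two iptables-save -c snapshots: a counter that went backwards between snapshots means that rule was zeroed, replaced or re-created in between, which is exactly the reset behaviour this page describes. The two dumps are constructed sample data, not real output.

```python
import re

# iptables-save -c lines: ":CHAIN POLICY [pkts:bytes]" and "[pkts:bytes] -A CHAIN ..."; *table/COMMIT are skipped
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s.*)$")

# Constructed sample dumps (not real output): the ssh rule's counters went backwards
# between snapshots, the icmp rule is gone and a dns rule appeared.
SNAP_T0 = """\
*filter
:INPUT ACCEPT [1234:567890]
:FORWARD DROP [0:0]
[10:1200] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[5:400] -A INPUT -p icmp -j DROP
COMMIT
"""
SNAP_T1 = """\
*filter
:INPUT ACCEPT [1300:600000]
:FORWARD DROP [0:0]
[3:360] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[7:560] -A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

def parse_counters(dump):
    """Map 'policy CHAIN' and each rule spec to its (packets, bytes) pair."""
    counters = {}
    for line in dump.splitlines():
        if m := CHAIN_RE.match(line):
            counters["policy " + m.group(1)] = (int(m.group(3)), int(m.group(4)))
        elif m := RULE_RE.match(line):
            counters[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return counters

def compare_snapshots(old, new):
    """Traffic per rule since the previous snapshot; a counter that decreased was reset in between."""
    report = {}
    for key, (pkts, byts) in new.items():
        if key not in old:
            report[key] = {"status": "new"}
        elif pkts < old[key][0] or byts < old[key][1]:
            report[key] = {"status": "reset", "pkts": pkts, "bytes": byts}
        else:
            report[key] = {"status": "ok", "pkts": pkts - old[key][0], "bytes": byts - old[key][1]}
    for key in old.keys() - new.keys():
        report[key] = {"status": "removed"}
    return report
```

On a live system, feed it the output of two `iptables-save -c` runs taken some time apart; a "reset" status on a rule you did not touch is the signal to check for a -Z, a service restart or a rule replacement.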

Counters are maintained by the xt_counters kernel module. The actual storage is in the kernel's memory space and follows these rules:

  • Per-CPU counters for performance
  • 32-bit or 64-bit counters depending on kernel version
  • No automatic rotation mechanism exists

The byte/packet counters in iptables are volatile by default and get cleared under these circumstances:

1. System reboot (most common scenario)
2. Manual reset via iptables -Z command
3. Service restart (iptables/network services)
4. Kernel module reload

To maintain counters persistently, you'll need to save and restore them:

# Save current rules with counters
iptables-save -c > /etc/iptables.rules

# Restore after reboot (add to startup scripts)
iptables-restore -c < /etc/iptables.rules

Here's a script that preserves counters across a service restart and archives a monthly copy of the statistics:

#!/bin/bash
set -e
# Save counters to a temp file before the restart wipes them
iptables-save -c > /tmp/iptables.tmp

# Service restart example (this reloads the rules and clears the counters)
systemctl restart iptables

# Restore rules together with their counters
iptables-restore -c < /tmp/iptables.tmp

# Optional: archive monthly stats
TIMESTAMP=$(date +%Y-%m)
mkdir -p /var/log/iptables
cp /tmp/iptables.tmp /var/log/iptables/stats_$TIMESTAMP

For long-term monitoring, consider these approaches:

# Using iptables-rotate (third-party tool)
iptables-rotate -d /var/lib/iptables -n 30

# Custom rotation with logrotate
/var/log/iptables.rules {
    weekly
    rotate 4
    postrotate
        iptables-save -c > /var/log/iptables.rules
    endscript
}

When counters behave unexpectedly, check:

# Verify counter storage
ls -lh /etc/iptables.rules

# Check if restore happens at boot
grep iptables-restore /etc/rc.local

# Test manual save/restore
iptables -L -v -n  # Before
iptables-restore -c < backup.file
iptables -L -v -n  # After