When debugging network issues, it's crucial to understand the relationship between packet capturing tools and firewall rules. Let's examine the specific scenario where we have:
iptables -A INPUT -p tcp -s 127.0.0.1/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.16.20/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000 -j REJECT
And we're running:
tcpdump port 6000
The key to understanding this behavior lies in where the Linux network stack hands packets to each tool:
- Packets arrive at the network interface and the driver passes them to the kernel
- tcpdump (libpcap on an AF_PACKET socket) gets its copy of each inbound packet right there, before any netfilter hook runs
- Packets then move through the netfilter/iptables chains (PREROUTING, then INPUT for traffic addressed to this host)
The order is reversed for traffic leaving the host: outbound packets traverse the OUTPUT chain before they reach the packet tap, so a packet dropped by OUTPUT never shows up in tcpdump.
Let's test this with concrete examples. First, set up our test environment (iptables -F removes every rule in the filter table; on a remote host whose INPUT policy is DROP that locks you out, so do this from a console or on a test box):
# Clear existing rules
iptables -F
# Add our test rules
iptables -A INPUT -p tcp -s 127.0.0.1/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.16.20/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000 -j REJECT --reject-with icmp-port-unreachable
Now in one terminal, run:
tcpdump -ni any port 6000 -vv
In another terminal, simulate connection attempts. Because the rules match on the source address, the attempts have to originate from the client hosts, not point at them; 192.168.1.100 below stands for the server (the address used in the sample output that follows):
# Run on 192.168.16.20: matches the second ACCEPT rule, so the handshake completes (given a listener on 6000)
nc -zv 192.168.1.100 6000
# Run on 192.168.16.21: matches no ACCEPT rule and falls through to REJECT, so nc reports the connection as refused
nc -zv 192.168.1.100 6000
For the rejected connection (192.168.16.21), you'll see:
12:34:56.789012 IP (tos 0x0, ttl 64, id 12345, offset 0, flags [DF], proto TCP (6), length 60)
192.168.16.21.54321 > 192.168.1.100.6000: Flags [S], cksum 0xabcd (correct), seq 123456789, win 64240, options [mss 1460,sackOK,TS val 987654321 ecr 0,nop,wscale 7], length 0
You'll also see the server's REJECT response in the same capture: with the rule as written (--reject-with icmp-port-unreachable, which is also REJECT's default) that is an ICMP port unreachable message addressed to 192.168.16.21; with --reject-with tcp-reset it would be a TCP RST instead. A DROP target sends nothing, so the SYN would appear in tcpdump with no answer and the client would keep retransmitting it.
For more detailed analysis, consider these tcpdump variations:
# Capture only pure SYN packets (new connection attempts); tcp[13] & 2 != 0 alone would also match the server's SYN-ACK replies
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and port 6000'
# Capture with hex and ASCII output, including the link-layer header
tcpdump -XX port 6000
# Capture on a specific interface; inbound packets on eth0 are still seen before any iptables processing
tcpdump -i eth0 -n port 6000
When debugging, combine tcpdump with other tools:
# Monitor per-rule packet/byte counters: the counter that increments tells you which rule matched
iptables -L INPUT -v -n --line-numbers
# Check kernel logs for drops (only meaningful if a LOG rule precedes the DROP/REJECT; a plain DROP is silent)
dmesg | grep -i drop
# Combine with conntrack: an entry is only confirmed once the packet passes INPUT, so a rejected SYN never shows up as NEW here
conntrack -E
Remember that tcpdump shows inbound packets at the earliest possible point in the network stack, while iptables processes them later; for outbound packets the order is reversed. This fundamental understanding helps troubleshoot complex network issues.
When working with Linux networking, it's crucial to understand how tcpdump and iptables interact in the packet processing pipeline. The key fact is: tcpdump (through libpcap's AF_PACKET socket) taps the device layer, below netfilter, so for inbound traffic it sees packets before they reach the firewall rules; for outbound traffic the order is reversed, and a packet dropped in the OUTPUT chain never reaches the tap.
Here's the simplified packet journey for an inbound packet:
1. Packet arrives at network interface
2. tcpdump captures the packet (if matching filter)
3. Packet reaches netfilter/iptables (PREROUTING, then INPUT for locally delivered traffic)
4. Firewall rules are applied
This means even packets that will eventually be dropped or rejected by iptables will be visible to tcpdump.
Let's test this with your exact scenario. First, set up the iptables rules:
# Clear existing rules
iptables -F
iptables -X
# Set up specific rules
iptables -A INPUT -p tcp -s 127.0.0.1/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.16.20/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000 -j REJECT
Now run tcpdump in another terminal:
tcpdump -i eth0 port 6000 -nnvv
From host 192.168.16.21, attempt to connect:
telnet your_server_ip 6000
In the tcpdump output, you'll see:
- SYN packet from 192.168.16.21
- Server's REJECT response: an ICMP port unreachable message for the rule as written (REJECT defaults to --reject-with icmp-port-unreachable); you only get a TCP RST if the rule says --reject-with tcp-reset
This shows that tcpdump does see the initial connection attempt before iptables blocks it, and that the reject response itself is visible too.
For debugging complex firewall issues, you can combine both tools. The logging chain below must come before the terminating REJECT rule, because rules are evaluated in order and anything appended after REJECT is never reached for port 6000; it is also restricted to port 6000 on purpose, since an unrestricted "-A INPUT -j LOGGING" ending in DROP turns INPUT into default-deny and will cut off your own SSH session:
# Remove the plain REJECT rule added above, then log and drop port-6000 packets no ACCEPT rule matched
# (the client now gets no reply instead of ICMP port unreachable)
iptables -D INPUT -p tcp --dport 6000 -j REJECT
iptables -N LOGGING
iptables -A INPUT -p tcp --dport 6000 -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
# Then monitor with (read the file back later with tcpdump -nn -r capture.pcap):
tcpdump -i eth0 port 6000 -w capture.pcap
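The counters, LOG lines and captures only answer the question when read together: tcpdump tells you a SYN arrived and what, if anything, went back, while the LOG rule tells you which packets the firewall handled. The following Python script is an added example, not code from the original page. It parses constructed sample lines in the format of tcpdump -nn and of a LOG-target kernel message (the server address 192.168.1.100 and the "IPTables-Dropped: " prefix are taken from this page; client addresses, ports and timestamps are made up) and classifies each pure SYN to port 6000 by the reply tcpdump saw: SYN-ACK (accepted), ICMP port unreachable (REJECT with the default reject-with), TCP RST (REJECT --reject-with tcp-reset, or nothing listening), or no reply at all (DROP), and notes whether a LOG line exists for it.

```python
import re

# Constructed sample input (not a real capture). Format follows `tcpdump -nn`
# (no -v) on the server 192.168.1.100, plus a LOG-target kernel message as
# written by the "IPTables-Dropped: " rule; hosts, ports and times are made up.
SAMPLE_TCPDUMP = """\
12:34:56.789012 IP 192.168.16.20.45000 > 192.168.1.100.6000: Flags [S], seq 1000, win 64240, length 0
12:34:56.789300 IP 192.168.1.100.6000 > 192.168.16.20.45000: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:34:56.789400 IP 192.168.16.20.45000 > 192.168.1.100.6000: Flags [.], ack 2001, win 502, length 0
12:34:57.100000 IP 192.168.16.21.54321 > 192.168.1.100.6000: Flags [S], seq 3000, win 64240, length 0
12:34:57.100200 IP 192.168.1.100 > 192.168.16.21: ICMP 192.168.1.100 tcp port 6000 unreachable, length 68
12:34:58.000000 IP 10.0.0.9.40000 > 192.168.1.100.6000: Flags [S], seq 4000, win 64240, length 0
12:34:58.500000 IP 10.0.0.10.40001 > 192.168.1.100.6000: Flags [S], seq 5000, win 64240, length 0
12:34:58.500100 IP 192.168.1.100.6000 > 10.0.0.10.40001: Flags [R.], seq 0, ack 5001, win 0, length 0
"""
SAMPLE_KMSG = """\
[ 1234.567890] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40000 DPT=6000 WINDOW=64240 RES=0x00 SYN URGP=0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "ts IP a.b.c.d.sport > e.f.g.h.dport: Flags [S], ..."
TCP_RE = re.compile(
    rf"^\S+ IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# "ts IP a.b.c.d > e.f.g.h: ICMP a.b.c.d tcp port N unreachable, ..."
ICMP_RE = re.compile(rf"^\S+ IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): ICMP \S+ tcp port (?P<port>\d+) unreachable")
# Fields written by the LOG target
LOG_RE = re.compile(rf"SRC=(?P<src>{IPV4}) DST=(?P<dst>{IPV4}) .*PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def classify_syns(tcpdump_text, kmsg_text, server_ip, port):
    """Map every pure SYN tcpdump saw for server_ip:port to (verdict, logged).

    verdict comes from what the capture shows going back to the client:
      accepted      - SYN-ACK from the server (firewall ACCEPT and a listener present)
      rejected-icmp - ICMP port unreachable (REJECT with its default reject-with)
      rejected-rst  - TCP RST (REJECT --reject-with tcp-reset, or ACCEPT but nothing listening)
      dropped       - nothing at all (DROP, or the reply was lost elsewhere)
    logged is True when a LOG-target line for the same SRC/SPT is present in kmsg_text.
    """
    syns, synacks, rsts, icmp_targets = [], set(), set(), set()
    for line in tcpdump_text.splitlines():
        m = TCP_RE.match(line)
        if m:
            src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
            flags = m["flags"]
            if dst == server_ip and dport == port and flags == "S":
                syns.append((src, sport))            # client -> server, SYN only
            elif src == server_ip and sport == port:
                if flags == "S.":
                    synacks.add((dst, dport))        # server -> client, SYN+ACK
                elif "R" in flags:
                    rsts.add((dst, dport))           # server -> client, RST
            continue
        m = ICMP_RE.match(line)
        if m and m["src"] == server_ip and int(m["port"]) == port:
            icmp_targets.add(m["dst"])               # ICMP summary carries no client port

    logged = set()
    for line in kmsg_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["dst"] == server_ip and int(m["dpt"]) == port:
            logged.add((m["src"], int(m["spt"])))

    result = {}
    for key in syns:
        src, _sport = key
        if key in synacks:
            verdict = "accepted"
        elif key in rsts:
            verdict = "rejected-rst"
        elif src in icmp_targets:
            verdict = "rejected-icmp"
        else:
            verdict = "dropped"
        result[key] = (verdict, key in logged)
    return result


if __name__ == "__main__":
    for (src, sport), (verdict, logged) in classify_syns(
        SAMPLE_TCPDUMP, SAMPLE_KMSG, "192.168.1.100", 6000
    ).items():
        print(f"{src}:{sport:<6} {verdict:<14} logged={logged}")
```

To run it against real data, feed it the text of tcpdump -nn -r capture.pcap and of journalctl -k (or dmesg). The regexes assume the default one-line tcpdump format; the -vv output shown earlier puts the IP header on its own line first, so strip -v when producing input for this script.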
- tcpdump operates at the network interface level, capturing every inbound packet that matches its filter, whether or not the firewall later accepts it
- iptables processes inbound packets after they've been seen by tcpdump (for outbound packets the order is reversed)
- For complete network analysis, use both tools together:
  - tcpdump shows what's arriving at the interface and what the host sends back (SYN-ACK, RST, ICMP unreachable, or nothing)
  - iptables counters and LOG entries show which rule matched and what's being allowed/dropped
Remember this distinction when troubleshooting network connectivity issues.