Understanding the [0:0] Packet Count Syntax in iptables DNAT Rules

When examining the rule [0:0] -A PREROUTING -s 10.1.0.0/24 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.1.0.6:3128, the [0:0] prefix represents packet and byte counters that iptables maintains for each rule.

The format is [packets:bytes] where:

  • packets: Number of packets matched by this rule
  • bytes: Total bytes of all matched packets

In our example, [0:0] indicates this is a newly added rule with zero matches so far.

Here's a complete rule set demonstrating port forwarding:

*nat
# Initialize counters
[0:0] -A PREROUTING -s 10.1.0.0/24 -p tcp --dport 81 -j DNAT --to-destination 10.1.0.6:3128
[0:0] -A POSTROUTING -j MASQUERADE
COMMIT

*filter
[0:0] -A FORWARD -d 10.1.0.6/32 -p tcp --dport 3128 -j ACCEPT
COMMIT

After some traffic flows, check counters with:

iptables -t nat -L -v -n

Sample output showing active counters:

Chain PREROUTING (policy ACCEPT 1423 packets, 98432 bytes)
 pkts bytes target     prot opt in     out     source               destination
  423 28932 DNAT       tcp  --  *      *       10.1.0.0/24          0.0.0.0/0            tcp dpt:81 to:10.1.0.6:3128

To reset counters for specific rules:

iptables -t nat -Z PREROUTING 1

Or for all rules in a chain:

iptables -t nat -Z PREROUTING

  • iptables man page: man iptables
  • Netfilter documentation: https://netfilter.org/documentation/
  • Linux Advanced Routing & Traffic Control: http://lartc.org/

When examining iptables rules, you might encounter entries prefixed with [0:0]. This notation represents packet and byte counters in the format [packets:bytes]. In your case:

[0:0] -A PREROUTING -s 10.1.0.0/24 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.1.0.6:3128

The [0:0] indicates this rule has processed 0 packets and 0 bytes since the last counter reset or rule creation.

Let's analyze the complete rule structure:

-A PREROUTING          # Append to PREROUTING chain
-s 10.1.0.0/24         # Source IP range
-p tcp                 # Protocol TCP
-m tcp                 # TCP module
--dport 81             # Destination port 81
-j DNAT                # Jump to DNAT target
--to-destination 10.1.0.6:3128  # Redirect to internal IP:port

Here are some common variations of DNAT rules with counters:

# Basic HTTP redirection with counters
[152:12045] -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080

# Port range forwarding
[0:0] -A PREROUTING -p tcp --dport 3000:4000 -j DNAT --to-destination 10.0.0.5

To reset counters for all rules:

iptables -Z

To view rules with counters:

iptables -L -v

Here's how to create a custom chain with counters:

# Create custom chain (iptables-restore format, nat table, counters at zero)
*nat
:MY_CHAIN - [0:0]

# Add rule with counters
[0:0] -A MY_CHAIN -s 192.168.1.100 -j ACCEPT

# Reference from main chain
[0:0] -A PREROUTING -j MY_CHAIN
COMMIT

  • iptables man page: man iptables
  • Official Netfilter documentation: https://netfilter.org/documentation/
  • Practical iptables tutorials: https://linuxconfig.org/iptables-tutorial
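As an added example (not code from either answer above), here is a small Python parser for the [packets:bytes] prefix that both answers describe, run over an `iptables-save -c` dump. The dump is constructed for this example, with counter values chosen to match the sample output shown in the first answer; it picks out DNAT rules still sitting at [0:0], which is the quickest way to audit for stale or never-hit forwards.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables-save -c` output (not captured from a real host).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [1423:98432]
[423:28932] -A PREROUTING -s 10.1.0.0/24 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.1.0.6:3128
[0:0] -A PREROUTING -p tcp -m tcp --dport 3000:4000 -j DNAT --to-destination 10.0.0.5
[511:40120] -A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
[0:0] -A FORWARD -d 10.1.0.6/32 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT
"""

# [packets:bytes] prefix, then the chain the rule is appended to, then the rule body.
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")

def parse_counted_rules(dump):
    """Return (table, chain, packets, bytes, rule_body) tuples from
    iptables-save -c output; policy (:CHAIN ...) and COMMIT lines are skipped."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*nat", "*filter": table header
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if m and table:
            pkts, byts, chain, body = m.groups()
            rules.append((table, chain, int(pkts), int(byts), body))
    return rules

def unused_dnat_rules(dump):
    """DNAT rules still at [0:0]: worth reviewing as stale forwards or
    ports that traffic never reaches."""
    return [r for r in parse_counted_rules(dump) if r[2] == 0 and "-j DNAT" in r[4]]

def chain_totals(dump):
    """Sum matched packets per (table, chain)."""
    totals = defaultdict(int)
    for table, chain, pkts, _, _ in parse_counted_rules(dump):
        totals[(table, chain)] += pkts
    return dict(totals)
```

Feed it the real output of `iptables-save -c` instead of SAMPLE_DUMP to run the same check on a live host.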