iptables 1.8.2 (debian10) does not show packet count in default policy
There is a bug report for this issue affecting Iptables 1.8.2 @ Debian 10.6
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961117
My workaround for this is:
It does not make any difference if you load iptables rules during boot or later as root after the system is loaded (the policy counters always remain zero). However, if prior to loading rules, you reset iptables using the below commands:
iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
then your policy counters start working.
Right now I've added these rules at the beginning of my iptables rules file and all is working as it should.
Packet counters in the chain policy are only updated when you actually have packets to which the policy applies. Or in other words, when there are packets that enter a chain and which are not (dis-) allowed by any of the rules in a chain.
When all packets are matched by the rules in a chain (or there are no rules at all) the policy counters will remain on zero.
Arguably a good firewall configuration is one where the actual rule set determines the fate of the traffic and you never need to fallback to the chain policy to (dis-) allow traffic.
So in that regard it is bad firewall design that you have systems where the counters are NOT zero....
iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1012 7864 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7 packets, 968 bytes)
pkts bytes target prot opt in out source destination
In this case all traffic is matched by an explicit rule and the default ACCEPT policy on the INPUT chain is never needed. The ACCEPT policy counters remain on zero.
iptables -nvL
Chain INPUT (policy DROP 1996 packets, 87824 bytes)
pkts bytes target prot opt in out source destination
1386 101K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 176 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 31 packets, 4332 bytes)
pkts bytes target prot opt in out source destination
In this example the rules only open up the SSH and HTTP ports and rely on the INPUT chain's policy to DROP all other traffic. The DROP policy counters will increase with every bit of traffic that is not allowed by the rules on ports 22 and 80 that allow SSH and HTTP.
iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1876 144K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 176 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
115 9804 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
The same effective firewall as in the previous example, allowing traffic on ports 22 and 80 but with an explicit rule rejecting all other traffic, rather than relying on the default DROP policy. The DROP policy counters will remain on zero.
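The three listings in this answer, and the listing in the question, differ only in where unmatched packets end up. The following script is an added example (not code from the question, the answer, or the Debian bug report) that parses `iptables -nvL` output and labels each chain according to that logic: the policy is "counting", it is "unreachable" because an explicit catch-all rule terminates every packet first, or it is "idle" (zero counters with no catch-all rule). The sample listings are pasted from this thread; the function names `parse_listing`, `classify` and `audit` and the label strings are mine. An "idle" DROP policy on a chain whose rules are clearly passing traffic is exactly the situation the question describes: either nothing has fallen through to the policy yet, or the policy counter is not being updated, and the script cannot tell those two apart by itself.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples: listings quoted in the thread (INPUT chain only for the
# first three, full listing for the web server from the question's comment).
SAMPLE_EXPLICIT_ACCEPT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1012  7864 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
SAMPLE_POLICY_DROP = """\
Chain INPUT (policy DROP 1996 packets, 87824 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1386  101K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    4   176 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
"""
SAMPLE_EXPLICIT_REJECT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1876  144K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    4   176 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  115  9804 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""
SAMPLE_WEBSERVER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   94  6188 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1891

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Built-in chains carry a policy; user-defined chains show "(N references)".
_CHAIN_RE = re.compile(
    r"^Chain (?P<name>\S+) \((?:policy (?P<policy>\S+) (?P<pkts>\S+) packets, "
    r"(?P<bytes>\S+) bytes|(?P<refs>\d+) references)\)$")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: List[str]  # match options after the fixed columns, e.g. ['tcp', 'dpt:22']


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains
    policy_pkts: int
    policy_bytes: int
    rules: List[Rule] = field(default_factory=list)


def parse_count(tok: str) -> int:
    """iptables -v abbreviates large counters with decimal K/M/G; -x prints exact values."""
    if tok[-1] in _SUFFIX:
        return int(float(tok[:-1]) * _SUFFIX[tok[-1]])
    return int(tok)


def parse_listing(text: str) -> dict:
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHAIN_RE.match(line)
        if m:
            if m.group("policy"):
                current = Chain(m.group("name"), m.group("policy"),
                                parse_count(m.group("pkts")), parse_count(m.group("bytes")))
            else:
                current = Chain(m.group("name"), None, 0, 0)
            chains[current.name] = current
            continue
        if current is None or line.startswith("pkts bytes"):
            continue  # column header
        f = line.split()
        if len(f) < 9:
            continue  # a rule without a target column shifts the fields; skipped here
        current.rules.append(Rule(parse_count(f[0]), parse_count(f[1]), f[2], f[3], f[4],
                                  f[5], f[6], f[7], f[8], f[9:]))
    return chains


def is_catch_all(rule: Rule) -> bool:
    """A terminating rule with no match at all: every packet reaching it stops there."""
    extra = rule.extra
    if rule.target == "REJECT" and extra[:1] == ["reject-with"]:
        extra = extra[2:]  # 'reject-with <type>' belongs to the target, it is not a match
    return (rule.target in TERMINATING and rule.prot == "all" and rule.opt == "--"
            and rule.in_if == "*" and rule.out_if == "*"
            and rule.src == "0.0.0.0/0" and rule.dst == "0.0.0.0/0" and not extra)


def classify(chain: Chain) -> str:
    if chain.policy is None:
        return "user-defined"       # unmatched packets RETURN to the calling chain
    if chain.policy_pkts > 0:
        return "policy-counting"    # packets have fallen through to the policy
    if any(is_catch_all(r) for r in chain.rules):
        return "policy-unreachable" # an explicit rule terminates every packet first
    return "policy-idle"            # nothing fell through yet, or the counter is not updated


def audit(text: str) -> dict:
    return {name: classify(ch) for name, ch in parse_listing(text).items()}


if __name__ == "__main__":
    for label, sample in [("explicit accept", SAMPLE_EXPLICIT_ACCEPT), ("policy drop", SAMPLE_POLICY_DROP),
                          ("explicit reject", SAMPLE_EXPLICIT_REJECT), ("web server", SAMPLE_WEBSERVER)]:
        print(label, audit(sample))
```

To run it against a live box, feed it `iptables -nvxL` output (the `-x` flag gives exact counters instead of the rounded K/M/G values the parser otherwise has to expand). A chain reported as "policy-idle" with a DROP policy and non-zero rule counters deserves a look at the nftables-backed counters as well (`nft list ruleset`), which is where the Debian 10 report above says the discrepancy lives.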
I understand what you wrote!
This is a web server listening for SSH on port 1891 and for web traffic on ports 80 and 443.
If I run these rules below as a test, I have ssh access, but I don't have web access, and the counters don't work!
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
94 6188 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1891
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
That is, the logic works, but it does not count in the default DROP policy.
The same rules in debian9 count normally, I'm guessing it's a bug regarding the standard debian10 nftables firewall, what do you think?