Viewed   15 times

Can't figure out why iptables rules are dropped.

sudo iptables -A INPUT -s -j DROP

Any suggestions are welcome.



sudo iptables -A INPUT -s -j DROP

If you just run the above command, it just loads that rule into the kernel, not really changing the iptables file. This would be lost on a reboot or a restart of iptables.

service iptables save

would save the rules to /etc/sysconfig/iptables and the change would survive a reboot.

Tuesday, February 21, 2023

This question should be on Server Fault. Nevertheless, the following should do the trick, assuming you're talking about TCP and the IP you want to allow is

iptables -A INPUT -p tcp --dport 8000 -s -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
Wednesday, November 30, 2022

iptables is a default module in AOSP, you can use netfilter to write c code to handle that.

For example, you can create an android project, and write a JNI file, use ndk-build to compile that, and then adb push the executable to the android file system to execute. And in the mobile end, you can adb shell to it, directly use iptables command as a root user, just like in linux do.


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/types.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/netfilter.h>        /* for NF_ACCEPT */
#include <errno.h>

#include <libnetfilter_queue/libnetfilter_queue.h>

#define IPQUAD(addr) 
    ((unsigned char *)&addr)[0], 
    ((unsigned char *)&addr)[1], 
    ((unsigned char *)&addr)[2], 
    ((unsigned char *)&addr)[3]
#define IPQUAD(addr) 
    ((unsigned char *)&addr)[3], 
    ((unsigned char *)&addr)[2], 
    ((unsigned char *)&addr)[1], 
    ((unsigned char *)&addr)[0]

#define TO ""
#define NAT_TO ""

struct tcp_pseudo /*the tcp pseudo header*/
    __u32 src_addr;
    __u32 dst_addr;
    __u8 zero;
    __u8 proto;
    __u16 length;
} pseudohead;

long checksum(unsigned short *addr, unsigned int count) {
    /* Compute Internet Checksum for "count" bytes
   * beginning at location "addr".
    register long sum = 0;

    while( count > 1 ) {
        /* This is the inner loop */
        sum += * addr++;
        count -= 2;
    /* Add left-over byte, if any */
    if( count > 0 )
        sum += * (unsigned char *) addr;

    /* Fold 32-bit sum to 16 bits */
    while (sum>>16)
        sum = (sum & 0xffff) + (sum >> 16);

    return ~sum;

/*************************tcp checksum**********************/
long get_tcp_checksum(struct iphdr * myip, struct tcphdr * mytcp) {

    __u16 total_len = ntohs(myip->tot_len);

    int tcpopt_len = mytcp->doff*4 - 20;
    int tcpdatalen = total_len - (mytcp->doff*4) - (myip->ihl*4);

    pseudohead.length=htons(sizeof(struct tcphdr) + tcpopt_len + tcpdatalen);

    int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr) + tcpopt_len +tcpdatalen;
    //unsigned short * tcp = new unsigned short[totaltcp_len];

    unsigned short * tcp = malloc(totaltcp_len);

    memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
    memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char*)mytcp,sizeof(struct tcphdr));
    memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo)+sizeof(struct tcphdr),(unsigned char *)myip+(myip->ihl*4)+(sizeof(struct tcphdr)), tcpopt_len);
    memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo)+sizeof(struct tcphdr)+tcpopt_len, (unsigned char *)mytcp+(mytcp->doff*4), tcpdatalen);

    /* printf("pseud length: %dn",pseudohead.length);
          printf("tcp hdr length: %dn",mytcp->doff*4);
          printf("tcp hdr struct length: %dn",sizeof(struct tcphdr));
          printf("tcp opt length: %dn",tcpopt_len);
          printf("tcp total+psuedo length: %dn",totaltcp_len);


          printf("tcp data len: %d, data start %un", tcpdatalen,mytcp + (mytcp->doff*4));

    return checksum(tcp,totaltcp_len);


static u_int16_t tcp_checksum(struct iphdr* iphdrp){
    struct tcphdr *tcphdrp =
            (struct tcphdr*)((u_int8_t*)iphdrp + (iphdrp->ihl<<2));
            return get_tcp_checksum(iphdrp, tcphdrp);

static void set_tcp_checksum(struct iphdr* iphdrp){
    struct tcphdr *tcphdrp =
            (struct tcphdr*)((u_int8_t*)iphdrp + (iphdrp->ihl<<2));
            tcphdrp->check = 0;
            tcphdrp->check = get_tcp_checksum(iphdrp, tcphdrp);
/****************************tcp checksum end****************************/

/********************************Ip checksum*****************************/
static u_int16_t ip_checksum(struct iphdr* iphdrp){
    return checksum((unsigned short*)iphdrp, iphdrp->ihl<<2);

static void set_ip_checksum(struct iphdr* iphdrp){
    iphdrp->check = 0;
    iphdrp->check = checksum((unsigned short*)iphdrp, iphdrp->ihl<<2);
/****************************Ip checksum end******************************/

static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
          struct nfq_data *nfa, void *data)
    int id = 0;
    struct nfqnl_msg_packet_hdr *ph;
    int pdata_len;
    unsigned char *payload;

    printf("entering callbackn");
    ph = nfq_get_msg_packet_hdr(nfa);
    if (ph) {
        id = ntohl(ph->packet_id);

    pdata_len = nfq_get_payload(nfa, &payload);
    if (pdata_len >= 0) {
        struct iphdr *iphdrp = (struct iphdr*)payload;
        iphdrp->daddr = inet_addr(NAT_TO);
        if(iphdrp->protocol == IPPROTO_TCP){
            printf(" ipsum+ %hu tcpsum+ %hu",
                   ip_checksum(iphdrp), tcp_checksum(iphdrp));
        printf("len %d iphdr %d %u.%u.%u.%u ->",
        printf(" %u.%u.%u.%u",
        printf(" ipsum %hu", ip_checksum(iphdrp));
        if(iphdrp->protocol == IPPROTO_TCP){
            printf(" tcpsum %hu", tcp_checksum(iphdrp));

    return nfq_set_verdict(qh, id, NF_ACCEPT, (u_int32_t)pdata_len, payload);

int main(int argc, char **argv)
    struct nfq_handle *h;
    struct nfq_q_handle *qh;
    struct nfnl_handle *nh;
    int fd;
    int rv;
    char buf[4096] __attribute__ ((aligned));

    printf("opening library handlen");
    h = nfq_open();
    if (!h) {
        fprintf(stderr, "error during nfq_open()n");

    printf("unbinding existing nf_queue handler for AF_INET (if any)n");
    if (nfq_unbind_pf(h, AF_INET) < 0) {
        fprintf(stderr, "error during nfq_unbind_pf()n");

    printf("binding nfnetlink_queue as nf_queue handler for AF_INETn");
    if (nfq_bind_pf(h, AF_INET) < 0) {
        fprintf(stderr, "error during nfq_bind_pf()n");

    printf("binding this socket to queue '0'n");
    qh = nfq_create_queue(h,  0, &cb, NULL);
    if (!qh) {
        fprintf(stderr, "error during nfq_create_queue()n");

    printf("setting copy_packet moden");
    if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
        fprintf(stderr, "can't set packet_copy moden");

    fd = nfq_fd(h);

    for (;;) {
        if ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {
            printf("pkt receivedn");
            nfq_handle_packet(h, buf, rv);
        /* if your application is too slow to digest the packets that
         * are sent from kernel-space, the socket buffer that we use
         * to enqueue packets may fill up returning ENOBUFS. Depending
         * on your application, this error may be ignored. Please, see
         * the doxygen documentation of this library on how to improve
         * this situation.
        if (rv < 0 && errno == ENOBUFS) {
            printf("losing packets!n");
        perror("recv failed");

    printf("unbinding from queue 0n");

#ifdef INSANE
    /* normally, applications SHOULD NOT issue this command, since
     * it detaches other programs/sockets from AF_INET, too ! */
    printf("unbinding from AF_INETn");
    nfq_unbind_pf(h, AF_INET);

    printf("closing library handlen");

Thursday, December 22, 2022

i've not tried to use python-iptables, but it looks like you need something like:

rule = iptc.Rule()
match = rule.create_match('state')
match.state = 'RELATED,ESTABLISHED' = iptc.Target('ACCEPT')

chain = iptc.Chain(iptc.Table.(iptc.Table.FILTER), "INPUT")

and so on.

Monday, December 26, 2022

"out and back" implies you are an NTP client and want to talk to a server i'd imagine by default you can do this; if you haven't set up a firewall to block everything, and have iptables set up at all, you'll have a "allow related/established" rule which means replies to outgoing requests are allowed automatically

in any case, NTP is UDP port 123, so, assuming you are a CLIENT and want to access NTP servers you'd do:

iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT

these will append the rules to the end of your OUTPUT and INPUT chains

Assuming you want to be a server, you'd do

iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

I have a script which implements all my firewall rules, and I call it from /etc/rc.local which runs on startup on my machine (ubuntu 8.04 LTS)

EDIT: You've clarified that this is because you are a client. In ubuntu's default configuration, you shouldn't have to alter any firewall settings to do this. What firewall configuration have you done? If nothing, I'm inclinced to believe that this isn't a firewall issue.

Thursday, September 29, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :