Author: ninja123, Posted: Wed Jul 08, 2009 1:17 pm Post subject: where do packets arrive first? libpcap or Firewall? ----
Hi all,
In a Linux system running netfilter, with some general accept/deny iptables rules, where do packets arrive first? Is it at the libpcap packet sniffing interface or the netfilter framework?
Thanks in advance
Author: heba, Location: Cremona (Italy), Posted: Thu Jul 09, 2009 9:10 am Post subject: ----
Hi,
It depends on whether you have installed a modem or a router.
Modem
Internet -> modem -> libpcap packet sniffer -> netfilter
I have explained in great detail, I hope it is enough; otherwise I will remedy that and tell more about it.
Author: abrahamj, Posted: Tue Sep 21, 2010 4:37 am Post subject: ----
I think that packets arrive at the firewall first.
Author: Sgt_B, Location: Chicago, IL US, Posted: Tue Sep 21, 2010 3:08 pm Post subject: ----
Actually libpcap will see the packet before it is handled by netfilter. So if your iptables denies ICMP and you try to ping the host, tcpdump will show the ICMP echo requests but the firewall will dump the traffic.
Now, I can't remember offhand, but I think the prerouting chain might be different. So if you do some NATing, prerouting might muck with the packet before libpcap sees it. Not positive, so test it out on your own if that's important for your results.
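One way to run the test Sgt_B suggests, as an added example that is not part of the original thread: a veth pair into a scratch network namespace sends pings at the host while an iptables INPUT rule drops them, and the tcpdump count is compared with the rule's packet counter. The namespace name, interface names and addresses are constructed for this example, and the two sample outputs are constructed so the parsers can be checked without root.

```shell
# Added example: does tcpdump (libpcap) see a packet that iptables INPUT drops?
# Constructed names: namespace pcapns, veth pair vpcap0/vpcap1, 10.99.0.0/24.

# Count ICMP echo requests in tcpdump text output read from stdin.
count_echo_requests() { grep -c 'ICMP echo request'; }

# From `iptables -nvxL INPUT` output on stdin, print the packet counter of the
# first DROP rule bound to interface $1 (columns: pkts bytes target prot opt in).
drop_counter() { awk -v ifc="$1" '$3 == "DROP" && $6 == ifc { print $1; exit }'; }

# Constructed sample outputs, used to check the two parsers offline.
sample_tcpdump() { cat <<'EOF'
15:08:01.000001 IP 10.99.0.2 > 10.99.0.1: ICMP echo request, id 7, seq 1, length 64
15:08:02.000001 IP 10.99.0.2 > 10.99.0.1: ICMP echo request, id 7, seq 2, length 64
15:08:03.000001 IP 10.99.0.2 > 10.99.0.1: ICMP echo request, id 7, seq 3, length 64
EOF
}
sample_iptables() { cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      252 DROP       icmp --  vpcap0 *       0.0.0.0/0            0.0.0.0/0            icmptype 8
EOF
}

# Live run: needs root, iproute2, iptables, tcpdump and ping.
live_test() {
    rule="-i vpcap0 -p icmp --icmp-type echo-request -j DROP"
    out=$(mktemp)
    ip netns add pcapns
    ip link add vpcap0 type veth peer name vpcap1
    ip link set vpcap1 netns pcapns
    ip addr add 10.99.0.1/24 dev vpcap0
    ip link set vpcap0 up
    ip netns exec pcapns ip addr add 10.99.0.2/24 dev vpcap1
    ip netns exec pcapns ip link set vpcap1 up
    iptables -I INPUT $rule
    tcpdump -l -n -i vpcap0 icmp > "$out" 2>/dev/null &
    tpid=$!; sleep 2
    ip netns exec pcapns ping -c 3 -W 1 10.99.0.1 > /dev/null  # no replies expected
    sleep 1; kill "$tpid"; wait "$tpid" 2>/dev/null
    echo "tcpdump saw:       $(count_echo_requests < "$out")"
    echo "netfilter dropped: $(iptables -nvxL INPUT | drop_counter vpcap0)"
    iptables -D INPUT $rule
    ip netns del pcapns   # destroying vpcap1 also removes its peer vpcap0
    rm -f "$out"
}
if [ "${1:-}" = "live" ]; then live_test; fi
```

Run it as root with the argument `live`; replacing the INPUT rule with a `-t nat` PREROUTING rule lets the same setup check the NAT case raised in the last post.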