Simon Krenger

iptables ACCEPT [0:0] brackets

, by Simon Krenger

So lately I have been working a lot more with Linux networking. Consider an iptables configuration like this:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7752:8249066]
[..]
-A RH-Firewall-1-FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-FORWARD -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
[..]
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Fri Nov 21 15:44:47 2014

Ever noticed the brackets right next to the chain? What are those? What do the numbers mean?

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7752:8249066]

The answer is pretty easy and pretty obvious in hindsight. These numbers report

  • packet counter for the chain
  • byte counter for the chain

So in our example above, the OUTPUT chain matched 7752 packets and 8249066 bytes.

Tags: , , ,

Hello world

My name is Simon Krenger, I am a Technical Account Manager (TAM) at Red Hat. I advise our customers in using Kubernetes, Containers, Linux and Open Source.

Blog Categories

  1. Kubernetes / OpenShift
  2. Linux
  3. MySQL
  4. Oracle
  5. Personal
  6. Windows

Elsewhere

  1. GitHub
  2. LinkedIn
  3. GitLab