View Dropped Packets

How to find out if connections are dropped after blocking an IP.


By Jacob

Edited: 2020-05-10 13:07

After having blocked an IP address, possibly using UFW, you might want to check if packets are actually dropped. You do not usually need to monitor this for any specific IP address, but it can still be useful when trying to determine if a firewall rule is working as intended.

To get a list of dropped packets, you can use iptables:

iptables -L ufw-user-input -v -n | grep 'DROP'

Result:

33471 2008K DROP       all  --  *      *       127.0.0.0        0.0.0.0/0           
    0     0 DROP       all  --  *      *       127.0.0.20       0.0.0.0/0

The first number is the packet count, the second the byte count. Run the command a couple of times a few minutes apart; if the first number keeps growing, someone is still trying to connect and those packets are being dropped. Packets being dropped means your firewall rule is working.

Also check your server log files. If they are still logging requests from the blocked address, your firewall rule is not working. In the case of UFW, this may mean you need to give the rule the right priority (its position in the chain) when adding it.
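The check above, running the command twice a few minutes apart and comparing the packet counters, is easy to get wrong by eye once a chain has many rules. The script below is an added example (not part of the original article): it parses two snapshots of `iptables -L <chain> -vn` output and prints every DROP rule whose packet counter grew between them. The chain name ufw-user-input is the one used above; the two snapshots embedded in the script are constructed sample output, not captured from a real host. It also expands the K/M/G abbreviations that `iptables -v` uses for large counters; passing `-x` (`--exact`) to iptables avoids the abbreviation altogether.

```shell
#!/bin/sh
# Added example, not from the original article. Compares DROP counters
# between two snapshots of `iptables -L <chain> -vn` output.

# Read `iptables -L -vn` output on stdin and print "source packets bytes"
# for every DROP rule. Columns are: pkts bytes target prot opt in out
# source destination. iptables -v abbreviates large counters (2008K);
# the expand() helper scales K/M/G by 1000, which is how iptables rounds.
drop_counts() {
    awk '
        function expand(n,   m) {
            m = (n ~ /K$/) ? 1000 : (n ~ /M$/) ? 1000000 : (n ~ /G$/) ? 1000000000 : 1
            sub(/[KMG]$/, "", n)
            return n * m
        }
        $3 == "DROP" { printf "%s %d %d\n", $8, expand($1), expand($2) }
    '
}

# drop_delta BEFORE AFTER: print "source packets_grown" for each DROP rule
# whose packet counter increased between the two snapshots. Exit status is
# 0 if at least one counter grew, 1 if nothing changed.
drop_delta() {
    {
        printf '%s\n' "$1" | drop_counts | sed 's/^/0 /'
        printf '%s\n' "$2" | drop_counts | sed 's/^/1 /'
    } | awk '
        $1 == 0 { before[$2] = $3 }
        $1 == 1 && ($2 in before) && $3 > before[$2] {
            print $2, $3 - before[$2]
            grew = 1
        }
        END { exit grew ? 0 : 1 }
    '
}

# Constructed sample snapshots (not real captures). In practice you would do:
#   t0=$(iptables -L ufw-user-input -vn); sleep 300
#   t1=$(iptables -L ufw-user-input -vn); drop_delta "$t0" "$t1"
SAMPLE_T0='Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
33471 2008K DROP       all  --  *      *       127.0.0.0            0.0.0.0/0
    0     0 DROP       all  --  *      *       127.0.0.20           0.0.0.0/0
  120  9600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0'

SAMPLE_T1='Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
33610 2016K DROP       all  --  *      *       127.0.0.0            0.0.0.0/0
    0     0 DROP       all  --  *      *       127.0.0.20           0.0.0.0/0
  131 10480 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Demonstration run on the constructed snapshots: only 127.0.0.0 grew.
drop_delta "$SAMPLE_T0" "$SAMPLE_T1" || echo "no DROP counter grew"
```

A rule whose counter grows is doing its job; a blocked source that still shows up in the web server's access log while its DROP counter stays flat is the case the article warns about, where the rule sits too late in the chain to match.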

To automatically block failed login attempts, you can use a tool such as fail2ban. There is rarely any use in manually blocking individual IP addresses, since the attacks themselves are often automated and may therefore simply recur from different IPs faster than you can ban them by hand.
