Quote: Originally Posted by unclecameron
why would (..) along with /etc/hosts.deny rule of (..) not stop traffic to/from 180.x.x.x, which I still see by running iftop?
First of all, tcp_wrappers may be considered complementary in a multi-layered approach to network access restrictions, but there's a fundamental difference between tcp_wrappers and Netfilter. The first works only at the application level (and only if the application was compiled with -libwrap) and the latter works at the network level, meaning no interaction with any application.
In short: Netfilter = "must have", tcp_wrappers = "nice to have".
As for your question: you show isolated rules, no rule counters and no evidence of traffic, meaning your rule could be placed below a rule that already accepts traffic, or you haven't killed or restarted the network process, or didn't reset individual connections, so you might be seeing already established connections.
Quote: Originally Posted by unclecameron
Or could iftop just be showing an artifact and is there a better way to monitor connections real-time?
I doubt that. Iftop uses the libpcap ('man 3 pcap') framework for data handling, just like tcpdump, Wireshark or, say, nmap.
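The rule-ordering point in the reply above can be checked mechanically. This is an added example, not part of the original post: it reads `iptables -S INPUT` style output and reports which ACCEPT rules are evaluated before the first DROP/REJECT rule covering a given source. The rule set, the addresses (documentation range 203.0.113.0/24) and the function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed `iptables -S INPUT` output; addresses are documentation ranges.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_rule(line):
    """Return (source network, target) for one '-A CHAIN ...' line."""
    tok = shlex.split(line)
    src, target = ANY, None
    for i, t in enumerate(tok[:-1]):
        if t in ("-s", "--source"):
            src = ipaddress.ip_network(tok[i + 1], strict=False)
        elif t in ("-j", "--jump"):
            target = tok[i + 1]
    return src, target

def find_shadowing(rules_text, blocked):
    """Return (number of the first DROP/REJECT rule whose source covers
    `blocked`, numbers of earlier ACCEPT rules that can match it first)."""
    blocked = ipaddress.ip_network(blocked, strict=False)
    rules = [l for l in rules_text.splitlines() if l.startswith("-A ")]
    accepts = []
    for num, line in enumerate(rules, 1):  # same numbering as --line-numbers
        if "!" in line.split():
            continue  # negated matches are not handled here
        src, target = parse_rule(line)
        if target == "ACCEPT" and src.overlaps(blocked):
            accepts.append(num)
        elif target in ("DROP", "REJECT") and blocked.subnet_of(src):
            return num, accepts
    return None, accepts

if __name__ == "__main__":
    drop_at, earlier = find_shadowing(SAMPLE_RULES, "203.0.113.7")
    print(f"blocking rule: {drop_at}; ACCEPT rules evaluated before it: {earlier}")
```

In the constructed rule set the DROP is rule 3, and the RELATED,ESTABLISHED accept in rule 1 is evaluated first, which is why already established connections keep flowing. The packet counters shown by `iptables -L INPUT -n -v --line-numbers` confirm which rule is actually being hit.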