I have used tcpdump to check how iptables is working.
I have tried to block this traffic by
but it is not working for me.
Again: you can NOT test it this way!
tcpdump will show you all packets even when you are dropping them in the filter.
I know this is sometimes a nuisance. It is difficult to test if your filters are
working.
When your filter has the structure of:
- some packets dropped
- some other packets dropped
- more packets dropped
- all remaining packets accepted
(note that this is normally not a preferred structure of your blocklist)
you can work around it by inserting a rule like this just before the last ACCEPT rule
(or at the end of the table when the default setting is ACCEPT, again not a preferred
situation):
iptables -A INPUT -i tunl0 -j NFLOG --nflog-group 44
This will send the packets to a "netfilter logging" interface where you can
trace them with:
tshark -i nflog:44
(I don't think tcpdump supports dumping nflog interfaces but this may depend on
version)
The result of this is that all packets that have already been dropped above that rule
will not reach the NFLOG target and will not be traced when you trace nflog:44.
However, it is normally preferred to work with a "default drop" setup. You accept all
packets that you know you want to accept, and drop everything else at the end of the
table.
This makes it less likely that things pass by that you did not think about, like
protocols other than TCP and UDP.
It is still possible to have NFLOG logging of everything that is accepted, by first
creating a helper table like this:
iptables -N NFLOGACCEPT
iptables -A NFLOGACCEPT -j NFLOG --nflog-group 44
iptables -A NFLOGACCEPT -j ACCEPT
Then you set up your filter table like this:
iptables -A INPUT -i tunl0 -..... -j NFLOGACCEPT
iptables -A INPUT -i tunl0 -..... -j NFLOGACCEPT
iptables -A INPUT -i tunl0 -j DROP
Rob
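The "default drop" layout with the NFLOGACCEPT helper chain from the reply above, written out as a small shell script. This is an added example, not code from the original thread or from Rob: it generates the iptables commands for one interface and a list of allowed TCP ports, so the ruleset can be reviewed (or piped to sh) rather than typed by hand. The interface name tunl0, nflog group 44 and the port list are hypothetical parameters, and the conntrack rule for established connections is an assumption added here, not something the thread discusses.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints a "default drop" INPUT
# ruleset for one interface in which every accepted packet is first copied to
# an NFLOG group (so it can be watched with: tshark -i nflog:GROUP) and then
# accepted. Packets that reach the final DROP never touch the NFLOG target, so
# the nflog trace shows exactly what the filter let through.
#
# Usage: nflog_accept_rules IFACE GROUP PORT...   (prints the commands)
#        nflog_accept_rules tunl0 44 22 443 | sh -e   (applies them as root)

nflog_accept_rules() {
    iface=$1
    group=$2
    shift 2

    # Helper chain: log to nflog:$group, then ACCEPT.
    echo "iptables -N NFLOGACCEPT"
    echo "iptables -A NFLOGACCEPT -j NFLOG --nflog-group $group"
    echo "iptables -A NFLOGACCEPT -j ACCEPT"

    # Assumption added here: accept (and log) replies to connections this host
    # opened, otherwise the default drop below also kills return traffic.
    echo "iptables -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j NFLOGACCEPT"

    # One explicit accept per allowed TCP port, all routed through the helper.
    for port in "$@"; do
        echo "iptables -A INPUT -i $iface -p tcp --dport $port -j NFLOGACCEPT"
    done

    # Default drop: anything not matched above, including non-TCP/UDP
    # protocols, ends here and never reaches NFLOG.
    echo "iptables -A INPUT -i $iface -j DROP"
}

# Sample invocation when run as a script with arguments (example parameters).
if [ $# -ge 2 ]; then
    nflog_accept_rules "$@"
fi
```

Run `nflog_accept_rules tunl0 44 22 443` to see the commands, start `tshark -i nflog:44` in another terminal, and then only traffic that passed one of the accept rules shows up in the trace; anything dropped by the last rule is absent, which is the check tcpdump on tunl0 cannot give you.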