LinuxQuestions.org

Linux - Networking: iptables not getting it to drop packets (http://www.linuxquestions.org/questions/linux-networking-3/iptables-not-getting-it-to-drop-packets-939347/)

danoelke 04-11-2012 04:31 PM

iptables not getting it to drop packets
 
I want to drop packets at different rates for different port numbers. So, I used iptables to set up the following rules:

$ sudo iptables -v -L
Chain INPUT (policy ACCEPT 1156 packets, 70130 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1139 packets, 1364K bytes)
pkts bytes target prot opt in out source destination
0 0 per1 tcp -- any any anywhere anywhere tcp spt:9000
386 545K per5 tcp -- any any anywhere anywhere tcp spt:9001
671 948K per10 tcp -- any any anywhere anywhere tcp spt:9002

Chain per1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere statistic mode random probability 0.010000

Chain per10 (1 references)
pkts bytes target prot opt in out source destination
122 171K DROP all -- any any anywhere anywhere statistic mode random probability 0.200000

Chain per5 (1 references)
pkts bytes target prot opt in out source destination
12 17280 DROP all -- any any anywhere anywhere statistic mode random probability 0.050000


As you can see, port 9000 should drop 1%, 9001 should drop 5% and 9002 20%.
Because the statistics are going up for those user-defined chains I assume that the packets should be dropped.

However, I set up a webserver on each of those ports and then on another machine I would do a wget of a file from that server. On that other machine I would also run wireshark to see what was going on. From what I could see it didn't appear that the packets were being dropped. I would look at sequence numbers and they all seemed to increment up smoothly with no retransmissions.

So, what am I missing? Is there some reason that the user-defined chain isn't really dropping the packet?

Thanks!
Dan

nikmit 04-12-2012 03:20 AM

Try it out with something easier to track first, maybe icmp?
Works fine for me on debian, and I see the drop counter go up and the pings drop.

Code:

num pkts bytes target  prot opt in    out  source  destination
38  18  2476  DROP    icmp  --  eth1  *    x.x.x.x  0.0.0.0/0    statistic mode random probability 0.200000

For a moment there I thought it was buggy... To test with ssh I connected to the dropping machine and then forgot about it and proceeded to test pings again. Of course it didn't drop anything, as the packets didn't match the rule and were sourced locally :D

danoelke 04-19-2012 11:17 AM

I did eventually find that the problem was not my iptables configuration, but instead that there was a "transparent" proxy between the two machines. That proxy would see the dropped packets and do the TCP retransmissions and by the time it got to the other end, everything looked like there were no lost packets.
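The thread's conclusion is that a capture on the far side cannot be trusted when something in the path retransmits on your behalf, while the counters on the dropping host are the ground truth: the jump row in OUTPUT counts packets that entered the chain, and the DROP row inside the chain counts the ones actually discarded. The following is an added example, not code from the thread, that builds the poster's rule set from a port-to-probability map and then reads his own `iptables -v -L` listing (embedded below as a constructed sample) to check whether each chain is dropping at roughly the configured rate, using a plain binomial sanity bound. Chain names, ports and probabilities are the poster's; the `rule_is_firing` threshold of three standard deviations is an assumption of this example. Run `iptables -vnxL` on the real host for exact, non-abbreviated counters and `iptables -Z` to reset them before a measurement.

```python
"""Added example (not from the thread): build per-port random-drop rules and
verify from the iptables counters alone that they fire at the expected rate."""
import math
import re

# port -> (chain, drop probability), as in the thread
DROP_PLAN = {9000: ("per1", 0.01), 9001: ("per5", 0.05), 9002: ("per10", 0.20)}

# Constructed sample: the poster's own `iptables -v -L` listing from the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 1156 packets, 70130 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1139 packets, 1364K bytes)
pkts bytes target prot opt in out source destination
0 0 per1 tcp -- any any anywhere anywhere tcp spt:9000
386 545K per5 tcp -- any any anywhere anywhere tcp spt:9001
671 948K per10 tcp -- any any anywhere anywhere tcp spt:9002

Chain per1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere statistic mode random probability 0.010000

Chain per10 (1 references)
pkts bytes target prot opt in out source destination
122 171K DROP all -- any any anywhere anywhere statistic mode random probability 0.200000

Chain per5 (1 references)
pkts bytes target prot opt in out source destination
12 17280 DROP all -- any any anywhere anywhere statistic mode random probability 0.050000
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
PROB_RE = re.compile(r"probability ([0-9.]+)")


def build_rules(plan=DROP_PLAN):
    """Return the iptables commands that reproduce the thread's rule set.
    Matching on the *source* port in OUTPUT drops the server's own replies;
    the jump row counts packets entering the chain, the DROP row inside it
    counts the ones discarded."""
    cmds = []
    for port, (chain, prob) in sorted(plan.items()):
        cmds.append(f"iptables -N {chain}")
        cmds.append(f"iptables -A {chain} -m statistic --mode random "
                    f"--probability {prob:.6f} -j DROP")
        cmds.append(f"iptables -A OUTPUT -p tcp --sport {port} -j {chain}")
    return cmds


def parse_counters(listing):
    """Map chain name -> list of (pkts, target, rule line) for every rule row."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        # skip blank lines and the "pkts bytes target ..." header row
        if current is None or len(fields) < 3 or not fields[0].isdigit():
            continue
        chains[current].append((int(fields[0]), fields[2], line))
    return chains


def observed_drop_rates(listing):
    """For each jump from OUTPUT into a user chain holding a statistic DROP
    rule, return chain -> (entered, dropped, configured_prob, observed_rate)."""
    chains = parse_counters(listing)
    report = {}
    for entered, target, _ in chains.get("OUTPUT", []):
        if target not in chains:
            continue  # built-in target such as ACCEPT, not a user chain
        for dropped, t, rule in chains[target]:
            m = PROB_RE.search(rule)
            if t == "DROP" and m:
                rate = dropped / entered if entered else 0.0
                report[target] = (entered, dropped, float(m.group(1)), rate)
    return report


def rule_is_firing(entered, dropped, prob, z=3.0):
    """True when the drop count is within z standard deviations of what a
    Bernoulli(prob) drop over `entered` packets predicts (assumed bound).
    With no packets seen there is nothing to judge, so return None."""
    if entered == 0:
        return None
    sd = math.sqrt(prob * (1 - prob) / entered)
    return abs(dropped / entered - prob) <= z * sd


if __name__ == "__main__":
    print("\n".join(build_rules()))
    for chain, (n, d, p, rate) in observed_drop_rates(SAMPLE_LISTING).items():
        verdict = rule_is_firing(n, d, p)
        status = "no traffic" if verdict is None else ("ok" if verdict else "OFF")
        print(f"{chain:6} entered={n:4} dropped={d:4} "
              f"configured={p:.2%} observed={rate:.2%} {status}")
```

On the poster's numbers the script reports per5 at 3.1% against 5% and per10 at 18.2% against 20%, both within the bound, and per1 with no traffic at all; the packets were being dropped on the server, which is what the later post about the transparent proxy confirms.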

