Old 04-11-2012, 04:31 PM   #1
danoelke
LQ Newbie
 
Registered: Apr 2012
Posts: 2

Rep: Reputation: Disabled
iptables not getting it to drop packets


I want to drop packets at different rates for different port numbers. So, I used iptables to set up the following rules:

Code:
$ sudo iptables -v -L
Chain INPUT (policy ACCEPT 1156 packets, 70130 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1139 packets, 1364K bytes)
pkts bytes target prot opt in out source destination
0 0 per1 tcp -- any any anywhere anywhere tcp spt:9000
386 545K per5 tcp -- any any anywhere anywhere tcp spt:9001
671 948K per10 tcp -- any any anywhere anywhere tcp spt:9002

Chain per1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere statistic mode random probability 0.010000

Chain per10 (1 references)
pkts bytes target prot opt in out source destination
122 171K DROP all -- any any anywhere anywhere statistic mode random probability 0.200000

Chain per5 (1 references)
pkts bytes target prot opt in out source destination
12 17280 DROP all -- any any anywhere anywhere statistic mode random probability 0.050000


As you can see, port 9000 should drop 1%, 9001 should drop 5% and 9002 20%.
Because the statistics are going up for those user defined chains I assume that the packets should be dropped.

However, I set up a webserver on each of those ports and then on another machine I would do a wget of a file from that server. On that other machine I would also run wireshark to see what was going on. From what I could see it didn't appear that the packets were being dropped. I would look at sequence numbers and they all seemed to increment up smoothly with no retransmissions.

So, what am I missing? Is there some reason that the user-defined chain isn't really dropping the packets?

Thanks!
Dan
 
Old 04-12-2012, 03:20 AM   #2
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
Try it out with something easier to track first, maybe icmp?
Works fine for me on debian, and I see the drop counter go up and the pings drop.

Code:
num pkts bytes target  prot opt in     out   source   destination
38   18  2476  DROP    icmp  --  eth1   *    x.x.x.x   0.0.0.0/0    statistic mode random probability 0.200000
For a moment there I thought it was buggy... To test with ssh I connected to the dropping machine and then forgot about it and proceeded to test pings again. Of course it didn't drop anything, as the packets didn't match the rule and were sourced locally.
 
Old 04-19-2012, 11:17 AM   #3
danoelke
LQ Newbie
 
Registered: Apr 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
I did eventually find that the problem was not my iptables configuration, but instead that there was a "transparent" proxy between the two machines. That proxy would see the dropped packets and do the TCP retransmissions, and by the time it got to the other end everything looked like there were no lost packets.
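As an added example (not code from the thread), the following Python script reads `iptables -v -L` output in the form posted above and compares each user-defined chain's observed drop fraction with its configured `statistic` probability, so the sender's own counters can confirm the rules are firing even when a middlebox such as the transparent proxy described here retransmits the lost segments and hides them from a capture at the receiver. The sample text is the first post's output, embedded here as constructed input.

```python
import re

# Constructed sample: the sender-side counters from the first post in the thread.
SAMPLE = """\
Chain OUTPUT (policy ACCEPT 1139 packets, 1364K bytes)
pkts bytes target prot opt in out source destination
0 0 per1 tcp -- any any anywhere anywhere tcp spt:9000
386 545K per5 tcp -- any any anywhere anywhere tcp spt:9001
671 948K per10 tcp -- any any anywhere anywhere tcp spt:9002

Chain per1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere statistic mode random probability 0.010000

Chain per10 (1 references)
pkts bytes target prot opt in out source destination
122 171K DROP all -- any any anywhere anywhere statistic mode random probability 0.200000

Chain per5 (1 references)
pkts bytes target prot opt in out source destination
12 17280 DROP all -- any any anywhere anywhere statistic mode random probability 0.050000
"""

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
PROB_RE = re.compile(r"statistic mode random probability ([0-9.]+)")

def _num(s):
    """iptables -v abbreviates large counters as e.g. 545K or 3M."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_counters(text):
    """Return ({chain: packets jumped into it}, {chain: (dropped, probability)})."""
    jumps, drops, chain = {}, {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if not line or not line[0].isdigit():
            continue  # blank line or column header
        pkts, _bytes, target = line.split()[:3]
        if target not in BUILTIN_TARGETS:
            jumps[target] = jumps.get(target, 0) + _num(pkts)  # jump into a user chain
        elif target == "DROP":
            m = PROB_RE.search(line)
            if m:
                drops[chain] = (_num(pkts), float(m.group(1)))
    return jumps, drops

def drop_report(text):
    """Observed drop fraction versus configured probability, per user-defined chain."""
    jumps, drops = parse_counters(text)
    report = {}
    for chain, (dropped, prob) in drops.items():
        seen = jumps.get(chain, 0)
        observed = dropped / seen if seen else None  # None: no traffic hit the chain yet
        report[chain] = {"seen": seen, "dropped": dropped, "expected": prob, "observed": observed}
    return report

if __name__ == "__main__":
    for chain, r in sorted(drop_report(SAMPLE).items()):
        obs = "n/a (no traffic)" if r["observed"] is None else f"{r['observed']:.1%}"
        print(f"{chain}: {r['dropped']}/{r['seen']} dropped, observed {obs}, configured {r['expected']:.0%}")
```

With the posted counters this reports per5 at about 3.1% against 5% and per10 at about 18.2% against 20%, which is consistent with random dropping on a few hundred packets; the near-zero observation was on the receiver's capture, not in these counters.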