LinuxQuestions.org


hdinn 03-11-2010 10:17 AM

Problem on applying iptables rules
 
hello everybody,

I have a problem with iptables. Well... when I put this rule

Code:

iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 6 -j DROP
and when I sniff with Wireshark it gives me 6 UDP packets dropped correctly.

But when I apply dropping 6 times with only one packet

Code:

iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP

Wireshark gives 7, 8 or even 9 packets dropped :(((((

Where is the problem? Pleaaaaase HELP ME.

unSpawn 03-11-2010 11:01 AM

Can't explain that behaviour but having six similar rules in a row in one chain makes no sense: decisions are made on a "first match wins" basis. Listing your ruleset with "-vnx" should show the counters of the similar next rules stay at zero.

hdinn 03-11-2010 11:19 AM

Quote:

Originally Posted by unSpawn (Post 3894440)
Can't explain that behaviour but having six similar rules in a row in one chain makes no sense: decisions are made on a "first match wins" basis. Listing your ruleset with "-vnx" should show the counters of the similar next rules stay at zero.

Yes friend, me too, I can't explain it, but I'm trying to develop an application with Qt libraries which configures netfilter with iptables commands, so it will be common to have 6 rules in one CHAIN :((((

So is there a solution for that???!!!

I really need it, friends.....

hdinn 03-12-2010 02:06 AM

Hey friends, no answer to my question????!!!!

zhjim 03-12-2010 08:13 AM

As limit uses a token bucket filter I'd say that the refresh rate is set too low. Something like this:

first packet is matched by rule 1
second = rule 2
...
fifth packet is matched by rule 5
first rule's bucket gains a token.
sixth packet is matched by rule 1

Maybe try with fewer rules to see at which point the rules misbehave.
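The refill effect zhjim describes, worked through as an added simulation (this is not code from the thread): every `-m limit` rule keeps its own token bucket (iptables' default rate is 3/hour), the chain is evaluated first-match-wins as unSpawn noted, and so six `--limit-burst 1` rules refill six times faster than one `--limit-burst 6` rule and drop more packets over time. The bucket model, the traffic pattern and the function names are assumptions made for the illustration.

```python
"""Added simulation of iptables' `-m limit` token buckets; not from the thread.

Assumed model: each `-m limit` rule owns one bucket holding at most `burst`
tokens, refilled continuously at `rate` matches per hour (iptables' default
is 3/hour), and the rule matches only when a whole token is available.
"""


class LimitRule:
    """Model of one `-m limit --limit <rate>/hour --limit-burst <burst>` rule."""

    def __init__(self, rate_per_hour, burst):
        self.rate_per_hour = float(rate_per_hour)
        self.burst = burst
        self.tokens = float(burst)  # the bucket starts full
        self.last = 0.0             # time (seconds) of the last refill

    def matches(self, now):
        # Refill for the elapsed time, never beyond the burst size.
        refill = (now - self.last) * self.rate_per_hour / 3600.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def dropped_by_chain(rules, arrivals):
    """Count packets DROPped by a chain of `-m limit ... -j DROP` rules.

    First match wins: the first rule whose bucket holds a token takes the
    packet (any() short-circuits), so later rules never see it.
    """
    return sum(1 for t in arrivals if any(rule.matches(t) for rule in rules))


def burst_then_steady():
    """Constructed traffic: 9 packets at once, then one every 5 minutes for an hour."""
    return [0.0] * 9 + [300.0 * i for i in range(1, 13)]


def compare():
    one_rule = [LimitRule(3, 6)]                     # --limit-burst 6, default 3/hour
    six_rules = [LimitRule(3, 1) for _ in range(6)]  # six rules, --limit-burst 1 each
    return (dropped_by_chain(one_rule, burst_then_steady()),
            dropped_by_chain(six_rules, burst_then_steady()))


if __name__ == "__main__":
    single, six = compare()
    print(f"one rule with burst 6 dropped {single}, six rules with burst 1 dropped {six}")
```

Both chains drop exactly 6 of the initial burst; the difference only appears once the buckets start refilling, which is why a count taken over a longer capture comes out higher for the six-rule chain.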

unSpawn 03-12-2010 10:50 AM

Quote:

Originally Posted by hdinn (Post 3894469)
so it will be common to have 6 rules in one CHAIN :((((

I said having six similar rules makes no sense. You can have as many rules as memory allows.
