LinuxQuestions.org
Old 03-11-2010, 10:17 AM   #1
hdinn
LQ Newbie
 
Registered: Jul 2009
Posts: 24

Rep: Reputation: 15
Problem on applying iptables rules


Hello everybody,

I have a problem with iptables. Well... when I put this rule

Code:
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 6 -j DROP
and sniff with Wireshark, it shows me 6 UDP packets dropped, correctly.

But when I apply the drop 6 times with only one packet each

Code:
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
iptables -A FORWARD -p udp --dport 8200 -m limit --limit-burst 1 -j DROP
Wireshark shows 7, 8 or even 9 packets dropped ((((

Where is the problem? Pleaaaaase HELP ME.
 
Old 03-11-2010, 11:01 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Can't explain that behaviour but having six similar rules in a row in one chain makes no sense: decisions are made on a "first match wins" basis. Listing your ruleset with "-vnx" should show the counters of the similar next rules stay at zero.
 
Old 03-11-2010, 11:19 AM   #3
hdinn
LQ Newbie
 
Registered: Jul 2009
Posts: 24

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn View Post
Can't explain that behaviour but having six similar rules in a row in one chain makes no sense: decisions are made on a "first match wins" basis. Listing your ruleset with "-vnx" should show the counters of the similar next rules stay at zero.
Yes friend, me too, I can't explain it, but I'm trying to develop an application with Qt libraries which configures netfilter with iptables commands, so it will be common to have 6 rules in one CHAIN (((

So is there a solution for that???!!!

I really need it, friends.....
 
Old 03-12-2010, 02:06 AM   #4
hdinn
LQ Newbie
 
Registered: Jul 2009
Posts: 24

Original Poster
Rep: Reputation: 15
Hey friends, no answer to my question????!!!!
 
Old 03-12-2010, 08:13 AM   #5
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
As limit uses a token bucket filter, I'd say that the refresh rate is set too low. Something like this:

first packet is matched by rule 1
second = rule 2
.
.
fifth packet is matched by rule 5
first rule's bucket gains a token.
sixth packet is matched by rule 1

Maybe try with fewer rules to see at which point the rules misbehave.
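The token-bucket behaviour zhjim describes, as an added example that is not part of the original thread and not kernel code: a small Python model of netfilter chain traversal where every `-m limit` rule carries its own bucket, refilled over time and capped at `--limit-burst`. It is a simplified model (exact fractions instead of the kernel's jiffy-based integer credits). The first two scenarios are the OP's rulesets with the iptables defaults (no `--limit` given, so 3/hour); the third is a hypothetical `--limit 1/second` with packets 0.2 s apart, chosen so that the refill becomes visible within seconds instead of the 20 minutes per token that 3/hour implies. The packet timings are constructed input.

```python
"""Model of netfilter chain traversal with per-rule xt_limit token buckets.

Added example for this thread, not kernel code: tokens and time are exact
Fractions instead of the kernel's jiffy-based integer credits, so the
numbers are illustrative rather than a reproduction of a given kernel.
"""
from dataclasses import dataclass, field
from fractions import Fraction

# Units accepted by --limit; when --limit is omitted iptables uses 3/hour.
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """'3/hour' -> tokens per second, mirroring the --limit syntax."""
    count, unit = spec.split("/")
    return Fraction(int(count), _UNIT_SECONDS[unit])


def ticks(count: int, interval: str):
    """Arrival times in seconds of `count` packets spaced `interval` apart (constructed input)."""
    step = Fraction(interval)
    return [step * i for i in range(count)]


@dataclass
class LimitRule:
    """One `-m limit --limit <rate> --limit-burst <burst> -j <target>` rule with its own bucket."""
    rate: Fraction                 # tokens per second
    burst: int                     # bucket capacity (--limit-burst)
    target: str = "DROP"
    tokens: Fraction = field(init=False)
    last_seen: Fraction = field(init=False, default=Fraction(0))
    pkts: int = 0                  # packets this rule matched (the pkts column of -vnx)

    def __post_init__(self):
        self.tokens = Fraction(self.burst)   # the bucket is full when the rule is inserted

    def match(self, now: Fraction) -> bool:
        # Refill for the time elapsed since this rule last examined a packet, capped at burst.
        # A rule skipped because an earlier rule matched keeps accruing credit meanwhile.
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last_seen) * self.rate)
        self.last_seen = now
        if self.tokens >= 1:
            self.tokens -= 1
            self.pkts += 1
            return True
        return False               # no token: the match fails and the packet goes to the next rule


def traverse(chain, now: Fraction, policy: str = "ACCEPT") -> str:
    """The first rule whose match succeeds decides the verdict; otherwise the chain policy applies."""
    for rule in chain:
        if rule.match(now):
            return rule.target
    return policy


def simulate(n_rules: int, burst: int, rate: str, times):
    """Build `n_rules` identical DROP rules; return (verdict per packet, pkts counter per rule)."""
    chain = [LimitRule(parse_rate(rate), burst) for _ in range(n_rules)]
    verdicts = [traverse(chain, t) for t in times]
    return verdicts, [r.pkts for r in chain]


if __name__ == "__main__":
    # The OP's two rulesets at the default rate: both drop exactly 6 of 9 packets sent 1 s apart.
    print(simulate(1, 6, "3/hour", ticks(9, "1")))
    print(simulate(6, 1, "3/hour", ticks(9, "1")))
    # Hypothetical fast refill: six burst-1 rules drop every packet and rule 6 never matches,
    # because rule 1's bucket has refilled by the time the sixth packet arrives.
    print(simulate(6, 1, "1/second", ticks(12, "0.2")))
```

The second list returned by simulate() plays the role of the pkts column of `iptables -L FORWARD -vnx`: in the third scenario it comes out as 3, 3, 2, 2, 2, 0, so the later rules do see traffic (a limit match that has no token simply fails and the packet falls through), while the last rule never fires. One caveat for anyone copying the OP's rules: `-m limit ... -j DROP` drops only the initial burst and then lets everything through; the usual idiom is the reverse, `-m limit ... -j ACCEPT` followed by an unconditional DROP, or `-m limit ... -j LOG` to throttle logging.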
 
Old 03-12-2010, 10:50 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by hdinn View Post
so i will be common to have 6 rules in one CHAINE (((
I said having six similar rules makes no sense. You can have as many rules as memory allows.
 
  

