4

On my machine I want only 50% of packets to be received.

I am working on CentOS 5.5.

For that I searched on the net and found iptables. I used the random patch of iptables.

Command

sudo iptables -A INPUT -p icmp --icmp-type echo-request -m random --average 50 -j DROP

Output

iptables v1.3.5: Couldn't load match `random':/lib64/iptables/libipt_random.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

But the above shows that the library is missing.

Then, how can I drop 50% of the total packets? Please correct my above method or suggest a new one.

Tell me how to add these libraries to the existing iptables package. [I tried, but these libraries are not found on the internet.]

Edit No. 1

I further need logging for the dropped packets, so I changed my iptables ruleset as follows:

iptables -L -n -v output is [this is running on system 1]

Chain INPUT (policy ACCEPT 1875K packets, 114M bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  2392 random_drops  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           statistic mode random probability 0.500000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2121K packets, 206M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain random_drops (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  2392 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `dropped randomly: '
   23  2392 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Then I run a script (this script is running on system 2 in two instances to create more traffic)

while [ 1 ]; do
    rsh a.b.c.d pwd;
done

on two systems. But no log is formed.

  1. /var/log/messages permission is -rw------- root:root.
  2. /var/log/syslog is not present.

What am I missing?

the-wabbit
devsda
  • What OS are you using, debian, ubuntu? – NickW Mar 21 '13 at 10:21
  • @NickW centOS 5.5 – devsda Mar 21 '13 at 10:22
  • What happens if you use `-m statistic --mode random` instead of `-m random`? – NickW Mar 21 '13 at 10:23
  • @NickW statistic is also missing. – devsda Mar 21 '13 at 10:25
  • You really should be looking into [`netem`](http://www.linuxfoundation.org/collaborate/workgroups/networking/netem#Packet_loss) for simulations of network conditions. – the-wabbit Mar 21 '13 at 10:27
  • In the meantime, try installing iptables-sources. Here's one possibility: http://pkgs.org/centos-5-rhel-5/centalt-i386/iptables-sources-1.3.5-5.el5.noarch.rpm.html – NickW Mar 21 '13 at 10:29
  • @NickW I have the iptables-1.3.5-5.3.el5_4.1.x86_64.rpm rpm for iptables. I am working on CentOS. – devsda Mar 21 '13 at 10:33
  • @syneticon-dj When I run `tc qdisc change dev eth0 root netem loss 0.1%` command it shows `RTNETLINK answers: No such file or directory` – devsda Mar 21 '13 at 10:37
  • I know, which is why I recommended you install that package; it's a rhel5 rpm for obtaining the modules you want. – NickW Mar 21 '13 at 10:39
  • @NickW When I try to uninstall the previously installed rpms, it fails. It says `error: Failed dependencies: iptables = 1.3.5 is needed by (installed) iptables-ipv6-1.3.5-5.3.el5_4.1.x86_64 iptables is needed by (installed) iptstate-1.4-2.el5.x86_64 iptables >= 1.2.8 is needed by (installed) system-config-securitylevel-tui-1.6.29.1-6.el5.x86_64. `. What to do then? – devsda Mar 21 '13 at 10:51
  • Skip it and figure out how to get netem working I guess :) – NickW Mar 21 '13 at 10:54
  • @NickW But netem is also showing an error; see the above comments please. Help me. I need this setup. – devsda Mar 21 '13 at 10:56
  • @NickW Can I install iptables that you suggested over installed one? – devsda Mar 21 '13 at 10:57
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/8010/discussion-between-nickw-and-jhamb) – NickW Mar 21 '13 at 11:03
  • The trouble in your [Edit No. 1] section seems to be that you are logging/dropping ICMP traffic but the `rsh` executions would induce TCP traffic - so there simply is nothing that is caught by the rules (the number of "pkts" in `iptables -L -v -n` output is telling you how often this rule has matched since creation or counter reset - yours has matched 23 times which is not all that much for an endless loop). Other than that, as this is a different problem, it is best to ask a different question. – the-wabbit Mar 22 '13 at 13:26

2 Answers

6

CentOS 5.5 has neither the ipt_random nor the ipt_statistic modules preinstalled. You might revert to the CentosALT repository (excuse my Russian) and use the readily compiled statistic module from there:

wget http://centos.alt.ru/repository/centos/5/x86_64/centalt-release-5-3.noarch.rpm
# [...]
rpm -Uvh centalt-release*rpm
# [...]
yum install ipt_statistic

and running

sudo iptables -A INPUT -p icmp --icmp-type echo-request -m statistic --mode random --probability 0.50 -j DROP

should yield the rule you want.

Note from the Netem documentation:

Caveats

When loss is used locally (not on a bridge or router), the loss is reported to the upper level protocols. This may cause TCP to resend and behave as if there was no loss. When testing protocol response to loss it is best to use a netem on a bridge or router

although this obviously would not apply as long as you are just DROPping in the INPUT chain.

the-wabbit
  • Very well explained. Can you tell me the netem installation also? It shows `RTNETLINK answers: No such file or directory ` when running the command `tc qdisc change dev eth0 root netem loss 0.1%`. [I am root right now] – devsda Mar 21 '13 at 14:19
  • I tested the instructions that you gave in the chat by putting the `rsh` command in an infinite loop on three systems and running that script on all three. But no log is formed. [ ONCE A LOG IS FORMED IN THE BEGINNING, I CLEAN /VAR/LOG/MESSAGES BY `: > /var/log/messages`. BUT AFTER THAT NO LOG IS FORMED]. Why does this happen? Help me please. – devsda Mar 22 '13 at 06:45
  • Check edit no. 1, that shows all my process. – devsda Mar 22 '13 at 07:21
  • I solved the problem; when I reboot, everything works fine. – devsda Mar 22 '13 at 08:39
  • By using the above command, we can drop 50% of all packets coming to the machine. Am I right? But when I run the above script on the systems, it gets an answer, why? It should print only 5 outputs if the while loop iterates 10 times. If I am wrong, correct me please. – devsda Mar 22 '13 at 13:50
  • @jhamb as already noted, the given iptables rule only would affect ICMP traffic. As `rsh` is using TCP for its connections, it would be entirely unaffected. If you would exchange `-p icmp` by `-p tcp` it *would* be affected but as TCP has own algorithms to handle packet loss, you likely would not see *"just 5 successful connections out of 10"* but simply significantly slowed down connection and reaction times (resulting from timeouts and retransmissions). – the-wabbit Mar 22 '13 at 22:56
  • What about `--icmp-type`? Does it also need to be replaced with `--tcp-type`? – devsda Mar 24 '13 at 08:37
  • @jhamb no, there is no `tcp-type` option to the TCP protocol handler in iptables. If you only want it to affect rsh traffic, you should add a `--dport 514`. For other selectors, take a look at the iptables man page and examples available on the net - for example [these ones](http://www.thegeekstuff.com/2011/06/iptables-rules-examples/) – the-wabbit Mar 24 '13 at 23:42
0

This is a kernel configuration issue. See iptables-extensions(8), it explains the statistic module:

iptables ... -m statistic --mode random --probability 0.5 ...

(fill in ... as required).

This is kernel configuration CONFIG_NETFILTER_XT_MATCH_STATISTIC, set to module here (Fedora 18, kernel-3.8.3-201.fc18.x86_64, iptables-1.4.16.2-5.fc18.x86_64). There is no matching ipt_statistic shared object around for the iptables userland executable.

vonbrand
  • He would need to go through the Kernel compilation procedure which he appears unfamiliar with. It is so much easier to install a package. – the-wabbit Mar 22 '13 at 13:30
  • What package, if a kernel with the correct configuration is needed? – vonbrand Mar 22 '13 at 13:32
  • You do not need to reconfigure the kernel; what you need is the module binary matching the kernel's version. Take a look at my answer - the CentOSALT repository is maintaining this very module as a package. – the-wabbit Mar 22 '13 at 13:37