Method to drop 50% packets of the total

linux centos iptables bash packet-capture

9,243

CentOS 5.5 does neither have the ipt_random nor the ipt_statistic modules preinstalled. You might revert to the CentosALT repository (excuse my Russian) and use the readily compiled statistic module from there:

wget http://centos.alt.ru/repository/centos/5/x86_64/centalt-release-5-3.noarch.rpm
# [...]
rpm -Uvh centalt-release*rpm
# [...]
yum install ipt_statistic

and running

sudo iptables -A INPUT -p icmp --icmp-type echo-request -m statistic --mode random --probability 0.50 -j DROP

should yield the rule you want.

Note from the Netem documentation:

Caveats

When loss is used locally (not on a bridge or router), the loss is reported to the upper level protocols. This may cause TCP to resend and behave as if there was no loss. When testing protocol reponse to loss it is best to use a netem on a bridge or router

although this obviously would not apply as long as you are just DROPping in the INPUT chain.

9,243

devsda

Updated on September 18, 2022

Comments

devsda over 1 year
On my machine I want that only 50% packets will receive.

I am working on centOS 5.5.

For that I searched on net. I got IPtables. I used random patch of IPtables.

Command
```
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m random --average 50 -j DROP
```
Output
```
iptables v1.3.5: Couldn't load match `random':/lib64/iptables/libipt_random.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
```
But above shows that that library is missing.

Then, How can I drop 50 % packets of the total. Please correct my above method or suggest new one.

Tell me how to add these libraries into the IPtables existing package. [I tried, but these libraries is not found on internet]

Edit No. 1

I further need logging for the dropped packets, so I changed my iptables ruleset as follows:

iptables -L -n -v output is [this is running on system 1]
```
Chain INPUT (policy ACCEPT 1875K packets, 114M bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  2392 random_drops  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           statistic mode random probability 0.500000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2121K packets, 206M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain random_drops (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  2392 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `dropped randomly: '
   23  2392 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
Then I run a script (This script is running on system 2 in two instances to create more traffic)
```
while [ 1 ]; do
    rsh a.b.c.d pwd;
done
```
on two systems. But there is no log formed.
1. /var/log/messages permission is -rw------- root:root.
2. /var/log/syslog is not present.
What am I missing?
- NickW about 11 years
  
  What OS are you using, debian, ubuntu?
- devsda about 11 years
  
  @NickW centOS 5.5
- NickW about 11 years
  
  What happens if you use -m statistic --mode random instead of -m random?
- devsda about 11 years
  
  @NickW statistic is also missing.
- the-wabbit about 11 years
  
  You really should be looking into netem for simulations of network conditions.
- devsda about 11 years
  
  @NickW I have iptables-1.3.5-5.3.el5_4.1.x86_64.rpm rpm for IPtables. I am working on centOS.
- NickW about 11 years
  
  I know, which is why I recommended you install that package, it's a rhel5 rpm for obtaining the modules you want..
- devsda about 11 years
  
  @NickW When I try to uninstall previous installed rpms, it fails . It said error: Failed dependencies: iptables = 1.3.5 is needed by (installed) iptables-ipv6-1.3.5-5.3.el5_4.1.x86_64 iptables is needed by (installed) iptstate-1.4-2.el5.x86_64 iptables >= 1.2.8 is needed by (installed) system-config-securitylevel-tui-1.6.29.1-6.el5.x86_64. . What to do then?
- NickW about 11 years
  
  Skip it and figure out how to get netem working I guess :)
- devsda about 11 years
  
  @NickW But netem also showing error, show in above comments please. Help me. I need this setup.
- devsda about 11 years
  
  @NickW Can I install iptables that you suggested over installed one?
devsda about 11 years

Very well explained. Can you tell me netem installaion also. As it shows RTNETLINK answers: No such file or directory by running command tc qdisc change dev eth0 root netem loss 0.1%. [I am in root right now]
devsda about 11 years

When I tested the instructions that you said in the chat by putting rsh command in infinity on three systems, and run that scripts on all three. But there is no log formed. [ ONCE LOG IS FORMED IN THE BEGINNING, THEN I CLEAN THAT /VAR/LOG/MESSAGES BY : > /var/log/messages. BUT AFTER THAT NO LOG IS FORMED]. why this happens, help me please.
devsda about 11 years

Check edit no. 1, that shows all my process.
devsda about 11 years

I solved the problem, when I reboot, all things are going fine.
vonbrand about 11 years

What package, if a kernel with the correct configuration is needed?
the-wabbit about 11 years

you do not need to reconfigure the kernel, what you need is the module binary matching the kernel's version. Take a look at my answer - the CentOSALT repository is maintaining this very module as a package.
devsda about 11 years

By using above command, we can drop 50% packets of all coming on machine. Am i right ? But when I run above script on systems, it gets answer, why? It should print only 5 outputs , if the while loop iterates 10 times. If I am wrong , correct me please .
the-wabbit about 11 years

@jhamb as already noted, the given iptables rule only would affect ICMP traffic. As rsh is using TCP for its connections, it would be entirely unaffected. If you would exchange -p icmp by -p tcp it would be affected but as TCP has own algorithms to handle packet loss, you likely would not see "just 5 successful connections out of 10" but simply significantly slowed down connection and reaction times (resulting from timeouts and retransmissions).
devsda about 11 years

What about --icmp-type. Is it also required to replace with --tcp-type ?
the-wabbit about 11 years

@jhamb no, there is no tcp-type option to the TCP protocol handler in iptables. If you only want it to affect rsh traffic, you should add a --dport 514. For other selectors, take a look at the iptables man page and examples available on the net - for example these ones