Method to drop 50% of the total packets
CentOS 5.5 has neither the ipt_random nor the ipt_statistic module preinstalled. You might resort to the CentOSALT repository (excuse my Russian) and use the ready-compiled statistic module from there:
wget http://centos.alt.ru/repository/centos/5/x86_64/centalt-release-5-3.noarch.rpm
# [...]
rpm -Uvh centalt-release*rpm
# [...]
yum install ipt_statistic
and running
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m statistic --mode random --probability 0.50 -j DROP
should yield the rule you want.
Note from the Netem documentation:
Caveats
When loss is used locally (not on a bridge or router), the loss is reported to the upper level protocols. This may cause TCP to resend and behave as if there was no loss. When testing protocol response to loss it is best to use netem on a bridge or router.
although this obviously would not apply as long as you are just DROPping in the INPUT chain.
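As an added example (my own script, not code from this answer or from devsda), here is the ruleset discussed above and in the comments in one place: a logging chain that is rebuilt idempotently, the 50% statistic match on INPUT, a selector for ICMP echo requests and one for rsh (TCP port 514, since an ICMP rule never touches TCP), plus helpers to measure the loss with ping and to count the LOG lines in syslog. The chain name random_drops is taken from the question's ruleset; the selector names, the IPTABLES override variable and the sample log lines are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumptions (mine): the
# statistic match is installed (module ipt_statistic or xt_statistic, plugin
# libipt_statistic.so), the script runs as root, and IPTABLES may be
# overridden (e.g. IPTABLES=echo) for a dry run.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="random_drops"            # chain name reused from the question

# Packet selector for the traffic to degrade. "icmp" matches only echo
# requests, so a ping test sees the loss; "rsh" matches TCP port 514,
# the port rsh connects to (an ICMP rule never affects TCP traffic).
match_args() {
    case "$1" in
        icmp) echo "-p icmp --icmp-type echo-request" ;;
        rsh)  echo "-p tcp --dport 514" ;;
        *)    echo "unknown selector: $1" >&2; return 1 ;;
    esac
}

# iptables can only print the match's help when it can load the userspace
# plugin; a missing libipt_statistic.so makes this exit non-zero.
have_statistic_match() {
    $IPTABLES -m statistic -h >/dev/null 2>&1
}

# Create the chain if missing, then rebuild its contents so that re-running
# the script never stacks duplicate LOG/DROP rules. The random decision is
# taken once in the INPUT rule; everything sent to the chain is logged and
# then dropped, so the LOG and DROP counters stay equal.
install_rules() {
    proto="$1"; prob="${2:-0.50}"
    sel=$(match_args "$proto") || return 1
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -F "$CHAIN"
    $IPTABLES -A "$CHAIN" -j LOG --log-level 4 --log-prefix "dropped randomly: "
    $IPTABLES -A "$CHAIN" -j DROP
    # shellcheck disable=SC2086   # $sel is intentionally word-split
    $IPTABLES -A INPUT $sel -m statistic --mode random --probability "$prob" -j "$CHAIN"
}

# Delete one INPUT rule; the chain itself is removed separately, once no
# INPUT rule references it any more.
remove_rules() {
    proto="$1"; prob="${2:-0.50}"
    sel=$(match_args "$proto") || return 1
    # shellcheck disable=SC2086
    $IPTABLES -D INPUT $sel -m statistic --mode random --probability "$prob" -j "$CHAIN"
}

remove_chain() {
    $IPTABLES -F "$CHAIN" && $IPTABLES -X "$CHAIN"
}

# Pull the loss percentage out of ping's summary line (read from stdin).
loss_percent() {
    sed -n 's/.* \([0-9][0-9]*\)% packet loss.*/\1/p'
}

# Count the packets the LOG rule recorded, reading syslog text from stdin
# (grep -c prints 0 but exits 1 when nothing matches, hence the || true).
dropped_count() {
    grep -c 'dropped randomly: ' || true
}

# Send COUNT pings to HOST from another machine and print the observed loss.
# With probability 0.50 expect roughly, not exactly, 50%: every packet is an
# independent coin flip.
measure_loss() {
    host="$1"; count="${2:-100}"
    ping -q -c "$count" "$host" 2>/dev/null | loss_percent
}

# Usage (as root): sh drop50.sh install | remove | measure <host>
case "${1:-}" in
    install) have_statistic_match || { echo "statistic match not available" >&2; exit 1; }
             install_rules icmp 0.50 && install_rules rsh 0.50 ;;
    remove)  remove_rules icmp 0.50; remove_rules rsh 0.50; remove_chain ;;
    measure) measure_loss "$2" 100 ;;
esac
```

Run `sh drop50.sh install` on the machine that should lose packets, then `sh drop50.sh measure <that host>` from a second box; `grep -c 'dropped randomly: ' /var/log/messages` on the first box should be close to the number of lost pings. For rsh the effect is a slowed-down session rather than half the connections failing, because TCP retransmits the dropped segments.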
devsda
Updated on September 18, 2022
Comments
devsda over 1 year
On my machine I want only 50% of packets to be received.
I am working on CentOS 5.5.
For that I searched the net. I found iptables. I used the random patch of iptables.
Command
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m random --average 50 -j DROP
Output
iptables v1.3.5: Couldn't load match `random':/lib64/iptables/libipt_random.so: cannot open shared object file: No such file or directory Try `iptables -h' or 'iptables --help' for more information.
But the above shows that the library is missing.
Then how can I drop 50% of the total packets? Please correct my above method or suggest a new one.
Tell me how to add these libraries into the existing iptables package. [I tried, but these libraries are not found on the internet]
Edit No. 1
I further need logging for the dropped packets, so I changed my iptables ruleset as follows:
iptables -L -n -v
The output is [this is running on system 1]:
Chain INPUT (policy ACCEPT 1875K packets, 114M bytes)
 pkts bytes target       prot opt in  out  source      destination
   23  2392 random_drops icmp --  *   *    0.0.0.0/0   0.0.0.0/0   statistic mode random probability 0.500000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target       prot opt in  out  source      destination

Chain OUTPUT (policy ACCEPT 2121K packets, 206M bytes)
 pkts bytes target       prot opt in  out  source      destination

Chain random_drops (1 references)
 pkts bytes target       prot opt in  out  source      destination
   23  2392 LOG          all  --  *   *    0.0.0.0/0   0.0.0.0/0   LOG flags 0 level 4 prefix `dropped randomly: '
   23  2392 DROP         all  --  *   *    0.0.0.0/0   0.0.0.0/0
Then I run a script (This script is running on system 2 in two instances to create more traffic)
while [ 1 ]; do rsh a.b.c.d pwd; done
on two systems. But no log is formed.
- /var/log/messages permission is -rw------- root:root.
- /var/log/syslog is not present.
What am I missing?
- NickW about 11 years: What OS are you using, Debian, Ubuntu?
- devsda about 11 years: @NickW CentOS 5.5
- NickW about 11 years: What happens if you use -m statistic --mode random instead of -m random?
- devsda about 11 years: @NickW statistic is also missing.
- the-wabbit about 11 years: You really should be looking into netem for simulations of network conditions.
- devsda about 11 years: @NickW I have the iptables-1.3.5-5.3.el5_4.1.x86_64.rpm rpm for iptables. I am working on CentOS.
- NickW about 11 years: I know, which is why I recommended you install that package; it's a RHEL5 rpm for obtaining the modules you want.
- devsda about 11 years: @NickW When I try to uninstall the previously installed rpms, it fails. It said: error: Failed dependencies: iptables = 1.3.5 is needed by (installed) iptables-ipv6-1.3.5-5.3.el5_4.1.x86_64 iptables is needed by (installed) iptstate-1.4-2.el5.x86_64 iptables >= 1.2.8 is needed by (installed) system-config-securitylevel-tui-1.6.29.1-6.el5.x86_64. What to do then?
- NickW about 11 years: Skip it and figure out how to get netem working I guess :)
- devsda about 11 years: @NickW But netem is also showing an error, shown in the above comments please. Help me. I need this setup.
- devsda about 11 years: @NickW Can I install the iptables that you suggested over the installed one?
- devsda about 11 years: Very well explained. Can you tell me the netem installation also? As it shows RTNETLINK answers: No such file or directory by running the command tc qdisc change dev eth0 root netem loss 0.1%. [I am root right now]
- devsda about 11 years: When I tested the instructions that you gave in the chat by putting the rsh command in an infinite loop on three systems, and ran that script on all three, there was no log formed. [Once a log is formed in the beginning, I clean /var/log/messages by: > /var/log/messages. But after that no log is formed.] Why does this happen? Help me please.
- devsda about 11 years: Check edit no. 1, that shows all my process.
- devsda about 11 years: I solved the problem; when I reboot, everything works fine.
- vonbrand about 11 years: What package, if a kernel with the correct configuration is needed?
- the-wabbit about 11 years: You do not need to reconfigure the kernel; what you need is the module binary matching the kernel's version. Take a look at my answer: the CentOSALT repository maintains this very module as a package.
- devsda about 11 years: By using the above command, we can drop 50% of all packets coming to the machine. Am I right? But when I run the above script on the systems, it gets an answer; why? It should print only 5 outputs if the while loop iterates 10 times. If I am wrong, correct me please.
- the-wabbit about 11 years: @jhamb As already noted, the given iptables rule would only affect ICMP traffic. As rsh uses TCP for its connections, it would be entirely unaffected. If you exchanged -p icmp for -p tcp it would be affected, but as TCP has its own algorithms to handle packet loss, you likely would not see "just 5 successful connections out of 10" but simply significantly slowed-down connection and reaction times (resulting from timeouts and retransmissions).
- devsda about 11 years: What about --icmp-type? Is it also required to replace it with --tcp-type?
- the-wabbit about 11 years: @jhamb No, there is no tcp-type option to the TCP protocol handler in iptables. If you only want it to affect rsh traffic, you should add a --dport 514. For other selectors, take a look at the iptables man page and examples available on the net, for example these ones.