[LARTC] where s filtering done?

[LARTC] where s filtering done?

[Fatih Düzova]

hello,
I am trying to find where filtering is done in order to drop packets
randomly there (eg.10%of them) for a testing purpose in a school
project.
I want to do this after packet is filtered and before being sent. I d
aprreciate if you could help or suggest.
Thanks.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] where s filtering done?

[Kiruthika Selvamani]

filtering is done right at the place where your packet leaves qdisc
and gets read to go out of the outbound interface. Before a packet
leaves the interface it is requested from the qdisc where it is
residing. As it traverses the virtual tree in the qdisc it checks what
filters are attached to that packet and applies those filter and then
lets them out.
The link below might a give a clear picture of how traffic control works 
http://www.mnis.fr/en/support/doc/rtos/x1252.html

Kiruthika

On 6/23/05, Fatih Düzova <fduzova@gmail.com> wrote:
> hello,
> I am trying to find where filtering is done in order to drop packets
> randomly there (eg.10%of them) for a testing purpose in a school
> project.
> I want to do this after packet is filtered and before being sent. I d
> aprreciate if you could help or suggest.
> Thanks.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] where s filtering done?

[Dmytro O. Redchuk]

On Thu, Jun 23, 2005 at 07:07:28PM +0300, Fatih D?zova wrote:
> hello,
> I am trying to find where filtering is done in order to drop packets
> randomly there (eg.10%of them) for a testing purpose in a school
> project.
> I want to do this after packet is filtered and before being sent. I d
> aprreciate if you could help or suggest.
I guess you could do that with iptables.

I didnt try, but `man iptables' told me about
iptables ... --match random --average <percent> ...

I use iptables-1.2.11. (Also '--match nth --every <value>' is there)

> Thanks.

-- 
  _,-=._              /|_/|
  `-.}   `=._,.-=-._.,  @ @._,
     `._ _,-.   )      _,.-'
        `    G.m-"^m`m'        Dmytro O. Redchuk

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] where s filtering done?

[Fatih Düzova]

Thank you for the suggestion you gave. 
Could you give me a simple example of  "iptables ... --match random
--average <percent> ..." ?, because I could not understand how to
implement it..
Thank you,

FD




On 6/24/05, Dmytro O. Redchuk <dor@ldc.net> wrote:
> On Thu, Jun 23, 2005 at 07:07:28PM +0300, Fatih D?zova wrote:
> > hello,
> > I am trying to find where filtering is done in order to drop packets
> > randomly there (eg.10%of them) for a testing purpose in a school
> > project.
> > I want to do this after packet is filtered and before being sent. I d
> > aprreciate if you could help or suggest.
> I guess you could do that with iptables.
> 
> I didnt try, but `man iptables' told me about
> iptables ... --match random --average <percent> ...
> 
> I use iptables-1.2.11. (Also '--match nth --every <value>' is there)
> 
> > Thanks.
> 
> --
>  _,-=._              /|_/|
>  `-.}   `=._,.-=-._.,  @ @._,
>     `._ _,-.   )      _,.-'
>        `    G.m-"^m`m'        Dmytro O. Redchuk
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] where s filtering done?

[Dmytro O. Redchuk]

On Fri, Jun 24, 2005 at 01:40:50PM +0300, Fatih D?zova wrote:
> Thank you for the suggestion you gave. 
> Could you give me a simple example of  "iptables ... --match random
> --average <percent> ..." ?, because I could not understand how to
> implement it..
> Thank you,
Mmmm... Let me try...

Oh sorry... My distro lacks libipt_random.so %)

Anyway I would try something like:

# iptables -A INPUT --match random --average 10 \
	--protocol icmp --icmp-type echo-reply -j DROP

or

# iptables -A OUTPUT --match random --average 10 \
	--protocol icmp --icmp-type echo-request -j DROP


... to achieve 10% drop of echo replies for local machine.



Sorry, I must submit a bug to bugzilla :-) see you..

> 
> FD

-- 
  _,-=._              /|_/|
  `-.}   `=._,.-=-._.,  @ @._,
     `._ _,-.   )      _,.-'
        `    G.m-"^m`m'        Dmytro O. Redchuk

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] where s filtering done?

[Fatih Düzova]

Thank you! you are really great. I m sure I m getting make u bored
with my questions due to being a newbie in iptables tool, but I wonder
whether it could be done on a determined IP address or a port such as
80, instead of icmp packets?
Thanks,

FD

On 6/24/05, Dmytro O. Redchuk <dor@ldc.net> wrote:
> On Fri, Jun 24, 2005 at 01:40:50PM +0300, Fatih D?zova wrote:
> > Thank you for the suggestion you gave.
> > Could you give me a simple example of  "iptables ... --match random
> > --average <percent> ..." ?, because I could not understand how to
> > implement it..
> > Thank you,
> Mmmm... Let me try...
> 
> Oh sorry... My distro lacks libipt_random.so %)
> 
> Anyway I would try something like:
> 
> # iptables -A INPUT --match random --average 10 \
>        --protocol icmp --icmp-type echo-reply -j DROP
> 
> or
> 
> # iptables -A OUTPUT --match random --average 10 \
>        --protocol icmp --icmp-type echo-request -j DROP
> 
> 
> ... to achieve 10% drop of echo replies for local machine.
> 
> 
> 
> Sorry, I must submit a bug to bugzilla :-) see you..
> 
> >
> > FD
> 
> --
>  _,-=._              /|_/|
>  `-.}   `=._,.-=-._.,  @ @._,
>     `._ _,-.   )      _,.-'
>        `    G.m-"^m`m'        Dmytro O. Redchuk
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] where s filtering done?

[Dmytro O. Redchuk]

On Fri, Jun 24, 2005 at 02:28:26PM +0300, Fatih D?zova wrote:
> Thank you! you are really great. I m sure I m getting make u bored
> with my questions due to being a newbie in iptables tool, but I wonder
> whether it could be done on a determined IP address or a port such as
> 80, instead of icmp packets?
> Thanks,
:-)
Surely.

(Have you ever read man iptables? Or any iptables tutorial? Would be very
helpful, really)

[-s source_addr]|[-d dest_addr] -p tcp [--sport www]|[--dport www]
instead of 
--protocol icmp --icmp-type [echo-reply]|[echo-request]

To drop some packets which are going outside to remote www from local
machine:

# iptables -A OUTPUT \
	-d <remote_IP> --dport www \
	--match random --average 10 \
	-j DROP


ps linux is great :-)

-- 
  _,-=._              /|_/|
  `-.}   `=._,.-=-._.,  @ @._,
     `._ _,-.   )      _,.-'
        `    G.m-"^m`m'        Dmytro O. Redchuk

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] where s filtering done?

[Fatih Düzova]

You saved my life!! 
I ve just read an iptables tutorial after I sent u the e-mail, and
seen how wonderful it can be. I will use it in my project for a
testing purpose on the queues created with htb.
Thank you very much!

FD

On 6/24/05, Dmytro O. Redchuk <dor@ldc.net> wrote:
> On Fri, Jun 24, 2005 at 02:28:26PM +0300, Fatih D?zova wrote:
> > Thank you! you are really great. I m sure I m getting make u bored
> > with my questions due to being a newbie in iptables tool, but I wonder
> > whether it could be done on a determined IP address or a port such as
> > 80, instead of icmp packets?
> > Thanks,
> :-)
> Surely.
> 
> (Have you ever read man iptables? Or any iptables tutorial? Would be very
> helpful, really)
> 
> [-s source_addr]|[-d dest_addr] -p tcp [--sport www]|[--dport www]
> instead of
> --protocol icmp --icmp-type [echo-reply]|[echo-request]
> 
> To drop some packets which are going outside to remote www from local
> machine:
> 
> # iptables -A OUTPUT \
>        -d <remote_IP> --dport www \
>        --match random --average 10 \
>        -j DROP
> 
> 
> ps linux is great :-)
> 
> --
>  _,-=._              /|_/|
>  `-.}   `=._,.-=-._.,  @ @._,
>     `._ _,-.   )      _,.-'
>        `    G.m-"^m`m'        Dmytro O. Redchuk
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc