help iptables queuing

help iptables queuing

[Paridhi Bansal]

HI!!

I am using RedHat linux 7.3 with iptablesv1.2.5..I am using iptables queuing to get the packets to my application...I have used thefollowing
iptables' commands:

	iptables -t nat -A OUTPUT -j QUEUE
	iptables -t nat -A PREROUTING -j QUEUE
	iptables -t nat -A POSTROUTING -j QUEUE
	iptables -A INPUT -j QUEUE

But instead of getting all the packets,i just get first packet of every connection.For example, just first packet of TCP telnet, FTP connection (with SYN bit set and ACK not set )and not the subsequent packets.Why is this so?????

Can somebody help me with the explanation of this??????


Paridhi
-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

CareerBuilder.com has over 400,000 jobs. Be smarter about your job search
http://corp.mail.com/careers

Re: help iptables queuing

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 1086 bytes --]

Hi

Is your kernel compiled with connection tracking support (either in the
kernel, or as a module)?

Ray

On Wed, 2003-06-18 at 11:38, Paridhi Bansal wrote:
> HI!!
> 
> I am using RedHat linux 7.3 with iptablesv1.2.5..I am using iptables queuing to get the packets to my application...I have used thefollowing
> iptables' commands:
> 
> 	iptables -t nat -A OUTPUT -j QUEUE
> 	iptables -t nat -A PREROUTING -j QUEUE
> 	iptables -t nat -A POSTROUTING -j QUEUE
> 	iptables -A INPUT -j QUEUE
> 
> But instead of getting all the packets,i just get first packet of every connection.For example, just first packet of TCP telnet, FTP connection (with SYN bit set and ACK not set )and not the subsequent packets.Why is this so?????
> 
> Can somebody help me with the explanation of this??????
> 
> 
> Paridhi
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: help iptables queuing

[Paridhi Bansal]

hi

how do i check that whether conn tracking module is installed or not??

Actually, this problem was not coming earlier..suddenly has it statred coming..now what is really puzzling me is that when i also queue packets from FORWARD chain(i did this just to check in case pkts were being directly sent to this chain instead of prerouting), i receive all the packets through prerouting, forward and postrouting chains..and when i change the FORWARD back to ACCEPT all without queuing, again,the same problem..i receive only the first pktof every TCP session in prerouting and postrouting chains....

Paridhi

paridhi
--=-togof5NfyiIsESYp214i
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hi

Is your kernel compiled with connection tracking support (either in the
kernel, or as a module)?

Ray

On Wed, 2003-06-18 at 11:38, Paridhi Bansal wrote:
> HI!!
>=20
> I am using RedHat linux 7.3 with iptablesv1.2.5..I am using iptables queu=
ing to get the packets to my application...I have used thefollowing
> iptables' commands:
>=20
>       iptables -t nat -A OUTPUT -j QUEUE
>       iptables -t nat -A PREROUTING -j QUEUE
>       iptables -t nat -A POSTROUTING -j QUEUE
>       iptables -A INPUT -j QUEUE
>=20
> But instead of getting all the packets,i just get first packet of every c=
onnection.For example, just first packet of TCP telnet, FTP connection (wit=
h SYN bit set and ACK not set )and not the subsequent packets.Why is this s=
o?????
>=20
> Can somebody help me with the explanation of this??????
>=20
>=20
> Paridhi
--=20
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint =3D 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

--=-togof5NfyiIsESYp214i
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA+8D/oh1fuR/Bv+ygRAiYjAJ4lxwkffVRq3EoL7sMgTysGLGiSQQCgnJnj
J8Gn0UxV7ikesTV83upYooA=
=5ugA
-----END PGP SIGNATURE-----

--=-togof5NfyiIsESYp214i--
-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

CareerBuilder.com has over 400,000 jobs. Be smarter about your job search
http://corp.mail.com/careers

RE: help iptables queuing

[George Vieira]

DId you use `iptables -N QUEUE` ?
Your QUEUE table would only work for tables in the "filter", so it only
works for INPUT, FORWARD and OUTPUT and not the table of "nat" table.

For some reason I couldn't create a QUEUE which different tables could cross
over.. ie. -t nat can't  -j to a QUEUE which is created in -t filter.... get
it..

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Paridhi Bansal
Sent: Wednesday, June 18, 2003 7:39 PM
To: netfilter@lists.netfilter.org
Subject: help iptables queuing


HI!!

I am using RedHat linux 7.3 with iptablesv1.2.5..I am using iptables queuing
to get the packets to my application...I have used thefollowing
iptables' commands:

	iptables -t nat -A OUTPUT -j QUEUE
	iptables -t nat -A PREROUTING -j QUEUE
	iptables -t nat -A POSTROUTING -j QUEUE
	iptables -A INPUT -j QUEUE

But instead of getting all the packets,i just get first packet of every
connection.For example, just first packet of TCP telnet, FTP connection
(with SYN bit set and ACK not set )and not the subsequent packets.Why is
this so?????

Can somebody help me with the explanation of this??????


Paridhi
--
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

CareerBuilder.com has over 400,000 jobs. Be smarter about your job search
http://corp.mail.com/careers

RE: help iptables queuing

[George Vieira]

embeded

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Paridhi Bansal
Sent: Wednesday, June 18, 2003 8:49 PM
To: IPtables
Subject: Re: help iptables queuing


hi

>how do i check that whether conn tracking module is installed or not??
do a `lsmod` and check the list

Actually, this problem was not coming earlier..suddenly has it statred
coming..now what is really puzzling me is that when i also queue packets
from FORWARD chain(i did this just to check in case pkts were being directly
sent to this chain instead of prerouting), i receive all the packets through
prerouting, forward and postrouting chains..and when i change the FORWARD
back to ACCEPT all without queuing, again,the same problem..i receive only
the first pktof every TCP session in prerouting and postrouting chains....
> Don't know what exactly the problem is but I use MRTG with Iptables so I
can graph all traffic based on rules in the -N MRTG space... and it all
works fine for me.
I use `-I INPUT 1 -j MRTG` , `-I FORWARD 1 -j MRTG` , `-I OUTPUT 1 -j MRTG`
and that grabs everything.

So I don't know why yours doesn't....

RE: help iptables queuing

[Paridhi Bansal]

HI!!

When i give
iptables -I INPUT 1 -j MRTG, i get the following error:

iptables v1.2.5: Couldn't load target `MRTG':/lib/iptables/libipt_MRTG.so: cannot open shared object file: No such file or directory

how to rectify this??

and yes, ichecked ip_conntrack is installed on my m/c..

Paridhi


----- Original Message -----
From: "George Vieira" <georgev@citadelcomputer.com.au>
Date: Wed, 18 Jun 2003 21:36:23 +1000 
To: "Paridhi Bansal" <paridhibansal@mail.com>, "IPtables" <netfilter@lists.netfilter.org>
Subject: RE: help iptables queuing

> embeded
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Paridhi Bansal
> Sent: Wednesday, June 18, 2003 8:49 PM
> To: IPtables
> Subject: Re: help iptables queuing
> 
> 
> hi
> 
> >how do i check that whether conn tracking module is installed or not??
> do a `lsmod` and check the list
> 
> Actually, this problem was not coming earlier..suddenly has it statred
> coming..now what is really puzzling me is that when i also queue packets
> from FORWARD chain(i did this just to check in case pkts were being directly
> sent to this chain instead of prerouting), i receive all the packets through
> prerouting, forward and postrouting chains..and when i change the FORWARD
> back to ACCEPT all without queuing, again,the same problem..i receive only
> the first pktof every TCP session in prerouting and postrouting chains....
> > Don't know what exactly the problem is but I use MRTG with Iptables so I
> can graph all traffic based on rules in the -N MRTG space... and it all
> works fine for me.
> I use `-I INPUT 1 -j MRTG` , `-I FORWARD 1 -j MRTG` , `-I OUTPUT 1 -j MRTG`
> and that grabs everything.
> 
> So I don't know why yours doesn't....
> 
> 

-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

CareerBuilder.com has over 400,000 jobs. Be smarter about your job search
http://corp.mail.com/careers

RE: help iptables queuing

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 2374 bytes --]

On Wed, 2003-06-18 at 13:46, Paridhi Bansal wrote:
> HI!!
> 
> When i give
> iptables -I INPUT 1 -j MRTG, i get the following error:
> 
> iptables v1.2.5: Couldn't load target `MRTG':/lib/iptables/libipt_MRTG.so: cannot open shared object file: No such file or directory
> 
> how to rectify this??
You need to install the MRTG P-O-M patch and recompile and install the
iptables userspace programs and libraries.

> 
> and yes, ichecked ip_conntrack is installed on my m/c..
> 
> Paridhi
> 
> 
> ----- Original Message -----
> From: "George Vieira" <georgev@citadelcomputer.com.au>
> Date: Wed, 18 Jun 2003 21:36:23 +1000 
> To: "Paridhi Bansal" <paridhibansal@mail.com>, "IPtables" <netfilter@lists.netfilter.org>
> Subject: RE: help iptables queuing
> 
> > embeded
> > 
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Paridhi Bansal
> > Sent: Wednesday, June 18, 2003 8:49 PM
> > To: IPtables
> > Subject: Re: help iptables queuing
> > 
> > 
> > hi
> > 
> > >how do i check that whether conn tracking module is installed or not??
> > do a `lsmod` and check the list
> > 
> > Actually, this problem was not coming earlier..suddenly has it statred
> > coming..now what is really puzzling me is that when i also queue packets
> > from FORWARD chain(i did this just to check in case pkts were being directly
> > sent to this chain instead of prerouting), i receive all the packets through
> > prerouting, forward and postrouting chains..and when i change the FORWARD
> > back to ACCEPT all without queuing, again,the same problem..i receive only
> > the first pktof every TCP session in prerouting and postrouting chains....
> > > Don't know what exactly the problem is but I use MRTG with Iptables so I
> > can graph all traffic based on rules in the -N MRTG space... and it all
> > works fine for me.
> > I use `-I INPUT 1 -j MRTG` , `-I FORWARD 1 -j MRTG` , `-I OUTPUT 1 -j MRTG`
> > and that grabs everything.
> > 
> > So I don't know why yours doesn't....
> > 
> > 
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]