Linux – Method to drop 50% packets of the total

Tags: bash, centos, iptables, linux, packet-capture

On my machine I want only 50% of the packets to be received.

I am working on centOS 5.5.

For that I searched on the net. I found iptables. I used the random patch of iptables.

Command

sudo iptables -A INPUT -p icmp --icmp-type echo-request -m random --average 50 -j DROP

Output

iptables v1.3.5: Couldn't load match `random':/lib64/iptables/libipt_random.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

But the above shows that the library is missing.

Then how can I drop 50% of the total packets? Please correct my method above or suggest a new one.

Tell me how to add these libraries to the existing iptables package. [I tried, but these libraries are not to be found on the internet.]

Edit No. 1

I further need logging for the dropped packets, so I changed my iptables ruleset as follows:

iptables -L -n -v output is [this is running on system 1]

Chain INPUT (policy ACCEPT 1875K packets, 114M bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  2392 random_drops  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           statistic mode random probability 0.500000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2121K packets, 206M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain random_drops (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  2392 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `dropped randomly: '
   23  2392 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Then I run a script (this script is running on system 2 in two instances to create more traffic):

while [ 1 ]; do
    rsh a.b.c.d pwd;
done

on two systems. But no log is produced.

  1. /var/log/messages permissions are -rw------- root:root.
  2. /var/log/syslog is not present.

What am I missing?

Best Answer

CentOS 5.5 has neither the ipt_random nor the ipt_statistic module preinstalled. You might resort to the CentosALT repository (excuse my Russian) and use the readily compiled statistic module from there:

wget http://centos.alt.ru/repository/centos/5/x86_64/centalt-release-5-3.noarch.rpm
# [...]
rpm -Uvh centalt-release*rpm
# [...]
yum install ipt_statistic

and running

sudo iptables -A INPUT -p icmp --icmp-type echo-request -m statistic --mode random --probability 0.50 -j DROP

should yield the rule you want.

Note from the Netem documentation:

Caveats

When loss is used locally (not on a bridge or router), the loss is reported to the upper level protocols. This may cause TCP to resend and behave as if there was no loss. When testing protocol response to loss it is best to use netem on a bridge or router

although this obviously would not apply as long as you are just DROPping in the INPUT chain.
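The rule from the answer and the logging chain from the question, put together as one ruleset in iptables-restore format. This is an added example, not code from the question or the answer: the chain name `random_drops` and the log prefix are taken from the question's `iptables -L -n -v` output, the `nth` mode is an alternative the statistic match also offers (it drops exactly every N-th packet instead of flipping a coin per packet), and the root/`iptables-restore` guard is an assumption so the script can be printed and inspected on a machine where it must not be applied.

```shell
#!/bin/bash
# Added example (not from the original question or answer): build an iptables
# ruleset that drops ~50% of inbound ICMP echo-requests via the statistic match,
# passing each dropped packet through a user chain that LOGs before it DROPs.
# CHAIN and PREFIX mirror the question's ruleset; both are assumed values.
set -eu

CHAIN="random_drops"
PREFIX="dropped randomly: "

# Random mode: an independent trial per packet, so the observed drop rate only
# approaches the configured probability over many packets.
random_rule() {
    local prob="${1:-0.50}"
    echo "-A INPUT -p icmp --icmp-type echo-request -m statistic --mode random --probability ${prob} -j ${CHAIN}"
}

# Nth mode: deterministic, drops packet 0 of every N (every 2 = exactly half).
nth_rule() {
    local every="${1:-2}"
    echo "-A INPUT -p icmp --icmp-type echo-request -m statistic --mode nth --every ${every} --packet 0 -j ${CHAIN}"
}

# User chain in restore syntax: ":name - [0:0]" declares it, then LOG at kernel
# level 4 (warning, the "level 4" shown in the question) followed by DROP.
chain_rules() {
    echo ":${CHAIN} - [0:0]"
    echo "-A ${CHAIN} -j LOG --log-level 4 --log-prefix \"${PREFIX}\""
    echo "-A ${CHAIN} -j DROP"
}

# Complete filter-table fragment for iptables-restore; mode is "random" or "nth".
ruleset() {
    local mode="${1:-random}"
    echo "*filter"
    chain_rules
    case "$mode" in
        random) random_rule 0.50 ;;
        nth)    nth_rule 2 ;;
        *)      echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    echo "COMMIT"
}

# Apply with --noflush so existing rules stay, then confirm the kernel side
# loaded (the error in the question came from the userspace match library,
# libipt_statistic/libxt_statistic, which yum install ipt_statistic provides).
apply_ruleset() {
    local mode="${1:-random}"
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "not root or iptables-restore missing; printing ruleset only" >&2
        ruleset "$mode"
        return 0
    fi
    ruleset "$mode" | iptables-restore --noflush
    lsmod | grep -q '^xt_statistic' && echo "xt_statistic loaded"
    # LOG target output lands in the kernel ring buffer before any syslog
    # daemon files it, so dmesg is the first place to look for the prefix.
    dmesg | grep -F "$PREFIX" | tail -n 5 || true
}

# Only touch the firewall when explicitly asked: ./script.sh apply [random|nth]
if [ "${1:-}" = "apply" ]; then
    apply_ruleset "${2:-random}"
fi
```

Run it as `./drop50.sh apply random` (or `apply nth`) as root; without `apply` it does nothing but define the functions, and `ruleset nth` prints the fragment for review. Once traffic flows, `iptables -L -n -v` should show the LOG and DROP counters in `random_drops` equal to each other, and `dmesg | grep 'dropped randomly'` shows the log lines whether or not syslogd has routed kern.warning into /var/log/messages.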