How to mangle a packet (QoS) using iptables before the packet is delivered out.
I successfully ran ip -Q 33 192.168.100.11 and captured the QoS at the receiver end using Wireshark.
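The rules below are an added example, not something from the post or its replies. They set the DSCP field on packets leaving the box from the mangle table, with the DSCP target that iptables ships; the receiver 192.168.100.11 is the host named above, the DSCP value 46 is an assumption. The two helper functions convert between the whole TOS byte, which is what a packet capture shows in the IP header, and the six-bit DSCP value the target takes. Commands are printed rather than run unless IPT is set to the real binary.

```shell
#!/bin/sh
# Added example, not from the original post: mark outbound packets with a DSCP
# value from the mangle table. Dry run by default (rules are printed); run as
# root with IPT=/sbin/iptables to apply.
IPT=${IPT:-"echo /sbin/iptables"}

# The 8-bit TOS byte carries the DSCP in its top six bits (the low two bits
# are ECN), so tos = dscp * 4 and dscp = tos / 4.
dscp_to_tos() { echo $(( $1 * 4 )); }
tos_to_dscp() { echo $(( $1 / 4 )); }

# mangle POSTROUTING is the last hook before a packet leaves, and it sees both
# packets this host generates and packets it forwards, so one rule covers both.
qos_rules() {
    dst=$1
    dscp=$2
    $IPT -t mangle -A POSTROUTING -d "$dst" -j DSCP --set-dscp "$dscp"
}

# Assumed values: receiver from the post, DSCP 46 (the EF class).
qos_rules 192.168.100.11 46
```

After applying, `iptables -t mangle -L POSTROUTING -v -n` shows the packet counter on the rule climbing, and a capture on the receiver shows the new TOS byte (46 * 4 = 184, 0xb8) in the IP header.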
Hi Friends,
I have migrated from RHEL-5.9 to RHEL-6.5 on my server. But the iptables rules that work in RHEL-5.9 are not working in RHEL-6.5 with the same rules. Please check my rules; the details are below.
eth1 is for incoming traffic.
ppp0, ppp1, ppp2 and ppp3 are DSL connections and are used for outgoing traffic.
I am able to send the traffic through each line separately but cannot load-balance across all ppp interfaces through iptables.
I am using iptables mangle rules to distribute the traffic.
/sbin/iptables -t mangle -A OUTPUT -p tcp -m statistic --mode nth --every 4 --packet 0 -m tcp --tcp-flags FIN,SYN,ACK SYN -j MARK --set-mark 1
/sbin/iptables -t mangle -A OUTPUT -p tcp -m statistic --mode nth --every 4 --packet 1 -m tcp --tcp-flags FIN,SYN,ACK SYN -j MARK --set-mark 2
/sbin/iptables -t mangle -A OUTPUT -p tcp -m statistic --mode nth --every 4 --packet 2 -m tcp --tcp-flags FIN,SYN,ACK SYN -j MARK --set-mark 3
/sbin/iptables -t mangle -A OUTPUT -p tcp -m statistic --mode nth --every 4 -m tcp --tcp-flags FIN,SYN,ACK SYN -j MARK --set-mark 4
/sbin/ip route add table ppp0 default dev ppp0
/sbin/ip route add table ppp1 default dev ppp1
/sbin/ip route add table ppp2 default dev ppp2
/sbin/ip route add table ppp3 default dev ppp3
/sbin/ip rule add fwmark 1 pref 200 table ppp1
/sbin/ip rule add fwmark 2 pref 200 table ppp2
/sbin/ip rule add fwmark 3 pref 200 table ppp3
/sbin/ip rule add fwmark 4 pref 200 table ppp0
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp2 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp3 -j MASQUERADE
/sbin/ip route app default equalize nexthop dev ppp0 nexthop dev ppp1 nexthop dev ppp2 nexthop dev ppp3
It was not working at all, and after reading some articles about changing the kernel parameter I am able to send the traffic, but it works only for some time and then drops connections without any errors.
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
net.ipv4.conf.default.rp_filter = 2
The same rules were working perfectly in RHEL-5.9. Do I need to change any other kernel parameter to get this done?
Please let me know which kernel parameters have to be changed to get this working like in RHEL-5.9.
Thanks,
Sekar
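The script below is an added example and not the poster's configuration or any reply to it. Two things about the rules above are worth noting regardless of kernel version: the mangle OUTPUT chain only sees packets this host generates itself, so traffic forwarded from eth1 is never marked by it, and marking only the SYN with no connection mark means later packets of the same connection are routed by the main table rather than the link the SYN left on. The example keeps the same idea (fwmark per link, one routing table and one MASQUERADE rule per link, loose rp_filter) but marks the first packet of every new connection, saves the mark into conntrack with CONNMARK and restores it on every later packet, so a flow stays on one link. It uses a decreasing `--every 4, 3, 2, rest` sequence because each statistic rule keeps its own counter and only sees the connections the rules before it left unmarked; that gives four equal shares. Interface names are taken from the post, table numbers are assumptions. Commands are printed unless IPT, IP and SYSCTL are set to the real binaries.

```shell
#!/bin/sh
# Added example, not the poster's script: per-connection balancing over several
# ppp links with CONNMARK, so every packet of a flow leaves on the same link.
# Dry run by default (commands are printed); run as root with
#   IPT=/sbin/iptables IP=/sbin/ip SYSCTL=/sbin/sysctl sh multiwan.sh
# to apply.
IPT=${IPT:-"echo /sbin/iptables"}
IP=${IP:-"echo /sbin/ip"}
SYSCTL=${SYSCTL:-"echo /sbin/sysctl"}
WAN_IFS=${WAN_IFS:-"ppp0 ppp1 ppp2 ppp3"}   # link names from the post

wan_count() { set -- $WAN_IFS; echo $#; }

# CHAIN is PREROUTING for traffic forwarded from eth1 and OUTPUT for connections
# this host opens itself; mangle OUTPUT never sees forwarded packets.
mark_rules() {
    chain=$1
    n=$(wan_count)
    # Give every packet the mark stored on its connection (0 for a new one).
    $IPT -t mangle -A "$chain" -j CONNMARK --restore-mark
    i=0
    for wan in $WAN_IFS; do
        mark=$((i + 1))
        every=$((n - i))
        if [ "$every" -gt 1 ]; then
            # Only still-unmarked first packets of new connections reach the
            # counter, so "every 4", then "every 3", then "every 2" each take
            # one quarter of the total and the last rule takes the rest.
            $IPT -t mangle -A "$chain" -m mark --mark 0 -m state --state NEW \
                -m statistic --mode nth --every "$every" --packet 0 \
                -j MARK --set-mark "$mark"
        else
            $IPT -t mangle -A "$chain" -m mark --mark 0 -m state --state NEW \
                -j MARK --set-mark "$mark"
        fi
        i=$((i + 1))
    done
    # Store the chosen mark on the conntrack entry for the rest of the flow.
    $IPT -t mangle -A "$chain" -m state --state NEW -j CONNMARK --save-mark
}

# One routing table and one ip rule per link. Numeric table ids (assumed: 100..)
# avoid editing /etc/iproute2/rt_tables. MASQUERADE per link so replies return
# on the link the flow left on.
route_rules() {
    i=0
    for wan in $WAN_IFS; do
        mark=$((i + 1))
        table=$((100 + i))
        $IP route add default dev "$wan" table "$table"
        $IP rule add fwmark "$mark" table "$table" pref 200
        $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
        i=$((i + 1))
    done
}

apply_all() {
    # Loose reverse-path filtering, as in the post: a reply may arrive on a
    # link other than the one the main table would have chosen.
    $SYSCTL -w net.ipv4.conf.all.rp_filter=2
    $SYSCTL -w net.ipv4.conf.default.rp_filter=2
    mark_rules PREROUTING
    mark_rules OUTPUT
    route_rules
}

apply_all
```

Run it once without setting the binaries to read the full command list, then with them as root. `iptables -t mangle -L PREROUTING -v -n` should show the four MARK rules with roughly equal packet counters, and `conntrack -L` (where installed) shows the saved mark on each flow.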
I have a typical requirement: I want a converter module that can convert a UDP packet into a TCP packet, and I need to do it before the packet is processed in the IP layer.
I will explain the complete scenario using an example.
Let's say we have three machines: A, B and C.
A sends a UDP packet.
B receives the UDP packet.
At B, when the packet is being handed to the IP layer (from the link / MAC / Ethernet layer), I want to get hold of the packet. I want to delete the UDP and IP headers in the packet. I want to add TCP and IP headers (assuming C is the destination host).
Now, from machine B, the packet is sent to machine C.
Can somebody help me with how this can be done? I am using Linux machines.
Though libpcap could be one option (as used by Wireshark), it is not suitable for me for performance reasons. I want a very lightweight solution for this problem.
I'm trying to find out if iptables supports creating jitter, as it does for packet loss. I'm using 'iptables -A INPUT -m statistic --mode random --probability 0.02 -j DROP' to simulate packet loss, but can I do something similar to create jitter? I think tc would do it, but our firmware does not support it. If there is an alternative solution, any advice would be greatly appreciated.
Hello! I hope this post gets in the right place, because I'm a newbie at Linux.
I'm trying to set up a web server, Apache, and I'm confused about which chain to set in iptables. I hoped someone could answer me in a little more detail. I've tried googling, but the answers were quite confusing for me. Anyway, here are the statements:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
and
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
I know that -A INPUT is for incoming packets and -p specifies the protocol TCP. But I'm unsure what -m does. In the first line it is just "-m tcp" and in the second it is "-m state --state". So if someone could explain the difference and which one to use, I would be grateful.
And another question while I'm at it. At the start of iptables I have:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
What happens if I get a packet destined for some service that isn't a chain in iptables? Take port 80 for example: will iptables accept the packet, but drop it at the end because there isn't any hit? If you understand what I mean. If -P INPUT were DENY instead of ACCEPT, would the packet never get examined further than the first line?
Almost at the bottom of iptables there is a line:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Is it the chain that will be matched if there is no hit prior to it? What would happen if this line wasn't there?
Thank you very much for your help, I just want to be a little sure how iptables works.
Best Regards; Stefan
I am trying to set up a "Proxy Server" in Linux, without using Squid (part of my project). However, I have only beginner's knowledge of iptables. I am using the following script from http://www.aboutdebian.com/proxy.
#!/bin/sh
INTIF="eth1"
EXTIF="eth0"
EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
The question is: there is no packet forwarding from eth1 to eth0 (verified with Wireshark; a Windows machine is using eth1's IP address as its default gateway).
Any help would be highly appreciated!
I am implementing a new protocol in NS2.
I am stuck at a point; kindly help me.
Is it possible to make two different types of packets (containing different headers) in the same simulation?
In my protocol there are two types of struct header { }. In a few instances I want to use one, and in other instances I want to use the other. One of the structures has far fewer fields than the other, so this would reduce the size of the packet I'm sending.
Is it possible? And if yes, how do I implement that?
One patch will add changes to some files, say common/packet.h, queue/priqueue.h, queue/priqueue.cc, tcl/lib/ns-lib.tcl, tcl/lib/ns-default.tcl, tcl/lib/ns-packet.tcl. And the next patch may undo those first changes, and even add something that conflicts with the functions intended in the first patch. A few patches are meant to live together, or at least have no conflicts. Most others are not.
I don't know the above. Help me.
Hi everyone,
I have a question about iptables.
This line:
Code:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Why is there a "-m tcp"? What does this mean? I checked some books and the man page, and I did not find what it means.
Thank you very much for your help.
Hi,
So, I am learning meteor.js and signed up for a (cheap, i.e. no support) VPS to host my Meteor app. Everything is running fine, but I am trying to understand better how Linux works, so here is my question:
I am running CentOS 7 on the VPS but it still uses iptables for its firewall.
I had to enable port 80 to access the web server. However, if I reboot the server, it stops working until I do
Code:
iptables -F
Then everything works. But I am thinking that -F might not be the best thing. I have changed the default SSH port from 22 to something else, and that also works, but I don't think I ever added it to the iptables rules.
If I do a port scan, the new SSH port is indicated as open, as well as port 80, but the others are closed as they are supposed to be.
Any idea what is going on behind the scenes that requires iptables -F for the web access to work properly? And if I shouldn't be doing iptables -F (I have it in the rc.local file), what is the right way of doing it?
(BTW, I am computer literate but not that familiar with Linux, which I am trying to learn now.)
Kamal
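The script below is an added example serving three of the questions on this page (Stefan's chain and "-m tcp" question, the later "-m tcp" question, and Kamal's iptables -F question); it is not from any of the posts or replies. On "-m tcp": `-p tcp` makes iptables load the tcp match module automatically, and `--dport` is an option of that module, which is why `iptables-save` always writes the rule back with an explicit `-m tcp`. `-m state --state NEW` is a second, independent match that restricts the rule to the first packet of a connection. On chain traversal: rules are tried top to bottom and the first match decides; the chain policy (`-P`) applies only to packets no rule matched, so a final `-j REJECT` rule is what turns the "no hit" case into an explicit ICMP error, and without it the policy decides. On `iptables -F`: it deletes every rule and leaves the policies as they are, so after it the server has no packet filter at all, and the closed ports in the scan are closed only because nothing listens on them. On CentOS with iptables-services the rules in /etc/sysconfig/iptables are loaded at boot, which is where a permanent port 80 and SSH rule belongs instead of the flush in rc.local. The port numbers are assumptions; the file is printed to stdout by default so it can be reviewed before being installed.

```shell
#!/bin/sh
# Added example, not from any of the posts: a persistent ruleset in
# iptables-restore format, the file format used by /etc/sysconfig/iptables.
# SSH_PORT and HTTP_PORT are assumed values; set SSH_PORT to the moved port.
SSH_PORT=${SSH_PORT:-2222}
HTTP_PORT=${HTTP_PORT:-80}

# Lines starting with '#' are ignored by iptables-restore, so the comments
# can stay in the installed file.
ruleset() {
    cat <<EOF
*filter
# Policies apply only to packets that matched no rule in the chain.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and related traffic (ICMP errors).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# "-p tcp" loads the tcp match module; --dport belongs to it, which is why
# iptables-save writes "-m tcp" explicitly. --state NEW limits the rule to
# the first packet of a connection; later packets hit the rule above.
-A INPUT -p tcp -m state --state NEW -m tcp --dport ${HTTP_PORT} -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport ${SSH_PORT} -j ACCEPT
# First match wins, so this catches everything the rules above did not:
# the sender gets an ICMP error instead of a silent drop from the policy.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Number of rules (-A lines) in the generated INPUT chain.
input_rule_count() { ruleset | grep -c '^-A INPUT'; }

# Write the file where iptables-services loads it from at boot; the path is
# a parameter so the output can be inspected in a temporary file first.
install_ruleset() {
    target=${1:-/etc/sysconfig/iptables}
    ruleset > "$target"
    # Afterwards: iptables-restore < "$target" (or: systemctl restart iptables)
    # and delete the "iptables -F" line from rc.local.
}

ruleset
```

Run `sh rules.sh` to see the file, `sh rules.sh > /tmp/iptables.test && iptables-restore --test /tmp/iptables.test` to let iptables check the syntax, then install it with `install_ruleset` as root. Keep an SSH session open while loading a new ruleset and verify the moved port with `iptables -L INPUT -v -n` before closing it.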
Can someone please help me to install the Gartoon Redux 1.11 icons on my laptop? I already downloaded the file, but I'm having trouble getting the package installed. So if someone could help, that would be great.
So far I've tried the following to install the package:
Downloads/Gartoon Redux 1.11/./configure
Downloads.Gartoon Redux 1.11/./configure make
Information about my system:
I'm running Puppy Linux Tahrpup 6.0.
Thank you for your help