Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
Date: Wed, 02 Jan 2013 19:04:05
Message-Id: 201301021902.22880.michaelkintzios@gmail.com
In Reply to: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)? by Tanstaafl
On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote:
> Hi all,
>
> This has been bugging me for a while...
>
> I've googled, and can't seem to find a definitive answer to this
> question...
>
> Lots of references to the Mangle table, but nothing that really explains
> what this table is or does, and when or why I would want/need it.
>
> Currently, I have this in my rules (since forever, honestly don't even
> remember where it came from):
>
> *mangle
>
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
>
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011
>
> This is on a mail/web server with a static IP, it does not do any NAT
> and does not act as a perimeter firewall, it only protects itself...
>
> Thanks for any pointers to tfm that explains this if there is one, or
> just for a simple explanation if not...

The rules you show above do not do any mangling. They just filter out packets
during prerouting with certain tcp flags. You would mangle packets if you
needed to change some headers, e.g. ToS field and TTL. You could also set a
MARK value so that you can thereafter process the MARK'ed packet accordingly
(e.g. limit bandwidth for such packets, or do some fancy routing for them).

If you have a look at 'man iptables-extensions', it gives some examples of
using -t mangle.

I haven't looked in Google recently, but there should be some examples there
too.
--
Regards,
Mick
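As an added illustration of Mick's point (not code from either poster), the following script parses the *mangle section of iptables-save output and separates rules whose target actually rewrites the packet (TOS, TTL, MARK and friends) from rules that only issue a filter verdict. The sample table is constructed for this example: it repeats the four TCP-flag rules from the question and adds three rules of the kind Mick describes; interface names and port numbers in those rules are arbitrary.

```python
import re

# Constructed sample in iptables-save format (not taken from the thread): the poster's
# four TCP-flag filter rules plus three rules that genuinely mangle (TOS, MARK, TTL).
SAMPLE_MANGLE_TABLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
-A POSTROUTING -o eth0 -j TTL --ttl-set 64
COMMIT
"""

# Targets that rewrite the packet or its kernel metadata: the mangle table's real job.
MANGLING_TARGETS = {"TOS", "TTL", "MARK", "DSCP", "CONNMARK", "CLASSIFY"}
# Terminal verdicts: the kernel accepts them in *mangle, but they only filter.
FILTER_VERDICTS = {"DROP", "ACCEPT", "REJECT", "RETURN"}
RULE_RE = re.compile(r"^-A (?P<chain>\S+) .*?-j (?P<target>\S+)")


def classify_mangle_rules(save_text):
    """Return (chain, target, kind) for each -A rule in the *mangle section; kind is
    'mangle', 'filter' or 'other'."""
    results, in_mangle = [], False
    for line in save_text.splitlines():
        if line.startswith("*"):           # table header, e.g. *mangle / *filter
            in_mangle = line == "*mangle"
            continue
        m = RULE_RE.match(line) if in_mangle else None
        if not m:
            continue
        target = m.group("target")
        kind = ("mangle" if target in MANGLING_TARGETS
                else "filter" if target in FILTER_VERDICTS else "other")
        results.append((m.group("chain"), target, kind))
    return results


def misplaced_filter_rules(save_text):
    """Rules in *mangle that only drop/accept: the situation in the question above."""
    return [r for r in classify_mangle_rules(save_text) if r[2] == "filter"]
```

Run against a real `iptables-save` dump, `misplaced_filter_rules` lists exactly the rules that would be clearer in the filter table.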

Attachments

File name MIME type
smime.p7s application/pkcs7-signature

Replies

Subject Author
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)? Tanstaafl <tanstaafl@×××××××××××.org>