From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
Date: Wed, 2 Jan 2013 19:01:58 +0000
Message-ID: <201301021902.22880.michaelkintzios@gmail.com>
In-Reply-To: <50E43853.20203@libertytrek.org>
On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote:
> Hi all,
>
> This has been bugging me for a while...
>
> I've googled, and can't seem to find a definitive answer to this
> question...
>
> Lots of references to the Mangle table, but nothing that really explains
> what this table is or does, and when or why I would want/need it.
>
> Currently, I have this in my rules (since forever, honestly don't even
> remember where it came from):
>
> *mangle
>
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
>
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011
>
> This is on a mail/web server with a static IP, it does not do any NAT
> and does not act as a perimeter firewall, it only protects itself...
>
> Thanks for any pointers to tfm that explains this if there is one, or
> just for a simple explanation if not...
The rules you show above do not do any mangling. They just filter out packets
during prerouting with certain TCP flags. You would mangle packets if you
needed to change some headers, e.g. the ToS field and TTL. You could also set a
MARK value so that you can thereafter process the MARKed packet accordingly
(e.g. limit bandwidth for such packets, or do some fancy routing for them).
If you have a look at 'man iptables-extensions' it gives some examples of
using -t mangle.
I haven't looked in Google recently, but there should be some examples there
too.
--
Regards,
Mick
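The distinction made in the reply above (a verdict such as DROP in the mangle table is still only filtering; mangling means a target that rewrites a header field or attaches a mark) can be checked mechanically against an iptables-save dump. The script below is an added example, not code from the original thread or from Gentoo. Its SAMPLE_DUMP is constructed: the four DROP rules are the ones quoted in the original post, while the MARK, TOS and TTL rules and the filter table are invented to show what real mangling looks like. The target lists are an assumption about which targets count as mangling; extend them for your kernel.

```python
"""Classify the rules in an iptables-save dump by whether they actually
mangle packets (added example; the sample dump is constructed)."""
import re
from dataclasses import dataclass

# Targets that rewrite the packet or its kernel metadata: real mangling.
# Assumed list, taken from the common iptables-extensions targets.
MANGLE_TARGETS = {
    "MARK", "CONNMARK", "SECMARK", "CONNSECMARK", "CLASSIFY",
    "TOS", "DSCP", "ECN", "TTL", "HL", "TCPMSS", "TPROXY",
}
# Targets that only decide a packet's fate: plain filtering.
VERDICT_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}

SAMPLE_DUMP = """\
# Constructed sample in iptables-save format
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 22 -j MARK --set-mark 0x1
-A OUTPUT -p udp -m udp --dport 53 -j TOS --set-tos 0x10
-A POSTROUTING -o eth0 -j TTL --ttl-set 64
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    table: str
    chain: str
    target: str
    text: str

    @property
    def mangles(self) -> bool:
        return self.target in MANGLE_TARGETS

    @property
    def verdict_only(self) -> bool:
        return self.target in VERDICT_TARGETS


def parse_save(dump: str) -> list[Rule]:
    """Parse the subset of iptables-save syntax needed here: '*table'
    headers, ':CHAIN POLICY [pkts:bytes]' lines and '-A CHAIN ...' rules."""
    table = None
    rules = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        m = re.match(r"-A\s+(\S+)\s+(.*)$", line)
        if not m or table is None:
            continue  # ignore anything that is not an append rule
        chain, rest = m.groups()
        t = re.search(r"(?:-j|--jump)\s+(\S+)", rest)
        target = t.group(1) if t else "(none)"
        rules.append(Rule(table, chain, target, line))
    return rules


def misplaced_filter_rules(dump: str) -> list[str]:
    """Rules in the mangle table whose target is only a verdict. They do
    work (mangle PREROUTING is traversed before filter INPUT), but they
    mangle nothing and belong in the filter table for clarity."""
    return [r.text for r in parse_save(dump)
            if r.table == "mangle" and r.verdict_only]


def mangling_rules(dump: str) -> list[tuple[str, str]]:
    """(chain, target) for every rule that really rewrites the packet."""
    return [(r.chain, r.target) for r in parse_save(dump) if r.mangles]


if __name__ == "__main__":
    for text in misplaced_filter_rules(SAMPLE_DUMP):
        print("filter-only rule in mangle table:", text)
    for chain, target in mangling_rules(SAMPLE_DUMP):
        print(f"mangling in {chain}: {target}")
```

Run it against your own ruleset with `iptables-save | python3 audit.py`-style piping once you swap SAMPLE_DUMP for `sys.stdin.read()`. On the quoted ruleset it reports all four --tcp-flags rules as filter-only and nothing as mangling, which is exactly the reply's point.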
2013-01-02 13:38 [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)? Tanstaafl
2013-01-02 18:53 ` Michael Orlitzky
2013-01-03 3:50 ` Pandu Poluan
2013-01-02 19:01 ` Mick [this message]
2013-01-02 19:47 ` Tanstaafl
2013-01-03 0:14 ` Mick
2013-01-03 11:19 ` Tanstaafl