From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
Date: Wed, 2 Jan 2013 19:01:58 +0000
In-Reply-To: <50E43853.20203@libertytrek.org>
Message-Id: <201301021902.22880.michaelkintzios@gmail.com>

On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote:
> Hi all,
>
> This has been bugging me for a while...
>
> I've googled, and can't seem to find a definitive answer to this
> question...
>
> Lots of references to the Mangle table, but nothing that really explains
> what this table is or does, and when or why I would want/need it.
>
> Currently, I have this in my rules (since forever, honestly don't even
> remember where it came from):
>
> *mangle
>
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
>
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011
>
> This is on a mail/web server with a static IP, it does not do any NAT
> and does not act as a perimeter firewall, it only protects itself...
>
> Thanks for any pointers to tfm that explains this if there is one, or
> just for a simple explanation if not...

The rules you show above do not do any mangling. They just filter out packets
during prerouting with certain tcp flags. You would mangle packets if you
needed to change some headers, e.g. ToS field and TTL. You could also set a
MARK value so that you can thereafter process the MARK'ed packet accordingly
(e.g. limit bandwidth for such packets, or do some fancy routing for them).

If you have a look at 'man iptables-extensions' it gives some examples of
using -t mangle.

I haven't looked in Google recently, but there should be some examples there
too.
-- 
Regards,
Mick
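An added example (mine, not code from the thread, from Gentoo or from the netfilter project) that shows both points of the reply above. The first half is a small sh emulation of the --tcp-flags match, so the four posted PREROUTING rules can be run against sample flag combinations and seen to be plain filters for scan signatures (Xmas, null, SYN/FIN, SYN/RST) rather than anything that rewrites a packet. The second half emits a ruleset that really does mangle (MARK, TOS and TTL targets) together with the ip rule / ip route commands that give a mark its meaning. The addresses 192.0.2.10 and 198.51.100.1, the interfaces eth0 and eth1, mark 0x10 and routing table 100 are placeholders I chose, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Gentoo/netfilter project.
# Part 1 emulates iptables' --tcp-flags match so you can see what the posted
# mangle PREROUTING rules really do: DROP flag combinations that no legitimate
# TCP segment carries (filtering, not mangling).
# Part 2 emits a ruleset that does mangle (MARK, TOS, TTL) plus the ip(8)
# commands that act on the mark. Addresses, interfaces, mark and table number
# are assumed placeholders.

# TCP flag bits as they sit in the TCP header (the names iptables uses).
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32

# flagset "FIN,PSH,URG" -> 41: comma-separated flag list to bitmask.
# ALL and NONE are accepted, as iptables accepts them.
flagset() {
  total=0
  old_ifs=$IFS
  IFS=,
  for name in $1; do
    case $name in
      FIN) total=$((total | FIN)) ;;
      SYN) total=$((total | SYN)) ;;
      RST) total=$((total | RST)) ;;
      PSH) total=$((total | PSH)) ;;
      ACK) total=$((total | ACK)) ;;
      URG) total=$((total | URG)) ;;
      ALL) total=63 ;;
      NONE) total=0 ;;
      *) IFS=$old_ifs; echo "flagset: unknown flag $name" >&2; return 2 ;;
    esac
  done
  IFS=$old_ifs
  echo "$total"
}

# tcp_flags_match MASK COMP PKT: semantics of "--tcp-flags MASK COMP".
# Only the bits named in MASK are examined; of those, exactly the bits in
# COMP must be set. Bits outside MASK are ignored, which is why
# "--tcp-flags SYN,RST SYN,RST" also catches SYN+RST+ACK. Exit 0 on match.
tcp_flags_match() {
  mask=$(flagset "$1") || return 2
  comp=$(flagset "$2") || return 2
  pkt_bits=$(flagset "$3") || return 2
  [ $((pkt_bits & mask)) -eq "$comp" ]
}

# The four rules from the question, as MASK:COMP pairs; every one is -j DROP.
POSTED_RULES="FIN,SYN,RST,PSH,ACK,URG:FIN,PSH,URG
FIN,SYN,RST,PSH,ACK,URG:NONE
SYN,RST:SYN,RST
FIN,SYN:FIN,SYN"

# verdict PKTFLAGS -> prints DROP if any posted rule matches, else ACCEPT.
verdict() {
  for rule in $POSTED_RULES; do
    if tcp_flags_match "${rule%%:*}" "${rule#*:}" "$1"; then
      echo DROP
      return 0
    fi
  done
  echo ACCEPT
}

# Part 2: rules that actually mangle, in iptables-restore(8) format.
# Assumed scenario (placeholders): traffic to 192.0.2.10 must leave via a
# second uplink, so it is MARKed in OUTPUT and policy-routed; SSH gets a
# low-delay TOS; the outgoing TTL is normalised on eth0.
mangle_ruleset() {
  cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# MARK leaves the packet unchanged on the wire; the mark is read by ip rule
-A OUTPUT -d 192.0.2.10/32 -j MARK --set-mark 0x10
# TOS rewrites the IP header: this is what "mangling" means
-A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay
# TTL is also a header rewrite; the TTL target is only valid in the mangle table
-A POSTROUTING -o eth0 -j TTL --ttl-set 64
COMMIT
EOF
}

# The iproute2 half: without it a MARK changes nothing about where packets go.
policy_routing_commands() {
  cat <<'EOF'
ip route add default via 198.51.100.1 dev eth1 table 100
ip rule add fwmark 0x10 lookup 100
EOF
}

# Demo: run the posted rules against a few flag combinations.
for sample in SYN SYN,ACK PSH,ACK FIN,ACK FIN,PSH,URG NONE SYN,FIN SYN,RST,ACK; do
  printf '%-12s %s\n' "$sample" "$(verdict "$sample")"
done
```

Run it with sh to see the verdicts: the ordinary handshake and data segments (SYN, SYN/ACK, PSH/ACK, FIN/ACK) pass and only the nonsensical combinations are dropped. `mangle_ruleset | iptables-restore --test` syntax-checks the mangle part without loading it. On a host that does not forward, the four posted DROP rules would work unchanged in the filter table's INPUT chain, which is where a host-only firewall normally keeps them; the mangle table only has to be involved when a header or a mark is actually being changed.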