[gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
From: Tanstaafl @ 2013-01-02 13:38 UTC
To: gentoo-user

Hi all,

This has been bugging me for a while...

I've googled, and can't seem to find a definitive answer to this question...

Lots of references to the Mangle table, but nothing that really explains what this table is or does, and when or why I would want/need it.

Currently, I have this in my rules (since forever, honestly don't even remember where it came from):

*mangle
:PREROUTING ACCEPT [1378800222:449528056411]
:INPUT ACCEPT [1363738727:447358082301]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1221121261:1103241097263]
:POSTROUTING ACCEPT [1221116979:1103240864155]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Sun Dec 11 14:11:01 2011

This is on a mail/web server with a static IP, it does not do any NAT and does not act as a perimeter firewall, it only protects itself...

Thanks for any pointers to tfm that explains this if there is one, or just for a simple explanation if not...
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
From: Michael Orlitzky @ 2013-01-02 18:53 UTC
To: gentoo-user

On 01/02/13 08:38, Tanstaafl wrote:
> Hi all,
>
> This has been bugging me for a while...
>
> I've googled, and can't seem to find a definitive answer to this
> question...
>
> Lots of references to the Mangle table, but nothing that really explains
> what this table is or does, and when or why I would want/need it.
>

It allows you to mangle the low level bits of a packet. You only need it for routing gymnastics.

> Currently, I have this in my rules (since forever, honestly don't even
> remember where it came from):
>
> *mangle
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011
>

The PREROUTING table happens before the routing decision is made. So those rules happen before the network stack decides what to do with a packet.

Suppose, for example, that you forward all packets from your LAN to wherever they're supposed to go. You might want to alter the source IP of VPN traffic (which a priori is not from the LAN interface) so that it appears to come from the LAN before you decide whether or not to forward it.

The POSTROUTING table is similar, only it happens after the packet's destination is set in stone. So you can, say, change the source IP address in the packet and still have it routed wherever it was going to go originally.

> This is on a mail/web server with a static IP, it does not do any NAT
> and does not act as a perimeter firewall, it only protects itself...
>
> Thanks for any pointers to tfm that explains this if there is one, or
> just for a simple explanation if not...
>

I don't know what you were trying to do there, but it doesn't sound like you need it. You might have been trying to block packets in an invalid state. If so, consider using conntrack's --ctstate INVALID to drop them instead.
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
From: Pandu Poluan @ 2013-01-03 3:50 UTC
To: gentoo-user

On Jan 3, 2013 1:57 AM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 01/02/13 08:38, Tanstaafl wrote:
> > Hi all,
> >
> > This has been bugging me for a while...
> >
> > I've googled, and can't seem to find a definitive answer to this
> > question...
> >
> > Lots of references to the Mangle table, but nothing that really explains
> > what this table is or does, and when or why I would want/need it.
> >
>
> It allows you to mangle the low level bits of a packet. You only need it
> for routing gymnastics.
>
> > Currently, I have this in my rules (since forever, honestly don't even
> > remember where it came from):
> >
> > *mangle
> > :PREROUTING ACCEPT [1378800222:449528056411]
> > :INPUT ACCEPT [1363738727:447358082301]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [1221121261:1103241097263]
> > :POSTROUTING ACCEPT [1221116979:1103240864155]
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> > COMMIT
> > # Completed on Sun Dec 11 14:11:01 2011
> >
>
> The PREROUTING table happens before the routing decision is made. So
> those rules happen before the network stack decides what to do with a
> packet.
>
> Suppose, for example, that you forward all packets from your LAN to
> wherever they're supposed to go. You might want to alter the source IP
> of VPN traffic (which a priori is not from the LAN interface) so that it
> appears to come from the LAN before you decide whether or not to forward it.
>
> The POSTROUTING table is similar, only it happens after the packet's
> destination is set in stone. So you can, say, change the source IP
> address in the packet and still have it routed wherever it was going to
> go originally.
>
> > This is on a mail/web server with a static IP, it does not do any NAT
> > and does not act as a perimeter firewall, it only protects itself...
> >
> > Thanks for any pointers to tfm that explains this if there is one, or
> > just for a simple explanation if not...
> >
>
> I don't know what you were trying to do there, but it doesn't sound like
> you need it. You might have been trying to block packets in an invalid
> state. If so, consider using conntrack's --ctstate INVALID to drop them
> instead.
>

Just to add some references...

When dealing with iptables (and its kissing cousin, ebtables), I always find these diagrams to be most helpful:

Definitive: http://www.wenzk.net/bbs/attachments/PacketFlow_BTgdX6im2Scu.png

Complementary: http://linux-ip.net/nf/nfk-traversal.png

Rgds,
--
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
From: Mick @ 2013-01-02 19:01 UTC
To: gentoo-user

On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote:
> Hi all,
>
> This has been bugging me for a while...
>
> I've googled, and can't seem to find a definitive answer to this
> question...
>
> Lots of references to the Mangle table, but nothing that really explains
> what this table is or does, and when or why I would want/need it.
>
> Currently, I have this in my rules (since forever, honestly don't even
> remember where it came from):
>
> *mangle
>
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
>
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011
>
> This is on a mail/web server with a static IP, it does not do any NAT
> and does not act as a perimeter firewall, it only protects itself...
>
> Thanks for any pointers to tfm that explains this if there is one, or
> just for a simple explanation if not...

The rules you show above do not do any mangling. They just filter out packets during prerouting with certain tcp flags. You would mangle packets if you needed to change some headers, e.g. ToS field and TTL. You could also set a MARK value so that you can thereafter process the MARK'ed packet accordingly (e.g. limit bandwidth for such packets, or do some fancy routing for them).

If you have a look at 'man iptables-extensions' it gives some examples of using -t mangle.

I haven't looked in Google recently, but there should be some examples there too.

--
Regards,
Mick
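As an added illustration, not part of the thread, the following Python models iptables' `--tcp-flags mask comp` match (of the flags named in `mask`, exactly those named in `comp` must be set) and runs the four PREROUTING rules from the original post against every combination of the six classic TCP flags. It shows concretely what Mick describes above: the rules only filter on flag patterns, and each one catches a narrow, fixed pattern. The flag bit values are the TCP header ones; the rule list is copied from the post; nothing here touches a real kernel.

```python
"""Model of iptables' ``--tcp-flags mask comp`` match.

Added example for the thread, not code from it. It evaluates the four
PREROUTING rules from the original post against all 64 combinations of
the six classic TCP flags and reports the verdict the chain would give.
"""

# TCP flag bits as laid out in the TCP header (and as iptables names them).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# iptables keywords: ALL is the six flags above, NONE is the empty set.
ALL = sum(FLAGS.values())


def parse_flags(spec: str) -> int:
    """Turn an iptables flag list ('SYN,ACK', 'ALL', 'NONE') into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL
    if spec in ("NONE", ""):
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAGS[name.strip()]  # KeyError on an unknown flag name, as iptables would reject it
    return bits


def tcp_flags_match(mask: str, comp: str, packet_flags: int) -> bool:
    """--tcp-flags mask comp: of the flags in *mask*, exactly those in *comp* must be set."""
    return (packet_flags & parse_flags(mask)) == parse_flags(comp)


# The four rules from the original post as (mask, comp); each jumps to DROP.
RULES = [
    ("FIN,SYN,RST,PSH,ACK,URG", "FIN,PSH,URG"),  # the "Xmas" combination, and only that
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"),         # no flags set at all ("NULL")
    ("SYN,RST", "SYN,RST"),                      # SYN and RST together, other flags ignored
    ("FIN,SYN", "FIN,SYN"),                      # SYN and FIN together, other flags ignored
]


def verdict(packet_flags: str) -> str:
    """Walk the chain top to bottom: the first matching rule drops, else the ACCEPT policy applies."""
    bits = parse_flags(packet_flags)
    for mask, comp in RULES:
        if tcp_flags_match(mask, comp, bits):
            return "DROP"
    return "ACCEPT"


def flags_to_str(bits: int) -> str:
    """Inverse of parse_flags, for readable output."""
    return ",".join(name for name, bit in FLAGS.items() if bits & bit) or "NONE"


def dropped_combinations() -> list:
    """Every one of the 64 flag combinations that the four rules would drop."""
    return [flags_to_str(b) for b in range(ALL + 1) if verdict(flags_to_str(b)) == "DROP"]


if __name__ == "__main__":
    samples = ["SYN", "SYN,ACK", "ACK,PSH", "NONE", "FIN,PSH,URG",
               "FIN,PSH,URG,ACK", "SYN,RST", "FIN,SYN,ACK"]
    for sample in samples:
        print(f"{sample:>16}: {verdict(sample)}")
    dropped = dropped_combinations()
    print(f"{len(dropped)} of {ALL + 1} flag combinations are dropped")
```

Running it shows the narrowness of the first two rules: because their mask covers all six flags, they match only the exact FIN,PSH,URG and all-zero patterns, so the same three flags with ACK added pass straight through, while the SYN,RST and FIN,SYN rules ignore the other four bits and so match 16 combinations each. That fixed-pattern character is why Michael's suggestion in this thread of conntrack's --ctstate INVALID, which judges a packet against tracked connection state rather than a flag template, is the more general way to discard malformed traffic on a host that only protects itself.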
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
From: Tanstaafl @ 2013-01-02 19:47 UTC
To: gentoo-user

On 2013-01-02 2:01 PM, Mick <michaelkintzios@gmail.com> wrote:
> If you have a look at 'man iptables-extensions' it gives some examples of
> using -t mangle.
>
> I haven't looked in Google recently, but there should be some examples there
> too.

Oh, ok - so, if I don't have any rules that use the 'mangle' command, then I can safely remove mangle support from my kernel and lose the mangle table altogether?

Thanks guys...
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
From: Mick @ 2013-01-03 0:14 UTC
To: gentoo-user

On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote:
> On 2013-01-02 2:01 PM, Mick <michaelkintzios@gmail.com> wrote:
> > If you have a look at 'man iptables-extensions' it gives some examples of
> > using -t mangle.
> >
> > I haven't looked in Google recently, but there should be some examples
> > there too.
>
> Oh, ok - so, if I don't have any rules that use the 'mangle' command,
> then I can safely remove mangle support from my kernel and lose the
> mangle table altogether?
>
> Thanks guys...

Yes, I would think so. You can build it as a module anyway and un/not load it to see if iptables starts up without errors.

--
Regards,
Mick
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
From: Tanstaafl @ 2013-01-03 11:19 UTC
To: gentoo-user

On 2013-01-02 7:14 PM, Mick <michaelkintzios@gmail.com> wrote:
> On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote:
>> Oh, ok - so, if I don't have any rules that use the 'mangle' command,
>> then I can safely remove mangle support from my kernel and lose the
>> mangle table altogether?
> Yes, I would think so. You can build it as a module anyway and un/not load it
> to see if iptables starts up without errors.

This is a server, so no modules support at all...

But no worries, I always keep my previous kernel when upgrading, so if something doesn't work right, I just reboot back to the previous one... it has saved me more than a few times...

Thanks again