public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
@ 2013-01-02 13:38 Tanstaafl
  2013-01-02 18:53 ` Michael Orlitzky
  2013-01-02 19:01 ` Mick
  0 siblings, 2 replies; 7+ messages in thread
From: Tanstaafl @ 2013-01-02 13:38 UTC (permalink / raw
  To: gentoo-user

Hi all,

This has been bugging me for a while...

I've googled, and can't seem to find a definitive answer to this question...

Lots of references to the Mangle table, but nothing that really explains 
what this table is or does, and when or why I would want/need it.

Currently, I have this in my rules (since forever, honestly don't even 
remember where it came from):

*mangle
:PREROUTING ACCEPT [1378800222:449528056411]
:INPUT ACCEPT [1363738727:447358082301]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1221121261:1103241097263]
:POSTROUTING ACCEPT [1221116979:1103240864155]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG 
FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Sun Dec 11 14:11:01 2011

This is on a mail/web server with a static IP, it does not do any NAT 
and does not act as a perimeter firewall, it only protects itself...

Thanks for any pointers to tfm that explains this if there is one, or 
just for a simple explanation if not...


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
  2013-01-02 13:38 [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)? Tanstaafl
@ 2013-01-02 18:53 ` Michael Orlitzky
  2013-01-03  3:50   ` Pandu Poluan
  2013-01-02 19:01 ` Mick
  1 sibling, 1 reply; 7+ messages in thread
From: Michael Orlitzky @ 2013-01-02 18:53 UTC (permalink / raw
  To: gentoo-user

On 01/02/13 08:38, Tanstaafl wrote:
> Hi all,
> 
> This has been bugging me for a while...
> 
> I've googled, and can't seem to find a definitive answer to this
> question...
> 
> Lots of references to the Mangle table, but nothing that really explains
> what this table is or does, and when or why I would want/need it.
> 

It allows you to mangle the low level bits of a packet. You only need it
for routing gymnastics.


> Currently, I have this in my rules (since forever, honestly don't even
> remember where it came from):
> 
> *mangle
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j
> DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011
> 

The PREROUTING table happens before the routing decision is made. So
those rules happen before the network stack decides what to do with a
packet.

Suppose, for example, that you forward all packets from your LAN to
wherever they're supposed to go. You might want to alter the source IP
of VPN traffic (which a priori is not from the LAN interface) so that it
appears to come from the LAN before you decide whether or not to forward it.

The POSTROUTING table is similar, only it happens after the packet's
destination is set in stone. So you can, say, change the source IP
address in the packet and still have it routed wherever it was going to
go originally.


> This is on a mail/web server with a static IP, it does not do any NAT
> and does not act as a perimeter firewall, it only protects itself...
> 
> Thanks for any pointers to tfm that explains this if there is one, or
> just for a simple explanation if not...
> 

I don't know what you were trying to do there, but it doesn't sound like
you need it. You might have been trying to block packets in an invalid
state. If so, consider using conntrack's --ctstate INVALID to drop them
instead.


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
  2013-01-02 13:38 [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)? Tanstaafl
  2013-01-02 18:53 ` Michael Orlitzky
@ 2013-01-02 19:01 ` Mick
  2013-01-02 19:47   ` Tanstaafl
  1 sibling, 1 reply; 7+ messages in thread
From: Mick @ 2013-01-02 19:01 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: Text/Plain, Size: 1915 bytes --]

On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote:
> Hi all,
> 
> This has been bugging me for a while...
> 
> I've googled, and can't seem to find a definitive answer to this
> question...
> 
> Lots of references to the Mangle table, but nothing that really explains
> what this table is or does, and when or why I would want/need it.
> 
> Currently, I have this in my rules (since forever, honestly don't even
> remember where it came from):
> 
> *mangle
> 
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
> 
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j
> DROP -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011
> 
> This is on a mail/web server with a static IP, it does not do any NAT
> and does not act as a perimeter firewall, it only protects itself...
> 
> Thanks for any pointers to tfm that explains this if there is one, or
> just for a simple explanation if not...

The rules you show above do not do any mangling.  They just filter out packets 
during prerouting with certain tcp flags.  You would mangle packets if you 
needed to change some headers, e.g. ToS field and TTL.  You could also set a 
MARK value so that you can thereafter process the MARK'ed packet accordingly 
(e.g. limit bandwidth for such packets, or do some fancy routing for them)

If you have a look at 'man iptables-extensions' it gives some examples of 
using -t mangle.

I haven't looked in Google recently, but there should be some examples there 
too.
-- 
Regards,
Mick

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 3898 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
  2013-01-02 19:01 ` Mick
@ 2013-01-02 19:47   ` Tanstaafl
  2013-01-03  0:14     ` Mick
  0 siblings, 1 reply; 7+ messages in thread
From: Tanstaafl @ 2013-01-02 19:47 UTC (permalink / raw
  To: gentoo-user

On 2013-01-02 2:01 PM, Mick <michaelkintzios@gmail.com> wrote:
> If you have a look at 'man iptables-extensions' it gives some examples of
> using -t mangle.
>
> I haven't looked in Google recently, but there should be some examples there
> too.

Oh, ok - so, if I don't have any rules that use the 'mangle' command, 
then I can safely remove mangle support from my kernel and lose the 
mangle table altogether?

Thanks guys...


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
  2013-01-02 19:47   ` Tanstaafl
@ 2013-01-03  0:14     ` Mick
  2013-01-03 11:19       ` Tanstaafl
  0 siblings, 1 reply; 7+ messages in thread
From: Mick @ 2013-01-03  0:14 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: Text/Plain, Size: 665 bytes --]

On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote:
> On 2013-01-02 2:01 PM, Mick <michaelkintzios@gmail.com> wrote:
> > If you have a look at 'man iptables-extensions' it gives some examples of
> > using -t mangle.
> > 
> > I haven't looked in Google recently, but there should be some examples
> > there too.
> 
> Oh, ok - so, if I don't have any rules that use the 'mangle' command,
> then I can safely remove mangle support from my kernel and lose the
> mangle table altogether?
> 
> Thanks guys...

Yes, I would think so.  You can build it as a module anyway and un/not load it 
to see if iptables starts up without errors.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
  2013-01-02 18:53 ` Michael Orlitzky
@ 2013-01-03  3:50   ` Pandu Poluan
  0 siblings, 0 replies; 7+ messages in thread
From: Pandu Poluan @ 2013-01-03  3:50 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 2728 bytes --]

On Jan 3, 2013 1:57 AM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 01/02/13 08:38, Tanstaafl wrote:
> > Hi all,
> >
> > This has been bugging me for a while...
> >
> > I've googled, and can't seem to find a definitive answer to this
> > question...
> >
> > Lots of references to the Mangle table, but nothing that really explains
> > what this table is or does, and when or why I would want/need it.
> >
>
> It allows you to mangle the low level bits of a packet. You only need it
> for routing gymnastics.
>
>
> > Currently, I have this in my rules (since forever, honestly don't even
> > remember where it came from):
> >
> > *mangle
> > :PREROUTING ACCEPT [1378800222:449528056411]
> > :INPUT ACCEPT [1363738727:447358082301]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [1221121261:1103241097263]
> > :POSTROUTING ACCEPT [1221116979:1103240864155]
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> > FIN,PSH,URG -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j
> > DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> > COMMIT
> > # Completed on Sun Dec 11 14:11:01 2011
> >
>
> The PREROUTING table happens before the routing decision is made. So
> those rules happen before the network stack decides what to do with a
> packet.
>
> Suppose, for example, that you forward all packets from your LAN to
> wherever they're supposed to go. You might want to alter the source IP
> of VPN traffic (which a priori is not from the LAN interface) so that it
> appears to come from the LAN before you decide whether or not to forward
it.
>
> The POSTROUTING table is similar, only it happens after the packet's
> destination is set in stone. So you can, say, change the source IP
> address in the packet and still have it routed wherever it was going to
> go originally.
>
>
> > This is on a mail/web server with a static IP, it does not do any NAT
> > and does not act as a perimeter firewall, it only protects itself...
> >
> > Thanks for any pointers to tfm that explains this if there is one, or
> > just for a simple explanation if not...
> >
>
> I don't know what you were trying to do there, but it doesn't sound like
> you need it. You might have been trying to block packets in an invalid
> state. If so, consider using conntrack's --ctstate INVALID to drop them
> instead.
>

Just to add some references...

When dealing with iptables (and its kissing cousin, ebtables), I always
find these diagrams to be most helpful:

Definitive: http://www.wenzk.net/bbs/attachments/PacketFlow_BTgdX6im2Scu.png

Complementary: http://linux-ip.net/nf/nfk-traversal.png

Rgds,
--

[-- Attachment #2: Type: text/html, Size: 3548 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
  2013-01-03  0:14     ` Mick
@ 2013-01-03 11:19       ` Tanstaafl
  0 siblings, 0 replies; 7+ messages in thread
From: Tanstaafl @ 2013-01-03 11:19 UTC (permalink / raw
  To: gentoo-user

On 2013-01-02 7:14 PM, Mick <michaelkintzios@gmail.com> wrote:
> On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote:
>> Oh, ok - so, if I don't have any rules that use the 'mangle' command,
>> then I can safely remove mangle support from my kernel and lose the
>> mangle table altogether?

> Yes, I would think so.  You can build it as a module anyway and un/not load it
> to see if iptables starts up without errors.

This is a server, so no modules support at all...

But no worries, I always keep my previous kernel when upgrading, so if 
something doesn't work right, I just reboot back to the previous one... 
it has saved me more than a few times...

Thanks again


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2013-01-03 11:21 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-02 13:38 [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)? Tanstaafl
2013-01-02 18:53 ` Michael Orlitzky
2013-01-03  3:50   ` Pandu Poluan
2013-01-02 19:01 ` Mick
2013-01-02 19:47   ` Tanstaafl
2013-01-03  0:14     ` Mick
2013-01-03 11:19       ` Tanstaafl

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox