* Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
From: Mick @ 2013-01-02 19:01 UTC
To: gentoo-user
On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote:
> Hi all,
>
> This has been bugging me for a while...
>
> I've googled, and can't seem to find a definitive answer to this
> question...
>
> Lots of references to the Mangle table, but nothing that really explains
> what this table is or does, and when or why I would want/need it.
>
> Currently, I have this in my rules (since forever, honestly don't even
> remember where it came from):
>
> *mangle
>
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
>
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011
>
> This is on a mail/web server with a static IP, it does not do any NAT
> and does not act as a perimeter firewall, it only protects itself...
>
> Thanks for any pointers to tfm that explains this if there is one, or
> just for a simple explanation if not...

The rules you show above do not do any mangling. They just filter out packets
during prerouting with certain tcp flags. You would mangle packets if you
needed to change some headers, e.g. ToS field and TTL. You could also set a
MARK value so that you can thereafter process the MARK'ed packet accordingly
(e.g. limit bandwidth for such packets, or do some fancy routing for them).

If you have a look at 'man iptables-extensions' it gives some examples of
using -t mangle.

I haven't looked in Google recently, but there should be some examples there
too.
--
Regards,
Mick
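
The following is an added example, not part of the original message or of iptables itself: a small Python model of the `--tcp-flags <mask> <comp>` match, applied to the four PREROUTING rules quoted above, showing which flag combinations they drop. The function names and the sample packets are constructed for illustration.

```python
# Added illustration: models the iptables "--tcp-flags <mask> <comp>" match
# for the four PREROUTING rules quoted in the thread. Names are hypothetical.
ALL_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}

# (mask, comp) pairs copied from the quoted ruleset, in rule order.
RULES = [
    ("FIN,SYN,RST,PSH,ACK,URG", "FIN,PSH,URG"),
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"),
    ("SYN,RST", "SYN,RST"),
    ("FIN,SYN", "FIN,SYN"),
]

def parse_flags(spec):
    """Turn 'FIN,SYN', 'NONE' or 'ALL' into a set of flag names."""
    if spec == "NONE":
        return set()
    if spec == "ALL":
        return set(ALL_FLAGS)
    flags = set(spec.split(","))
    unknown = flags - ALL_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags

def tcp_flags_match(packet_flags, mask, comp):
    """True when, among the flags named in mask, exactly those in comp are set."""
    return (set(packet_flags) & parse_flags(mask)) == parse_flags(comp)

def first_drop_rule(packet_flags):
    """1-based index of the first rule that drops the packet, else None (ACCEPT policy)."""
    for index, (mask, comp) in enumerate(RULES, start=1):
        if tcp_flags_match(packet_flags, mask, comp):
            return index
    return None

# Constructed sample packets: name -> set of TCP flags that are set.
SAMPLES = {
    "SYN (new connection)": {"SYN"},
    "PSH,ACK (data)": {"PSH", "ACK"},
    "FIN,PSH,URG": {"FIN", "PSH", "URG"},
    "no flags": set(),
    "SYN,RST,ACK": {"SYN", "RST", "ACK"},
    "FIN,SYN": {"FIN", "SYN"},
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        rule = first_drop_rule(flags)
        print(f"{name:22} -> {'DROP by rule %d' % rule if rule else 'ACCEPT (policy)'}")
```

Flags outside the mask are ignored, so rule 3 drops SYN,RST,ACK, while rule 1, whose mask covers all six flags, matches only the exact combination FIN,PSH,URG.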