From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-user+bounces-144126-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 72F8313826B
	for <garchives@archives.gentoo.org>; Thu,  3 Jan 2013 03:52:41 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 8672121C04A;
	Thu,  3 Jan 2013 03:52:27 +0000 (UTC)
Received: from svr-us4.tirtonadi.com (svr-us4.tirtonadi.com [69.65.43.212])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id E968721C027
	for <gentoo-user@lists.gentoo.org>; Thu,  3 Jan 2013 03:50:51 +0000 (UTC)
Received: from mail-da0-f48.google.com ([209.85.210.48]:46063)
	by svr-us4.tirtonadi.com with esmtpsa (TLSv1:RC4-SHA:128)
	(Exim 4.80)
	(envelope-from <pandu@poluan.info>)
	id 1TqbpT-001hVe-Jm
	for gentoo-user@lists.gentoo.org; Thu, 03 Jan 2013 10:50:51 +0700
Received: by mail-da0-f48.google.com with SMTP id k18so6757475dae.35
        for <gentoo-user@lists.gentoo.org>; Wed, 02 Jan 2013 19:50:50 -0800 (PST)
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.68.227.41 with SMTP id rx9mr149203133pbc.121.1357185050159;
 Wed, 02 Jan 2013 19:50:50 -0800 (PST)
Received: by 10.68.248.66 with HTTP; Wed, 2 Jan 2013 19:50:49 -0800 (PST)
Received: by 10.68.248.66 with HTTP; Wed, 2 Jan 2013 19:50:49 -0800 (PST)
In-Reply-To: <50E48222.5050509@orlitzky.com>
References: <50E43853.20203@libertytrek.org>
	<50E48222.5050509@orlitzky.com>
Date: Thu, 3 Jan 2013 10:50:49 +0700
Message-ID: <CAA2qdGVFPyiAR0ACBSxQXMj4Z8rp7S0ykHFi5TmOM1+4pejXEA@mail.gmail.com>
Subject: Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or
 do I need it)?
From: Pandu Poluan <pandu@poluan.info>
To: gentoo-user@lists.gentoo.org
Content-Type: multipart/alternative; boundary=e89a8ff1ce76cf297004d25a4424
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - svr-us4.tirtonadi.com
X-AntiAbuse: Original Domain - lists.gentoo.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - poluan.info
X-Get-Message-Sender-Via: svr-us4.tirtonadi.com: authenticated_id: rileyer+pandu.poluan.info/only user confirmed/virtual account not confirmed
X-Archives-Salt: 461c0302-a3a6-49b3-b08d-ac0d1af04f61
X-Archives-Hash: f244e598a2993cab75910665ccde6832

--e89a8ff1ce76cf297004d25a4424
Content-Type: text/plain; charset=UTF-8

On Jan 3, 2013 1:57 AM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 01/02/13 08:38, Tanstaafl wrote:
> > Hi all,
> >
> > This has been bugging me for a while...
> >
> > I've googled, and can't seem to find a definitive answer to this
> > question...
> >
> > Lots of references to the Mangle table, but nothing that really explains
> > what this table is or does, and when or why I would want/need it.
> >
>
> It allows you to mangle the low level bits of a packet. You only need it
> for routing gymnastics.
>
>
> > Currently, I have this in my rules (since forever, honestly don't even
> > remember where it came from):
> >
> > *mangle
> > :PREROUTING ACCEPT [1378800222:449528056411]
> > :INPUT ACCEPT [1363738727:447358082301]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [1221121261:1103241097263]
> > :POSTROUTING ACCEPT [1221116979:1103240864155]
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> > FIN,PSH,URG -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j
> > DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> > COMMIT
> > # Completed on Sun Dec 11 14:11:01 2011
> >
>
> The PREROUTING table happens before the routing decision is made. So
> those rules happen before the network stack decides what to do with a
> packet.
>
> Suppose, for example, that you forward all packets from your LAN to
> wherever they're supposed to go. You might want to alter the source IP
> of VPN traffic (which a priori is not from the LAN interface) so that it
> appears to come from the LAN before you decide whether or not to forward
it.
>
> The POSTROUTING table is similar, only it happens after the packet's
> destination is set in stone. So you can, say, change the source IP
> address in the packet and still have it routed wherever it was going to
> go originally.
>
>
> > This is on a mail/web server with a static IP, it does not do any NAT
> > and does not act as a perimeter firewall, it only protects itself...
> >
> > Thanks for any pointers to tfm that explains this if there is one, or
> > just for a simple explanation if not...
> >
>
> I don't know what you were trying to do there, but it doesn't sound like
> you need it. You might have been trying to block packets in an invalid
> state. If so, consider using conntrack's --ctstate INVALID to drop them
> instead.
>

Just to add some references...

When dealing with iptables (and its kissing cousin, ebtables), I always
find these diagrams to be most helpful:

Definitive: http://www.wenzk.net/bbs/attachments/PacketFlow_BTgdX6im2Scu.png

Complementary: http://linux-ip.net/nf/nfk-traversal.png

Rgds,
--

--e89a8ff1ce76cf297004d25a4424
Content-Type: text/html; charset=UTF-8

<p><br>
On Jan 3, 2013 1:57 AM, &quot;Michael Orlitzky&quot; &lt;<a href="mailto:michael@orlitzky.com">michael@orlitzky.com</a>&gt; wrote:<br>
&gt;<br>
&gt; On 01/02/13 08:38, Tanstaafl wrote:<br>
&gt; &gt; Hi all,<br>
&gt; &gt;<br>
&gt; &gt; This has been bugging me for a while...<br>
&gt; &gt;<br>
&gt; &gt; I&#39;ve googled, and can&#39;t seem to find a definitive answer to this<br>
&gt; &gt; question...<br>
&gt; &gt;<br>
&gt; &gt; Lots of references to the Mangle table, but nothing that really explains<br>
&gt; &gt; what this table is or does, and when or why I would want/need it.<br>
&gt; &gt;<br>
&gt;<br>
&gt; It allows you to mangle the low level bits of a packet. You only need it<br>
&gt; for routing gymnastics.<br>
&gt;<br>
&gt;<br>
&gt; &gt; Currently, I have this in my rules (since forever, honestly don&#39;t even<br>
&gt; &gt; remember where it came from):<br>
&gt; &gt;<br>
&gt; &gt; *mangle<br>
&gt; &gt; :PREROUTING ACCEPT [1378800222:449528056411]<br>
&gt; &gt; :INPUT ACCEPT [1363738727:447358082301]<br>
&gt; &gt; :FORWARD ACCEPT [0:0]<br>
&gt; &gt; :OUTPUT ACCEPT [1221121261:1103241097263]<br>
&gt; &gt; :POSTROUTING ACCEPT [1221116979:1103240864155]<br>
&gt; &gt; -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG<br>
&gt; &gt; FIN,PSH,URG -j DROP<br>
&gt; &gt; -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j<br>
&gt; &gt; DROP<br>
&gt; &gt; -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP<br>
&gt; &gt; -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP<br>
&gt; &gt; COMMIT<br>
&gt; &gt; # Completed on Sun Dec 11 14:11:01 2011<br>
&gt; &gt;<br>
&gt;<br>
&gt; The PREROUTING table happens before the routing decision is made. So<br>
&gt; those rules happen before the network stack decides what to do with a<br>
&gt; packet.<br>
&gt;<br>
&gt; Suppose, for example, that you forward all packets from your LAN to<br>
&gt; wherever they&#39;re supposed to go. You might want to alter the source IP<br>
&gt; of VPN traffic (which a priori is not from the LAN interface) so that it<br>
&gt; appears to come from the LAN before you decide whether or not to forward it.<br>
&gt;<br>
&gt; The POSTROUTING table is similar, only it happens after the packet&#39;s<br>
&gt; destination is set in stone. So you can, say, change the source IP<br>
&gt; address in the packet and still have it routed wherever it was going to<br>
&gt; go originally.<br>
&gt;<br>
&gt;<br>
&gt; &gt; This is on a mail/web server with a static IP, it does not do any NAT<br>
&gt; &gt; and does not act as a perimeter firewall, it only protects itself...<br>
&gt; &gt;<br>
&gt; &gt; Thanks for any pointers to tfm that explains this if there is one, or<br>
&gt; &gt; just for a simple explanation if not...<br>
&gt; &gt;<br>
&gt;<br>
&gt; I don&#39;t know what you were trying to do there, but it doesn&#39;t sound like<br>
&gt; you need it. You might have been trying to block packets in an invalid<br>
&gt; state. If so, consider using conntrack&#39;s --ctstate INVALID to drop them<br>
&gt; instead.<br>
&gt;</p>
<p>Just to add some references... </p>
<p>When dealing with iptables (and its kissing cousin, ebtables), I always find these diagrams to be most helpful:</p>
<p>Definitive: <a href="http://www.wenzk.net/bbs/attachments/PacketFlow_BTgdX6im2Scu.png">http://www.wenzk.net/bbs/attachments/PacketFlow_BTgdX6im2Scu.png</a></p>
<p>Complementary: <a href="http://linux-ip.net/nf/nfk-traversal.png">http://linux-ip.net/nf/nfk-traversal.png</a></p>
<p>Rgds, <br>
--<br>
</p>

--e89a8ff1ce76cf297004d25a4424--