On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote:
> Hi all,
> 
> This has been bugging me for a while...
> 
> I've googled, and can't seem to find a definitive answer to this
> question...
> 
> Lots of references to the Mangle table, but nothing that really explains
> what this table is or does, and when or why I would want/need it.
> 
> Currently, I have this in my rules (since forever, honestly don't even
> remember where it came from):
> 
> *mangle
> 
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
> 
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011
> 
> This is on a mail/web server with a static IP, it does not do any NAT
> and does not act as a perimeter firewall, it only protects itself...
> 
> Thanks for any pointers to tfm that explains this if there is one, or
> just for a simple explanation if not...

The rules you show above do not do any mangling.  They just filter out packets 
during prerouting with certain tcp flags.  You would mangle packets if you 
needed to change some headers, e.g. ToS field and TTL.  You could also set a 
MARK value so that you can thereafter process the MARK'ed packet accordingly 
(e.g. limit bandwidth for such packets, or do some fancy routing for them)

If you have a look at 'man iptables-extensions' it gives some examples of 
using -t mangle.

I haven't looked in Google recently, but there should be some examples there 
too.
-- 
Regards,
Mick
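
An added illustration (not from either poster) of what a mangle table looks like when it actually mangles, in the same iptables-restore format as the ruleset quoted above. It covers the three uses the reply mentions: setting a MARK so packets can be handled later by policy routing or traffic shaping, and rewriting the ToS and TTL header fields. Interface name, ports, the mark value 0x1 and the TTL are hypothetical and would be adapted to the host:

```iptables
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Restore a mark already saved on the connection, so only the first
# packet of a flow needs to be classified by the rules below.
-A PREROUTING -j CONNMARK --restore-mark
-A OUTPUT -j CONNMARK --restore-mark
# Classify: new inbound SSH connections on eth0 get mark 0x1
# (hypothetical interface and mark value).
-A PREROUTING -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j MARK --set-mark 0x1
# Persist any non-zero mark on the conntrack entry for the rest of the flow.
-A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
# Header rewrites: ToS on outbound SMTP, and a fixed TTL on everything
# this host sends (hides the kernel's default TTL from fingerprinting).
-A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
-A OUTPUT -j TTL --ttl-set 64
COMMIT
```

Loaded with `iptables-restore`, this fragment changes nothing on its own beyond the ToS and TTL bytes; the mark only matters once something consumes it, for example `ip rule add fwmark 0x1 table 100` to send marked traffic through a separate routing table, or a `tc filter ... handle 1 fw` classifier to put it into a shaping class. Without such a consumer, a mangle table that only DROPs, as in the quoted ruleset, is doing plain filtering and could live in the filter table just as well.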
