The Netfilter Mangle Table
- Oct 30, 2000
Sorry, this author hasn't posted any blogs.
This is the fourth in a series of articles on Netfilter. This article discusses Netfilter's mangle table, which allows you to queue traffic and perform other feats of magic.
In previous articles (particularly the first two), we covered enough material for a week. In this article, let's talk about the mangle table. But before we get into the mangle table, I'd like to pass on a tip: If you're creating a script to implement the rules you'll use, a good idea is to make sure that you start with a clean slate:
iptables -t nat -F ; iptables -t nat -X iptables -F ; iptables -X iptables -t mangle -F ; iptables -t mangle -X
These three lines first clean out (flush) all the rules and then delete any user-defined chains. If you use a script to implement your rules, you can use these to make sure that you start with a clean slate. A good place for this script to run would be a call from a startup script such as /etc/rc.d/rc.local, with your rules in a file such as /etc/rc.d/rc.iptables. This script should be executable and start like any other script. Because the script is run at startup, you can't assume an environment, so you'll need to full-path the call to iptables or define the environment (path).
The Mangle Table
Okay, so why would anyone want to mangle packets? Well, there are a number of reasons. The most common reason is to alter the Type of Service (TOS) field. This field is read by the Linux kernel and alters a packets priority.
The TOS field can be set to any one of five different values:
These values do exactly what they say. Basically, Linux and dedicated routers such as Cisco routers will read the TOS field and handle the packets appropriately. The most likely candidates for these particular values are these:
|
|
Minimum delay |
|
|
Maximum throughput |
|
|
Maximum reliability |
|
|
Minimum cost |
To implement this scheme, you can use this code:
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos 0x04 iptables -t mangle -A PREROUTING -p tcp --sport 25 -j TOS --set-tos 0x04
Now, I know you don't want to put in 18 rules when 8 will suffice. So, let's take a look at how multiple ports can be specified in one line.
iptables -t mangle -A PREROUTING -m multiport -p tcp --dport 80,23,22 -j TOS --set-tos 16 iptables -t mangle -A PREROUTING -m multiport -p tcp --sport 80,23,22 -j TOS --set-tos 16
The -m multiport match allows you to specify a comma-separated list of ports. This will allow you to write rules such as the previous ones, cutting down on the number of rules you need to write. The -m multiport option works in all tables.
Account Sign In
View your cart