
The Netfilter Mangle Table

This is the fourth in a series of articles on Netfilter. This article discusses Netfilter's mangle table, which allows you to queue traffic and perform other feats of magic.

In previous articles (particularly the first two), we covered enough material for a week. In this article, let's talk about the mangle table. But before we get into the mangle table, I'd like to pass on a tip: If you're creating a script to implement the rules you'll use, a good idea is to make sure that you start with a clean slate:

iptables -t nat -F ; iptables -t nat -X
iptables -F ; iptables -X
iptables -t mangle -F ; iptables -t mangle -X

These three lines first flush all the rules in each table and then delete any user-defined chains, so the script never stacks a second copy of its rules on top of the first. A good place to run this script is a call from a startup script such as /etc/rc.d/rc.local, with your rules in a file such as /etc/rc.d/rc.iptables. This file should be executable and start with the usual shell interpreter line like any other script. Because the script is run at startup, you can't assume an environment, so you'll need to give the full path to iptables or define the environment (PATH) yourself.

The Mangle Table

Okay, so why would anyone want to mangle packets? Well, there are a number of reasons. The most common reason is to alter the Type of Service (TOS) field, which the Linux kernel reads to decide a packet's priority.

The TOS field can be set to any one of five different values:

Minimum delay (16 or 0x10)
Maximum throughput (8 or 0x08)
Maximum reliability (4 or 0x04)
Minimum cost (2 or 0x02)
Normal service (0 or 0x00)

These values do exactly what they say. Basically, Linux and dedicated routers such as Cisco routers will read the TOS field and handle the packets appropriately. The services most likely to benefit from each value are these:

Services               TOS value
telnet, ssh, http      Minimum delay
ftp, ftp-data, scp     Maximum throughput
smtp                   Maximum reliability
pop3, imap             Minimum cost

To implement this scheme, you write a pair of rules per service, one for each direction of the traffic. For smtp (Maximum reliability, 0x04) the pair looks like this:

iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos 0x04
iptables -t mangle -A PREROUTING -p tcp --sport 25 -j TOS --set-tos 0x04

Now, I know you don't want to put in 18 rules (nine services, two directions each) when 8 will suffice. So, let's take a look at how multiple ports can be specified in one line.

iptables -t mangle -A PREROUTING -m multiport -p tcp --dports 80,23,22 -j TOS --set-tos 16
iptables -t mangle -A PREROUTING -m multiport -p tcp --sports 80,23,22 -j TOS --set-tos 16

The -m multiport match allows you to specify a comma-separated list of ports (note the plural spelling of its options: --dports, --sports, and --ports, which matches either direction). This will allow you to write rules such as the previous ones, cutting down on the number of rules you need to write. The -m multiport match works in all tables.
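Putting the two tips together (the clean-slate flush from the start of the article and the grouped TOS rules), here is an added example of what an /etc/rc.d/rc.iptables script could look like. It is not code from the original article. The full /sbin/iptables path, the DRY_RUN=1 preview mode, the "apply" argument, and the port numbers for ftp (21), ftp-data (20), pop3 (110) and imap (143) are this example's own assumptions. One caveat the port-based scheme runs into: scp travels over the ssh port 22, so a port match cannot give it a different TOS than interactive ssh; the example keeps port 22 in the minimum-delay group and says so in a comment.

```shell
#!/bin/sh
# Added example, not from the original article: an /etc/rc.d/rc.iptables-style
# script that wipes the three tables and then applies the article's TOS scheme
# with -m multiport. Assumptions of this example: the full iptables path, the
# DRY_RUN preview mode, the "apply" argument, and the ftp/ftp-data/pop3/imap
# port numbers.

# Full path because a script called from rc.local cannot assume a PATH.
IPTABLES=/sbin/iptables

# run: execute a command, or just print it when DRY_RUN=1 (preview mode).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# flush_all: flush every rule and delete every user-defined chain in the
# filter, nat and mangle tables, so a re-run never stacks duplicate rules.
flush_all() {
    for t in filter nat mangle; do
        run "$IPTABLES" -t "$t" -F
        run "$IPTABLES" -t "$t" -X
    done
}

# tos_pair: set one TOS value on both directions of a group of TCP services.
#   $1 = comma-separated port list, $2 = TOS value
tos_pair() {
    run "$IPTABLES" -t mangle -A PREROUTING -m multiport -p tcp --dports "$1" -j TOS --set-tos "$2"
    run "$IPTABLES" -t mangle -A PREROUTING -m multiport -p tcp --sports "$1" -j TOS --set-tos "$2"
}

# apply_tos_scheme: the article's service table, two rules per group (8 rules).
# Port groups are kept disjoint on purpose: TOS is a non-terminating target,
# so a packet matching two groups would simply end up with the later value.
apply_tos_scheme() {
    tos_pair 23,22,80 0x10    # telnet, ssh, http: Minimum delay
    tos_pair 21,20    0x08    # ftp, ftp-data: Maximum throughput
                              # (scp rides on ssh's port 22, so a port match
                              # cannot separate it from interactive ssh)
    tos_pair 25       0x04    # smtp: Maximum reliability
    tos_pair 110,143  0x02    # pop3, imap: Minimum cost
}

# Called as "/etc/rc.d/rc.iptables apply" from rc.local; with no argument the
# file only defines the functions (handy for DRY_RUN=1 previews and testing).
case "${1:-}" in
    apply) flush_all; apply_tos_scheme ;;
esac
```

Run `DRY_RUN=1 sh rc.iptables apply` to see the fourteen commands (six flush/delete lines, eight TOS rules) before letting the script touch the live tables; the hex values match the article's table, so 0x10 here is the same "16" used in the multiport rules above.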
