--- Daniel Chemko <dchemko@xxxxxxxxxx> wrote:
Good point. Is there any reason I shouldn't put my rules on the mangle POSTROUTING table and kill 2 birds with one rule?
None that I can see, though I must admit that I swear sometimes I see packets missing POSTROUTING; though I blame that on my bogon ray generator, and not Netfilter itself.
OK, let me hop back in here... and make sure I understand this so I don't insert bad rules in my firewall...
Jeff recommends...
iptables -t mangle -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
OK, I can see that this is making TOS changes for the HTTP service on the TCP protocol. (Quick side question here, but is UDP affected by TOS???) Which I can see as being useful if you have cooperative routers between you and the peer user...
This rule only changes the TOS for those packets generated by the fw box itself. Any packets that the fw box is forwarding from other boxes would be unaffected.
but Daniel recommends...
You probably want this on the FORWARD chain to boost the performance of your actual client machines instead of just the firewall.
Why place it in the FORWARD chain?
The mangle FORWARD chain handles traffic between your LAN and the outside world. If you're firewalling a single box this chain isn't used.
Question back at Jeff here too...
Is the OUTPUT chain really the right place for me? I mean, yes, I know it would be good to change TOS in OUTPUT, but doesn't that affect only the Linux box? My NAT goes through ....
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 68.119.x.x
so how could I go about changing the TOS of SNATed packets? Is it even possible?
Daniel is correct. The OUTPUT chain is not the right place to mangle if the goal is to improve the speed of the LAN, since it only affects packets generated by the fw box. You need to put your mangle rules on either the mangle FORWARD chain or the mangle POSTROUTING chain. Try not to be confused by the fact that each table (filter, nat, mangle) has chains that use the same name. They are not the same chains. This explains the flow of packets better than I ever could:
http://iptables-tutorial.frozentux.net/chunkyhtml/traversingoftables.html
Jeff
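The following is an added example, not something posted in the thread, showing the rules the discussion arrives at: TOS marking for forwarded HTTP traffic done in the mangle table (FORWARD for the LAN clients, OUTPUT for the firewall's own traffic), which is independent of the SNAT rule in nat POSTROUTING because SNAT only rewrites the source address, not the TOS byte. The interface name, the LAN subnet and the `tos_rules` helper are assumptions; the 0x08 TOS value is the one used in the thread (Maximize-Throughput). The helper takes the command to run as its argument so the rules can be printed with `echo` instead of applied with `iptables`, which needs root. TOS is a field of the IP header, so the same `-j TOS` target works for UDP as well; this example marks only TCP port 80 to stay with the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Assumed values: WAN interface, LAN subnet and TOS byte.
WAN_IF="${WAN_IF:-eth0}"               # assumed external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN range behind SNAT
TOS_VALUE="${TOS_VALUE:-0x08}"          # Maximize-Throughput, as in the thread

# Emit the three mangle-table rules. $1 is the command used to run them:
# "iptables" to apply (root), "echo" to just print them.
tos_rules() {
    ipt="${1:-iptables}"

    # LAN clients' HTTP requests on their way out: mangle FORWARD sees
    # forwarded packets before nat POSTROUTING applies SNAT.
    "$ipt" -t mangle -A FORWARD -s "$LAN_NET" -o "$WAN_IF" \
        -p tcp --dport 80 -j TOS --set-tos "$TOS_VALUE"

    # Replies from web servers coming back to the LAN (source port 80).
    "$ipt" -t mangle -A FORWARD -d "$LAN_NET" -i "$WAN_IF" \
        -p tcp --sport 80 -j TOS --set-tos "$TOS_VALUE"

    # The firewall's own HTTP requests: only mangle OUTPUT sees these,
    # and FORWARD never does, so both chains are needed for full coverage.
    "$ipt" -t mangle -A OUTPUT -o "$WAN_IF" \
        -p tcp --dport 80 -j TOS --set-tos "$TOS_VALUE"
}

# Dry run by default; pass "apply" to load the rules for real.
if [ "${1:-}" = "apply" ]; then
    tos_rules iptables
else
    tos_rules echo
fi
```

After applying, `iptables -t mangle -L FORWARD -v -n` shows per-rule packet counters, which is the quickest way to confirm forwarded traffic is actually hitting the rules; `tcpdump -v -i eth0 port 80` prints the tos field of each packet so the marking can be seen on the wire after SNAT.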