I am using iptables rules to filter and manipulate packets on my Ubuntu server, but I cannot understand the mangle table.
Quoting from this iptables tutorial:
This table should, as we've already noted, mainly be used for mangling packets. In other words, you may freely use the mangle matches, etc., that could be used to change TOS (Type Of Service) fields and so on.
You are strongly advised not to use this table for any filtering; nor will any DNAT, SNAT or Masquerading work in this table.
Can anybody describe the mangle table to me, and provide some examples so I understand when I should use it?
Further to the other good answers, I recently had to use the mangle table to adjust for MTU (maximum transmission unit) discrepancies caused by traffic being brought through PPPoE, PPP, and ATM, each of which adds overhead that reduces the payload available for IP from the usual 1500 bytes of an Ethernet frame.
Systems on each end of the pipe, as is normal, would have their MTU at the regular default of 1500 and so they would try to send IP frames that large. Since the actual payload size available was smaller, this would have caused packet fragmentation, except that often the sender will request that packets not be fragmented, and as such they end up getting dropped entirely.
In an ideal world, path MTU discovery would have allowed the endpoints to adjust their MTU down as needed, but this discovery depends upon ICMP, and networks outside of my control were often configured to drop ICMP for security reasons.
The only choice was to use packet mangling in my router in order to modify TCP SYN packets to lower the maximum segment size at the transport layer:
This sort of thing is messy and ideally should be avoided, but I had no other options and this did solve the problem.
Hope these examples help, as well as the man page.
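The clamping described in this answer, as an added user-space illustration (not the answerer's rule and not the kernel's code) of what the TCPMSS target does to a passing SYN when used as `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` (or `--set-mss N`). The sample packet, its addresses and the 1492-byte PPPoE MTU are constructed here for the example.

```python
import struct

def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 one's-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)            # pad an odd-length segment
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mss_offset(tcp):
    """Offset within the TCP header of the 2-byte MSS value, or None if there is no MSS option."""
    i, doff = 20, (tcp[12] >> 4) * 4
    while i < doff and tcp[i] != 0:              # kind 0 ends the option list
        kind, length = tcp[i], 1 if tcp[i] == 1 else tcp[i + 1]   # NOP (kind 1) has no length byte
        if kind == 2 and length == 4:            # MSS option: kind 2, length 4
            return i + 2
        i += length
    return None

def read_mss(ip_packet):
    tcp = ip_packet[(ip_packet[0] & 0x0F) * 4:]
    off = mss_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]

def clamp_mss(ip_packet, max_mss):
    """Lower the MSS option on SYN (not SYN/RST) segments and repair the TCP checksum."""
    ihl = (ip_packet[0] & 0x0F) * 4
    tcp = bytearray(ip_packet[ihl:])
    if ip_packet[9] != 6 or not tcp[13] & 0x02 or tcp[13] & 0x04:
        return ip_packet                         # not TCP, not a SYN, or a SYN/RST: untouched
    off = mss_offset(tcp)
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= max_mss:
        return ip_packet                         # no MSS option, or already small enough
    tcp[off:off + 2] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"                     # checksum field must be zero while recomputing
    tcp[16:18] = struct.pack("!H", tcp_checksum(ip_packet[12:16], ip_packet[16:20], bytes(tcp)))
    return bytes(ip_packet[:ihl]) + bytes(tcp)

def build_syn(src_ip, dst_ip, mss):
    """Constructed sample: minimal IPv4/TCP SYN with 4 NOPs and an MSS option (IP checksum left 0)."""
    opts = b"\x01" * 4 + struct.pack("!BBH", 2, 4, mss)
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, 0x02, 65535, 0, 0)) + opts
    tcp[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(tcp)))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return ip + bytes(tcp)

if __name__ == "__main__":                       # Ethernet MSS 1460 vs. PPPoE MTU 1492 - 40 = 1452
    syn = build_syn(bytes([10, 0, 0, 2]), bytes([203, 0, 113, 10]), 1460)
    print(read_mss(syn), "->", read_mss(clamp_mss(syn, 1492 - 40)))
```

The real target also has to work on the wire, where the packet must leave with a valid checksum; a clamped SYN whose checksum still verifies to zero is the property the code checks.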
I recently found a good explanation here. It is basically used to set specific headers for IP packets to affect the routing decision made further on. If anything, the TTL option is probably the most interesting:
The other targets are TOS, MARK, SECMARK, CONNSECMARK.
As an iptables noob, I'd say: the mangle table allows one to modify some special entries in the header of packets (such as Type of Service and Time To Live); it also allows setting special marks and security context marks.
There is a good deep-dive, but not too difficult to understand, tutorial on iptables here.
It helped me a lot, as it also clearly explains how all the parts fit together and interact with one another.