Linux Netfilter discussions
From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
To: nf <netfilter@lists.netfilter.org>
Subject: Re: NAT, MANGLE, and TOS
Date: Thu, 23 Oct 2003 17:03:11 -0400
Message-ID: <3F98420F.80902@Loudoun-Fairfax.com>
In-Reply-To: <20031023202550.91953.qmail@web40203.mail.yahoo.com>

SBlaze wrote:

>--- Daniel Chemko <dchemko@smgtec.com> wrote:
>
>>>Good point. Is there any reason I shouldn't put my rules on the mangle 
>>>POSTROUTING table and kill 2 birds with one rule?
>>>
>>None that I can see, though I must admit that I swear sometimes I see
>>packets missing POSTROUTING; though, I blame that on my bogon ray
>>generator, and not Netfilter itself.
>>
>Ok let me hop back in here... and make sure I understand this so I don't insert
>bad rules in my firewall...
>
>Jeff recommends...
>
>iptables -t mangle -A OUTPUT -p tcp -m state --state 
>NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
>
>Ok I can see that this is making TOS changes for http service on the TCP
>protocol. (Quick side q here but is udp affected by TOS???). Which I can see as
>being useful if you have cooperative routers between you and the peer user...
>

This rule only changes the TOS for those packets generated by the fw box 
itself. Any packets that the fw box is forwarding from other boxes would 
be unaffected.

>but Daniel recommends...
>
>You probably want this on the FORWARD chain to boost the performance of
>your actual client machines instead of just the firewall.
>
>Why place it in the FORWARD chain?
>

The mangle FORWARD chain handles traffic between your LAN and the 
outside world. If you're firewalling a single box this chain isn't used.

>Question back at Jeff here too...
>
>Is the OUTPUT chain really the right place for me? I mean yes I know it would
>be good to change TOS in OUTPUT but doesn't that affect only the Linux box? My
>NAT goes through ....
>
>iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 68.119.x.x
>
>so how could I go about changing the TOS of SNATed packets? Is it even
>possible?
>

Daniel is correct. The OUTPUT chain is not the right place to mangle if 
the goal is to improve the speed of the LAN since it only affects 
packets generated by the fw box. You need to put your mangle rules on 
either the mangle FORWARD chain or the mangle POSTROUTING chain. Try not 
to be confused by the fact that each table (filter, nat, mangle) has 
chains that use the same name. They are not the same chains. This 
explains the flow of packets better than I ever could:

http://iptables-tutorial.frozentux.net/chunkyhtml/traversingoftables.html

Jeff
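The chain-traversal point Jeff makes above, as an added example that is not part of the thread: a small Python model of which mangle chains a packet walks depending on whether the firewall generated it or is forwarding it. The chain order per path is the real netfilter hook order; the rule and packet dictionaries are this example's own simplification, not an iptables API.

```python
# Added example (not from the thread): model how a packet walks the mangle
# table's chains, to show why a TOS rule in mangle OUTPUT never touches
# forwarded LAN traffic while one in mangle FORWARD or POSTROUTING does.

# Mangle chains a packet traverses, by its origin and destination.
PATHS = {
    "local_out": ["OUTPUT", "POSTROUTING"],                 # generated by the fw box
    "forward":   ["PREROUTING", "FORWARD", "POSTROUTING"],  # LAN <-> Internet
    "local_in":  ["PREROUTING", "INPUT"],                   # destined to the fw box
}

def matches(rule, pkt):
    """A rule matches when every field it specifies equals the packet's value."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def traverse(pkt, path, rules):
    """Walk the mangle chains for `path`, applying TOS --set-tos rules in order.
    Returns (final TOS byte, list of chains in which a rule fired)."""
    tos = pkt.get("tos", 0x00)
    hits = []
    for chain in PATHS[path]:
        for rule in rules:
            if rule["chain"] == chain and matches(rule, pkt):
                tos = rule["set_tos"]
                hits.append(chain)
    return tos, hits

# Constructed sample: an HTTP reply (sport 80), either generated by the fw
# box itself or forwarded by it on behalf of a LAN web server.
HTTP_REPLY = {"proto": "tcp", "sport": 80}

# The rule from the thread in mangle OUTPUT (0x08 = maximise throughput) ...
OUTPUT_RULE = {"chain": "OUTPUT", "match": HTTP_REPLY, "set_tos": 0x08}
# ... the same match in mangle FORWARD (Daniel's suggestion) ...
FORWARD_RULE = {"chain": "FORWARD", "match": HTTP_REPLY, "set_tos": 0x08}
# ... and in mangle POSTROUTING, which both paths traverse.  (mangle
# POSTROUTING runs before nat POSTROUTING, so SNATed packets are still seen.)
POSTROUTING_RULE = {"chain": "POSTROUTING", "match": HTTP_REPLY, "set_tos": 0x08}

def tos_after(rules, path):
    """Final TOS of the sample HTTP reply on `path` under the given rules."""
    return traverse(dict(HTTP_REPLY), path, rules)[0]

if __name__ == "__main__":
    for chain, rules in [("OUTPUT", [OUTPUT_RULE]), ("FORWARD", [FORWARD_RULE]),
                         ("POSTROUTING", [POSTROUTING_RULE])]:
        print(f"rule in mangle {chain}: fw-generated -> {tos_after(rules, 'local_out'):#04x},"
              f" forwarded -> {tos_after(rules, 'forward'):#04x}")
```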


