Sunday, June 27, 2010

Enhance Linux Box Security: Iptables made easy - tutorial part 4

This time we are concerned with the mangle rules of iptables.
Mangling of packets is done only with NAT and is a part of the NAT process. In NAT, we can "mangle" a packet by modifying the Source IP address and Destination IP address fields of the IP header.
[Figure: format of an IP packet]

Using the mangle table of iptables we can modify the following three fields:
• Set a mark on IP packets
• TOS: the 8 bit Type Of Service field
• TTL: the 8 bit Time to live field
iptables can set a mark on IP packets that can be used internally by iproute2 for source routing and/or QoS. This internal mark, called nfmark (netfilter mark), does not alter any field of the IP packet header. Nfmarks can be set using the MARK target in iptables, which has three options.
MARK target options:
--set-mark value Set nfmark value
--and-mark value Binary AND the nfmark with value
--or-mark value Binary OR the nfmark with value
## mark packets to 192.168.1.100 with nfmark 6:
Rule 1:
# iptables -t mangle -A POSTROUTING -d 192.168.1.100 -j MARK --set-mark 6

The TOS field is 8 bits long. Altering the TOS field is very useful for QoS. For this, iptables uses the TOS target, which has the --set-tos option.
TOS target options:
--set-tos value Set the Type of Service field to one of the following numeric or descriptive values:
Minimize-Delay 16 (0x10)
Maximize-Throughput 8 (0x08)
Maximize-Reliability 4 (0x04)
Minimize-Cost 2 (0x02)
Normal-Service 0 (0x00)
## set TOS to Maximize-Throughput for outgoing FTP data:
Rule 2:
# iptables -t mangle -A POSTROUTING -p tcp --sport 20 -j TOS --set-tos 8

The TTL field of the IP packet header is the Time To Live for that IP packet, and can be altered using the TTL target of iptables.
TTL target options:
--ttl-set value Set TTL to value
--ttl-dec value Decrement TTL by value
--ttl-inc value Increment TTL by value
Altering the TTL can be useful, for example, if you do not want a client to share its Internet connection with others. If you set the TTL to 1 for packets going to a certain IP address, only the device with that IP address receives them. If a packet is destined for a host behind that IP address, the TTL will be decremented and the IP packet will be dropped.
## set TTL to 1 for packets going out interface ppp0:
Rule 3:
# iptables -t mangle -I POSTROUTING -o ppp0 -j TTL --ttl-set 1
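As an added example (not from the original post): the three rules above collected into a single iptables-restore ruleset for the mangle table, with a parse-only check that can be run before anything is committed to the live firewall. The host 192.168.1.100 and interface ppp0 are the post's values, taken here as overridable defaults.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the tutorial's three
# mangle rules as an iptables-restore ruleset so they can be reviewed and
# syntax-checked before being loaded. Defaults taken from the post.
LAN_HOST="${LAN_HOST:-192.168.1.100}"   # host whose packets get nfmark 6
UPLINK="${UPLINK:-ppp0}"                # interface where TTL is forced to 1

# Emit the mangle table in iptables-save format: table header, the five
# built-in chains with their policies, Rule 1, 2 and 3, then COMMIT.
mangle_ruleset() {
    printf '%s\n' \
        '*mangle' \
        ':PREROUTING ACCEPT [0:0]' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -d $LAN_HOST/32 -j MARK --set-mark 6" \
        '-A POSTROUTING -p tcp --sport 20 -j TOS --set-tos 8' \
        "-A POSTROUTING -o $UPLINK -j TTL --ttl-set 1" \
        'COMMIT'
}

# Number of rule lines (those starting with -A), so a caller can confirm
# the generated set is complete before loading it.
rule_count() {
    mangle_ruleset | grep -c '^-A '
}

# Dry run: iptables-restore --test parses and constructs the ruleset without
# committing it. Needs root and the iptables tools; non-zero exit on a
# malformed ruleset.
check_ruleset() {
    mangle_ruleset | iptables-restore --test
}

# --noflush appends to the existing mangle table instead of replacing it.
case "${1:-}" in
    --check) check_ruleset ;;
    --apply) mangle_ruleset | iptables-restore --noflush ;;
    *)       mangle_ruleset ;;
esac
```

Run with no argument to print the ruleset, with --check for the parse-only test, and with --apply to load it.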
