Re: need iptables rule to turn off ecn on a firewall
Hanasaki JiJi wrote:
> I have used -t nat -j MASQ quite a bit and have read a lot on the -t
> mangle without gaining as much comprehension as I would like, and need.
> Is the -t mangle used as a replacement for -t nat -j MASQ? In
> conjunction with it? ... What would need to be done to augment/replace
> my current rule that does iptables -t nat -A postrouting -j MASQ... ?
You use the mangle table (-t mangle) to twiddle bits in IP packets,
which is why you would mess with ECN in that table. You can do other
things in mangle like change TTLs and set marks for iproute2.
Masquerading (a type of network address translation) can only be done in
the nat table though. This is because all packets go through the mangle
table, but only packets that start a new connection go through the nat
table. Packets related to an existing connection are automatically NAT'd
like the first packet without traversing the nat table.
In summary, you only need to use mangle if you want to manipulate
packets beyond simply NATing or dropping them. "Specialized packet
alteration," the manpage says.
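A ruleset putting the two tables side by side, added here as an example and not taken from the thread: the ECN bit-stripping goes in mangle (the ECN target from iptables-extensions, which only loads in the mangle table and requires -p tcp) while masquerading stays in nat. It assumes eth0 is the outside interface and that IPT can be pointed at echo for a dry run.

```bash
#!/bin/sh
# Example firewall snippet: strip ECN in mangle, masquerade in nat.
# IPT and WAN are assumptions for this example; override them from the
# environment. Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"

ecn_rule() {
  # Packet alteration lives in the mangle table: every packet traverses
  # it, so every outbound TCP segment gets its ECN bits cleared.
  # The ECN target is mangle-only and needs -p tcp.
  "$IPT" -t mangle -A POSTROUTING -o "$WAN" -p tcp -j ECN --ecn-tcp-remove
}

masq_rule() {
  # NAT decisions live in the nat table: only the first packet of a
  # connection is seen here; conntrack applies the same mapping to the
  # rest of the flow without consulting this table again.
  "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

apply_rules() {
  ecn_rule && masq_rule
}

show_rules() {
  # Packet/byte counters on the mangle rule confirm ECN stripping is
  # actually hit; counters on the nat rule only grow once per new flow.
  "$IPT" -t mangle -L POSTROUTING -v -n
  "$IPT" -t nat -L POSTROUTING -v -n
}

# Run directly: apply the rules (needs root unless IPT=echo).
case "$0" in
  *ecn_masq*) apply_rules ;;
esac
```

Save as ecn_masq.sh and run `IPT=echo sh ecn_masq.sh` first to review the exact commands before applying them as root.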