Mangle

PREROUTING

Engaged for incoming packets before any routing decision is made, suitable for DNAT.

POSTROUTING

Activated for outgoing packets after all routing decisions have been made, ideal for SNAT and masquerading.

OUTPUT

Applied to locally generated packets before they are sent out, allowing for DNAT on outgoing traffic.

Examples by Action

sudo iptables -t mangle -A POSTROUTING -j TTL --ttl-set 128

Windows 128

Cisco 255

Linux 64

Increase TTL to prevent packets from expiring prematurely:

iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 64

Decrease TTL to restrict packet reach to a specific network segment:

iptables -t mangle -A POSTROUTING -o eth1 -d 192.168.2.0/24 -j TTL --ttl-set 32

This rule sets the TTL of outgoing packets destined for the 192.168.2.0/24 network to 32, limiting their reach to that segment.

Mark packets based on source IP for specific routing:

iptables -t mangle -A PREROUTING -i eth0 -s 192.168.1.10 -j MARK --set-mark 0x10

Mark packets based on destination port for specific firewall rules:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 0x20

This marks packets targeting port 80 with 0x20 for applying specific firewall rules later.

Disable timestamps on outgoing packets for performance optimization:

iptables -t mangle -A POSTROUTING -o eth0 -j TSOFF

Enable IP options for specific applications:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 -j TOS --set-tos 0x10

This sets the Type of Service (TOS) field for HTTPS traffic (port 443) to 0x10, potentially enabling specific options needed by the application.

Changing the DSCP Field of Outgoing Packets

Differentiated Services Code Point (DSCP) can be used for quality of service (QoS) purposes.

This rule sets the DSCP field for outgoing HTTP traffic to prioritize it within the network.

iptables -t mangle -A POSTROUTING -p tcp --dport 80 -j DSCP --set-dscp 32

Last updated 2 years ago