What is the mangle table in iptables?
Solution 1:
Further to the other good answers, I recently had to use the mangle table to adjust for MTU (maximum transmission unit) discrepancies caused by traffic being brought through PPPoE, PPP, and ATM, each of which adds overhead that reduces the payload available for IP from the usual 1500 bytes of an Ethernet frame.
Systems on each end of the pipe, as is normal, would have their MTU at the regular default of 1500 and so they would try to send IP frames that large. Since the actual payload size available was smaller, this would have caused packet fragmentation, except that often the sender will request that packets not be fragmented, and as such they end up getting dropped entirely.
In an ideal world, path MTU discovery would have allowed the endpoints to adjust their MTU down as needed, but this discovery depends upon ICMP, and networks outside of my control were often configured to drop ICMP for security reasons.
The only choice was to use packet mangling in my router in order to modify TCP SYN packets to lower the maximum segment size at the transport layer:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
This sort of thing is messy and ideally should be avoided, but I had no other options and this did solve the problem.
Hope these examples help, as well as the man page.
Solution 2:
I recently found a good explanation here. It is basically used to set specific headers for IP packets to affect the routing decision made further on. If any, the TTL option is probably the most interesting:
The TTL target is used to change the TTL (Time To Live) field of the packet. We could tell packets to only have a specific TTL and so on. One good reason for this could be that we don't want to give ourself away to nosy Internet Service Providers. Some Internet Service Providers do not like users running multiple computers on one single connection, and there are some Internet Service Providers known to look for a single host generating different TTL values, and take this as one of many signs of multiple computers connected to a single connection.
The other targets are TOS, MARK, SECMARK, CONNSECMARK.
Solution 3:
As an iptables noob, I'd say: The mangle table allows to modify some special entries in the header of packets. (such: Type of Service, Time To Live ) (it also allows to set special marks and security context marks)
Solution 4:
There is a good deep dive but not too difficult to understand tutorial on iptables here.
The mangle table is used to alter the IP headers of the packet in various ways. For instance, you can adjust the TTL (Time to Live) value of a packet, either lengthening or shortening the number of valid network hops the packet can sustain. Other IP headers can be altered in similar ways.
This table can also place an internal kernel "mark" on the packet for further processing in other tables and by other networking tools. This mark does not touch the actual packet, but adds the mark to the kernel's representation of the packet.
Helped me a lot, as it also clearly explains how all the parts fit together and interract with one another.