The TOS target is used to set the Type of
Service field within the IP header. The TOS
field consists of 8 bits which are used to help in routing
packets. This is one of the fields that can be used directly within
iproute2 and its subsystem for routing policies. Worth
noting is that if you handle several separate firewalls and routers,
this is the only way to propagate routing information within the actual packet
between these routers and firewalls. As previously noted, the
MARK target - which sets a MARK
associated with a specific packet - is only available within the kernel, and
can't be propagated with the packet. If you feel a need to propagate routing
information for a specific packet or stream, you should therefore set the
TOS field, which was developed for this.
There are currently a lot of routers on the Internet which do a pretty bad job
at this, so as of now it may prove to be a bit useless to attempt
TOS mangling before sending the packets on to the
Internet. At best the routers will not pay any attention to the
TOS field. At worst, they will look at the
TOS field and do the wrong thing. However, as stated
above, the TOS field can most definitely be put to
good use if you have a large WAN or
LAN with multiple routers. You then in fact have the
possibility of giving packets different routes and preferences, based on their
TOS value - even though this might be confined to
your own network.
The TOS target is only capable of setting specific, named
values on packets. These predefined TOS
values can be found in the kernel include files, or more precisely, the
Linux/ip.h file. The reasons are many, and you should
actually never need to set any other values; however, there are ways around
this limitation. To get around the limitation of only being able to set the
named values on packets, you can use the FTOS patch available at the Paksecured
Linux Kernel patches site maintained by
Matthew G. Marsh. However, be cautious with this patch! You should not need to
use any other than the default values, except in extreme cases.
Note that this target is only valid within the
mangle table and can't be used outside it.
Also note that some old versions (1.2.2 or below) of iptables provided a
broken implementation of this target which did not fix the packet checksum
upon mangling, hence rendering the packets bad and in need of retransmission.
That in turn would most probably lead to further mangling and the connection
never working.
The TOS target only takes one option as described
below.
Table 11-14. TOS target

Option: --set-tos

Example: iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10

Explanation: The --set-tos option tells the TOS mangler what TOS value to set
on packets that are matched. The option takes a numeric value, either in hex or
in decimal. As the TOS value consists of 8 bits, the value may be 0-255, or in
hex 0x00-0xFF. Note that in the standard TOS target you are limited to using the
named values available (which should be more or less standardized), as mentioned
in the previous warning. These values are Minimize-Delay (decimal value 16, hex
value 0x10), Maximize-Throughput (decimal value 8, hex value 0x08),
Maximize-Reliability (decimal value 4, hex value 0x04), Minimize-Cost (decimal
value 2, hex value 0x02) or Normal-Service (decimal value 0, hex value 0x00).
The default value on most packets is Normal-Service, or 0. Note that you can, of
course, use the actual names instead of the hex values to set the TOS value; in
fact this is generally to be recommended, since the values associated with the
names may be changed in the future. For a complete listing of the "descriptive
values", do an iptables -j TOS -h. This listing is complete as of iptables 1.2.5
and should hopefully remain so for a while.
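As an added example that is not part of the tutorial, the following Python script models what the TOS target does to a packet: it resolves a --set-tos argument (one of the named values listed above, or a decimal or hex number in the 0-255 range) to the TOS byte, writes that byte into a constructed IPv4 header, and recomputes the header checksum. A fix_checksum flag reproduces the stale-checksum behaviour of the old iptables versions (1.2.2 and below) mentioned earlier, so you can see that a receiver's checksum check would then reject the mangled packet. The sample packet, the function names and the TOS_NAMES mapping are constructed for this example; the names and numbers in the mapping are the ones given in the text.

```python
import struct

# Named TOS values as listed in the text (iptables -j TOS -h prints the same set).
TOS_NAMES = {
    "Minimize-Delay": 0x10,
    "Maximize-Throughput": 0x08,
    "Maximize-Reliability": 0x04,
    "Minimize-Cost": 0x02,
    "Normal-Service": 0x00,
}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    computed over a header whose checksum field has been zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tos_value(value) -> int:
    """Resolve a --set-tos style argument: a name from TOS_NAMES, a decimal
    string, a hex string such as 0x10, or an int. Anything outside 0-255 is
    rejected because the TOS field is a single byte."""
    if isinstance(value, str) and value in TOS_NAMES:
        return TOS_NAMES[value]
    num = int(value, 0) if isinstance(value, str) else int(value)
    if not 0 <= num <= 255:
        raise ValueError(f"TOS value {value!r} is outside the 8-bit range 0-255")
    return num


def get_tos(packet: bytes) -> int:
    """The TOS byte is the second byte of the IPv4 header."""
    return packet[1]


def tos_name(tos: int) -> str:
    """Map a TOS byte back to its named value, or a hex string if unnamed."""
    for name, val in TOS_NAMES.items():
        if val == tos:
            return name
    return f"0x{tos:02x}"


def set_tos(packet: bytes, value, fix_checksum: bool = True) -> bytes:
    """Return a copy of packet with the TOS byte replaced. With
    fix_checksum=False the old header checksum is left in place, which is the
    defect the text attributes to iptables 1.2.2 and below."""
    tos = parse_tos_value(value)
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    hdr = bytearray(packet[:ihl])
    hdr[1] = tos
    if fix_checksum:
        hdr[10:12] = b"\x00\x00"          # zero the checksum field, then recompute
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def checksum_ok(packet: bytes) -> bool:
    """What a receiving host or router does: recompute and compare."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    stored = struct.unpack_from("!H", hdr, 10)[0]
    hdr[10:12] = b"\x00\x00"
    return ipv4_checksum(bytes(hdr)) == stored


def build_sample_packet() -> bytes:
    """Constructed 20-byte IPv4 header (no options), 10.0.0.1 -> 10.0.0.2,
    protocol TCP (6), TOS Normal-Service, with a valid checksum, followed by
    20 bytes of dummy payload."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00, 40, 0x1234, 0x4000, 64, 6, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    ))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + b"\x00" * 20


if __name__ == "__main__":
    pkt = build_sample_packet()
    mangled = set_tos(pkt, "Minimize-Delay")   # same effect as --set-tos 0x10
    print(tos_name(get_tos(mangled)), checksum_ok(mangled))
    stale = set_tos(pkt, "Minimize-Delay", fix_checksum=False)
    print(tos_name(get_tos(stale)), checksum_ok(stale))
```

Passing the name rather than the number, as the text recommends, keeps the rule readable and insulates it from a future renumbering of the named values; the range check in parse_tos_value is the equivalent of iptables refusing a value that does not fit the 8-bit field.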