I have a couple of chains and rules for the filter table:

    -N TCP_IN
    -N TCP_OUT
    -N UDP_IN
    -N UDP_OUT
    -N ICMP_IN
    -N ICMP_OUT
    -N P1_IN
    -N P1_OUT
    -N P2_IN
    -N P2_OUT
    -A FORWARD -d IP_OF_P1 -j P1_IN
    -A FORWARD -s IP_OF_P1 -j P1_OUT
    -A FORWARD -d IP_OF_P1 -j P1_IN
    -A FORWARD -s IP_OF_P1 -j P1_OUT
    -A FORWARD -j LOG --log-prefix "NOT_FORWARDED "
    -A FORWARD -j DROP
    -A P1_IN -p tcp -j TCP_IN
    -A P1_IN -p udp -j UDP_IN
    -A P1_IN -p icmp -j ICMP_IN
    -A P1_IN -j RETURN
    -A TCP_IN -p tcp --dport 80 -j ACCEPT
    -A TCP_IN -j RETURN

For any TCP packet that is going to P1 and doesn't have destination port 80: it is returned to the P1_IN chain from the TCP_IN chain, then returned to the FORWARD chain from P1_IN, and finally the packet is dropped after being logged. Am I right?

Mohammad
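The traversal asked about above can be traced with a small model of jump/RETURN evaluation. This is an added example, not part of the original post and not netfilter code. The packet dictionaries and the `walk`/`forward` helpers are hypothetical, `IP_OF_P1` is kept as the post's literal placeholder, the duplicated FORWARD pair is listed once, and an ACCEPT policy on FORWARD is assumed.

```python
# Minimal model of iptables filter-table traversal (not netfilter itself).
# Each rule is (match dict, target). IP_OF_P1 is the post's own placeholder.
RULES = {
    "FORWARD": [
        ({"dst": "IP_OF_P1"}, "P1_IN"),
        ({"src": "IP_OF_P1"}, "P1_OUT"),
        ({}, "LOG"),
        ({}, "DROP"),
    ],
    "P1_IN": [
        ({"proto": "tcp"}, "TCP_IN"),
        ({"proto": "udp"}, "UDP_IN"),
        ({"proto": "icmp"}, "ICMP_IN"),
        ({}, "RETURN"),
    ],
    "TCP_IN": [({"proto": "tcp", "dport": 80}, "ACCEPT"), ({}, "RETURN")],
    # Chains the post creates with -N but shows no rules for.
    "P1_OUT": [], "UDP_IN": [], "ICMP_IN": [],
}
TERMINAL = {"ACCEPT", "DROP"}

def walk(chain, pkt, trace):
    """Return a verdict, or None when control goes back to the calling chain."""
    for idx, (match, target) in enumerate(RULES[chain], 1):
        if any(pkt.get(k) != v for k, v in match.items()):
            continue                      # rule does not match this packet
        trace.append(f"{chain}#{idx} -> {target}")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target == "LOG":               # non-terminating: keep evaluating
            continue
        verdict = walk(target, pkt, trace)  # jump into a user-defined chain
        if verdict:
            return verdict
    return None                           # end of chain behaves like RETURN

def forward(pkt):
    trace = []
    # A built-in chain falls back to its policy; ACCEPT is assumed here.
    verdict = walk("FORWARD", pkt, trace) or "ACCEPT"
    return verdict, trace

# Constructed sample packets: TCP to P1 on port 22, then on port 80.
print(forward({"dst": "IP_OF_P1", "proto": "tcp", "dport": 22}))
print(forward({"dst": "IP_OF_P1", "proto": "tcp", "dport": 80}))
```

Each trace entry is the chain, the rule's position in that chain, and the target it selected.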