Re: travelling the tables and chains...

On Sun, Apr 03, 2005 at 11:25:42PM -0300, Guido Lorenzutti wrote:
> Hi people, I would like to clean up my firewall script by creating new 
> chains in the filter table. Like this:
> 
> iptables -N FORWARD_WAN_TO_LAN
> 
> Then, call the traffic in the FORWARD chain:
> 
> iptables -A FORWARD -i $WAN -o $LAN -j FORWARD_WAN_TO_LAN
> 
> Now how can I discriminate the DNATed packets from that rule? It's OK if 
> I MARK them in the PREROUTING chain and create a rule BEFORE in the 
> FORWARD chain to check if the packet is MARKed, then -j DNATED_WAN_TO_LAN?
> 
> Any better ideas?

MARK-ing is a pretty decent general-purpose way of keeping track of
where a packet has been.  In your case--if you need to find all DNAT-ed
packets, you could use the more specialized:

  "-m conntrack --ctstate DNAT"

to match a DNAT-ed packet.

-- 
"Baby needs to suck ash. Baby needs to suck ash. Not ass, you pervert. 
 Save it for the interns."
	--Family Guy
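The layout the thread converges on, written out as an added example (it is not code from either poster): the FORWARD chain is split into per-direction user chains, and the rule that diverts DNAT-ed traffic into its own chain is placed before the generic jump, using the conntrack match from the reply instead of a MARK set in PREROUTING. Interface names, the internal host and the port-forwarded service are constructed assumptions; the script only generates the rule list, so it can be reviewed before `apply_rules` hands it to a live firewall.

```shell
#!/bin/sh
# Added example, not from the original thread.  Interface names, the
# internal host and the forwarded port are assumptions for illustration.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
DNAT_TARGET=${DNAT_TARGET:-192.168.1.10}   # internal host the port forward points at
IPT=${IPT:-iptables}

# Print the rule set, one iptables invocation per line, without running it.
# The DNAT-state rule sits before the catch-all jump in FORWARD, so packets
# whose destination was rewritten in nat/PREROUTING never reach
# FORWARD_WAN_TO_LAN; everything else from WAN to LAN still does.
emit_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $DNAT_TARGET:80
$IPT -N FORWARD_WAN_TO_LAN
$IPT -N DNATED_WAN_TO_LAN
$IPT -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate DNAT -j DNATED_WAN_TO_LAN
$IPT -A FORWARD -i $WAN -o $LAN -j FORWARD_WAN_TO_LAN
$IPT -A DNATED_WAN_TO_LAN -d $DNAT_TARGET -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPT -A DNATED_WAN_TO_LAN -j DROP
$IPT -A FORWARD_WAN_TO_LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_WAN_TO_LAN -j DROP
EOF
}

# Feed the generated lines to a shell that stops on the first failing command.
# Needs root and a kernel with the conntrack match; not run by default.
apply_rules() {
    emit_rules | sh -e
}

# Sanity check: exactly one FORWARD rule should select on the DNAT state.
count_dnat_rules() {
    emit_rules | grep -c -- '--ctstate DNAT'
}
```

Run `emit_rules` to inspect the list, then `apply_rules` on the firewall. The `--ctstate DNAT` match works in FORWARD because nat/PREROUTING has already rewritten the destination by then and conntrack records that the connection was DNAT-ed, so no MARK has to be carried across tables. Only the per-direction chain for DNAT-ed traffic accepts new connections, and only to the forwarded host and port; the plain WAN-to-LAN chain accepts replies to established flows and drops the rest.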
