Apologies if this question has been asked many times before.

I want to set up SNAT on my firewall, and I want to block incoming packets that have destination addresses that actually exist on the LAN. That is, I want to accept incoming packets only if they are part of an SNAT connection, not if they are addressed directly to one of the local computers.

Adding a rule to the FORWARD chain in the filter table won't work, because at that point the destination address has already been converted to the destination computer's actual address (hence there's no way to tell which packets should be dropped).

Would a rule in the PREROUTING chain of the mangle table work? If not, what should I do to detect and drop the packets I don't want?

Thanks,
Alan Stern
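The policy the question describes, written out as an added example that is not part of the original post or of any reply to it: what distinguishes a de-NATed reply from a packet sent straight to a LAN host in FORWARD is not the destination address but the connection-tracking state, so the check is an `-m conntrack` match in the filter FORWARD chain rather than anything in mangle PREROUTING. The interface names eth0 (WAN) and eth1 (LAN), the prefix 192.168.1.0/24 and the script name are assumptions for the example; `IPTABLES` can be pointed at `echo` to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the poster's configuration: forward only traffic that
# belongs to a connection the firewall SNATed on behalf of the LAN.
# Assumed (hypothetical) values: WAN interface eth0, LAN interface eth1,
# LAN prefix 192.168.1.0/24. Override any of them from the environment.
# Set IPTABLES=echo to dry-run and see the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_rules() {
    # Outbound SNAT: LAN traffic leaving via the WAN gets the WAN address.
    "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Nothing is forwarded unless an explicit rule below allows it.
    "$IPTABLES" -P FORWARD DROP

    # Packets that fit no tracked connection are never forwarded.
    "$IPTABLES" -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # LAN -> WAN: the LAN may open new connections.
    "$IPTABLES" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # WAN -> LAN: by the time a reply reaches FORWARD its destination has
    # already been rewritten back to the LAN host, but conntrack still knows
    # the packet belongs to a connection the LAN opened. That state, not the
    # address, is the test: ESTABLISHED/RELATED is accepted, anything from
    # the WAN that starts a NEW connection to a LAN address is logged and
    # dropped (the policy would drop it anyway; the log makes it visible).
    "$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$WAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate NEW -m limit --limit 5/min \
        -j LOG --log-prefix "FWD-DROP-DIRECT: "
    "$IPTABLES" -A FORWARD -i "$WAN_IF" -d "$LAN_NET" -j DROP
}

# Only apply when invoked with APPLY=1 (needs root); sourcing the file just
# defines apply_rules so it can be dry-run with IPTABLES=echo.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
fi
```

Dry-run with `IPTABLES=echo APPLY=1 sh snat-forward.sh` to review the rules before loading them with `APPLY=1 sh snat-forward.sh` as root. One caveat worth checking on a real firewall: a packet from the WAN addressed directly to a LAN host only reaches FORWARD at all if the LAN prefix is routable from outside, so with RFC 1918 addresses this rule is mostly a safety net; it does real work when the LAN uses public addresses behind the SNAT box.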