Yeah, I figured that out while iteratively trying to get this to work. I guess I was using that command as more of a pseudocommand in the context of this email. I've tried putting *roughly* the same rule into filter:OUTPUT filter:FORWARD and nat:PREROUTING and each time I either got a complaint from iptables or when I tried to modify the rule to "fit" into the above mentioned chains it never worked (matched any packets). Do I have to bounce this packet from one table to another to get this to work?

>iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 10000:11000 -j REJECT --reject-with icmp-host-unreachable
>
>The above command returns with "Invalid Argument".

REJECT is to be used in -t filter.

Jan Engelhardt
--
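
Added example, not part of the thread: a small shell lint for two placement constraints relevant to the rule above, namely that REJECT is accepted only in the filter table and that iptables refuses -i in the OUTPUT and POSTROUTING chains. check_rule is a hypothetical helper, and the sample rules are constructed from the command quoted in the thread.

```sh
#!/bin/sh
# check_rule is a hypothetical helper (added example, not from the thread).
# It reads iptables arguments and reports whether the rule can be placed.
check_rule() {
    table=filter chain='' target='' in_if=''   # filter is the default table
    while [ $# -gt 0 ]; do
        case $1 in
            -t|--table)              table=${2-};  [ $# -ge 2 ] && shift ;;
            -A|--append|-I|--insert) chain=${2-};  [ $# -ge 2 ] && shift ;;
            -j|--jump)               target=${2-}; [ $# -ge 2 ] && shift ;;
            -i|--in-interface)       in_if=${2-};  [ $# -ge 2 ] && shift ;;
        esac
        shift
    done
    # The REJECT target is registered for the filter table only.
    if [ "$target" = REJECT ] && [ "$table" != filter ]; then
        echo "REJECT is only valid in -t filter, not -t $table"
        return 1
    fi
    # Locally generated and outgoing packets have no input interface.
    if [ -n "$in_if" ]; then
        case $chain in
            OUTPUT|POSTROUTING)
                echo "-i cannot be used in the $chain chain"
                return 1 ;;
        esac
    fi
    echo ok
}

# Constructed sample rules based on the command in the thread.
# In the filter table, INPUT sees traffic addressed to this host and
# FORWARD sees traffic routed through it.
for rule in \
    "-t nat -A PREROUTING -i eth2 -p tcp --dport 10000:11000 -j REJECT --reject-with icmp-host-unreachable" \
    "-A OUTPUT -i eth2 -p tcp --dport 10000:11000 -j REJECT --reject-with icmp-host-unreachable" \
    "-A FORWARD -i eth2 -p tcp --dport 10000:11000 -j REJECT --reject-with icmp-host-unreachable"
do
    # Word splitting of $rule is intended: each word is one argument.
    printf '%s\n  -> %s\n' "iptables $rule" "$(check_rule $rule || true)"
done
```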