Hi!

> Mangle table postrouting chain is an appropriate place. Filtering would
> take place before nat table postrouting chain (nat table is consulted
> only for the first packet of the flow).

I know that, but I want to hook my rules _after_ the nat table postrouting
chain. (I want to catch packets with private source address which are not
NATed due to misconfiguration of my complex NAT setup.)

				Have a nice fortnight
-- 
Martin `MJ' Mares <mj@xxxxxx> http://mj.ucw.cz/
Faculty of Math and Physics, Charles University, Prague, Czech Rep., Earth
"Oh no, not again!" -- The bowl of petunias
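
Added example, not part of the original message or of any reply in the thread: one way to express the check described above with nftables rather than the iptables tables the thread discusses. It relies on the fact that source NAT is registered on the postrouting hook at priority 100, so a filter chain on the same hook with a higher priority number sees the packet with its final source address. The table name, chain name and the interface name "wan0" are assumptions made for this sketch.

```nftables
# Constructed ruleset: catch packets that leave the external interface
# still carrying an RFC 1918 source address, i.e. flows the NAT rules missed.
table ip natleak {
    chain post_nat {
        # Source NAT runs on this hook at priority 100; 101 runs after it,
        # so "ip saddr" below is the address that will go on the wire.
        type filter hook postrouting priority 101; policy accept;

        # "wan0" is an assumed name for the Internet-facing interface.
        oifname "wan0" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
            counter log prefix "unNATed private src: " drop
    }
}
```

Loaded with `nft -f`, the counter and log lines identify which internal sources escape translation; remove the `drop` verdict to observe without blocking.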