Hi,

> I know that, but I want to hook my rules _after_ the nat table
> postrouting chain. (I want to catch packets with private source address
> which are not NATed due to misconfiguration of my complex NAT setup.)

Some time ago you could simply add a DROP at the end of the nat postrouting chain, but this option is off the table.

You can add a rule connmarking traffic to 0x10 at the end of the nat postrouting chain and drop everything with that connmark in the filter forward chain. The first packet of the filtered flows would get through, but everything else would be axed.

Best regards,
Marek Kierdelewicz
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
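The connmark workaround from the reply above, written out as an added example (not the poster's own rules): an iptables-restore fragment that flags flows still carrying a private source at the tail of nat/POSTROUTING and drops (and logs) them in filter/FORWARD. The WAN interface name, the RFC1918 source list, the 0x10/0x10 mark and the LOG line are assumptions, not from the post.

```shell
#!/bin/sh
# Added example for the netfilter thread above. Assumed values (not in the post):
WAN_IF="${WAN_IF:-eth0}"                                  # egress interface
MARK="0x10/0x10"                                          # connmark bit meaning "left un-NATed"
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # RFC1918 sources we expect to be SNATed

# Rules appended at the very end of nat/POSTROUTING. A packet that still has a
# private source here was missed by every SNAT/MASQUERADE rule above it, so
# the whole connection gets the mark (conntrack carries it to replies too).
nat_rules() {
    for net in $PRIVATE_NETS; do
        echo "-A POSTROUTING -o $WAN_IF -s $net -j CONNMARK --set-xmark $MARK"
    done
}

# filter/FORWARD: log, then drop, every packet of a marked flow.
# Caveat from the post: for the first packet FORWARD runs before nat/POSTROUTING,
# so that one packet leaves un-NATed; every later packet of the flow is dropped.
filter_rules() {
    echo "-A FORWARD -m connmark --mark $MARK -j LOG --log-prefix \"unnated-leak: \""
    echo "-A FORWARD -m connmark --mark $MARK -j DROP"
}

# Emit the two tables as an iptables-restore fragment (loaded with -n so
# existing rules are kept and ours are appended after them).
render() {
    echo "*nat";    nat_rules;    echo "COMMIT"
    echo "*filter"; filter_rules; echo "COMMIT"
}

count_rules() { render | grep -c '^-A'; }   # 3 nat + 2 filter rules

if [ "${1:-}" = "apply" ]; then
    render | iptables-restore -n             # needs root; -n = --noflush
else
    render                                   # dry run: print the fragment
fi
```

Run without arguments to review the generated fragment; `sh script.sh apply` loads it without flushing the existing ruleset.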