travelling the tables and chains...

Grant Taylor gtaylor at
Mon Apr 4 05:30:08 CEST 2005

If I understand you correctly, you are wanting traffic that is not DNATed to pass through your FORWARD_WAN_TO_LAN chain?  If that is the case you should try something like this:

iptables -A FORWARD -i $WAN -o $LAN -m state --state INVALID,NEW,UNTRACKED -j FORWARD_WAN_TO_LAN
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

This should cause all traffic (if I understand correctly) that is not recognized by DNAT... (as I type this I'm thinking SNAT, but DNAT *may* behave the same way too) be send to the FORWARD_WAN_TO_LAN and any traffic that is recognized by DNAT to be plainly ACCEPTED.

Does any one else have any comments on this?

Grant. . . .

Guido Lorenzutti wrote:
> Hi people, i would like to clean up my firewall script by creating new 
> chains in the filter table. Like this:
> iptables -N FORWARD_WAN_TO_LAN
> Then, call the traffic in the FORWARD chain:
> iptables -A FORWARD -i $WAN -o $LAN -j FORWARD_WAN_TO_LAN
> Now how can i discriminate the DNATed packets from that rule? It's OK if 
> i MARK them in the PREROUTING chain and create a rule BEFORE in the 
> FORWARD chain to check if the packet im MARKed then -j DNATED_WAN_TO_LAN?
> Any better ideas?

More information about the netfilter mailing list