travelling the tables and chains...

Jason Opperisano opie at
Tue Apr 5 06:28:28 CEST 2005

On Sun, Apr 03, 2005 at 11:25:42PM -0300, Guido Lorenzutti wrote:
> Hi people, i would like to clean up my firewall script by creating new 
> chains in the filter table. Like this:
> iptables -N FORWARD_WAN_TO_LAN
> Then, call the traffic in the FORWARD chain:
> iptables -A FORWARD -i $WAN -o $LAN -j FORWARD_WAN_TO_LAN
> Now how can i discriminate the DNATed packets from that rule? It's OK if 
> i MARK them in the PREROUTING chain and create a rule BEFORE in the 
> FORWARD chain to check if the packet im MARKed then -j DNATED_WAN_TO_LAN?
> Any better ideas?

MARK-ing is a pretty decent general-purpose way of keeping track of
where a packet has been.  in your case--if you need to find all DNAT-ed
packets, you could use the more specialized:

  "-m conntrack --ctstate DNAT"

to match a DNAT-ed packet.

"Baby needs to suck ash. Baby needs to suck ash. Not ass, you pervert. 
 Save it for the interns."
	--Family Guy

More information about the netfilter mailing list