travelling the tables and chains...
opie at 817west.com
Tue Apr 5 06:28:28 CEST 2005
On Sun, Apr 03, 2005 at 11:25:42PM -0300, Guido Lorenzutti wrote:
> Hi people, i would like to clean up my firewall script by creating new
> chains in the filter table. Like this:
> iptables -N FORWARD_WAN_TO_LAN
> Then, call the traffic in the FORWARD chain:
> iptables -A FORWARD -i $WAN -o $LAN -j FORWARD_WAN_TO_LAN
> Now how can i discriminate the DNATed packets from that rule? It's OK if
> i MARK them in the PREROUTING chain and create a rule BEFORE in the
> FORWARD chain to check if the packet im MARKed then -j DNATED_WAN_TO_LAN?
> Any better ideas?
MARK-ing is a pretty decent general-purpose way of keeping track of
where a packet has been. in your case--if you need to find all DNAT-ed
packets, you could use the more specialized:
"-m conntrack --ctstate DNAT"
to match a DNAT-ed packet.
"Baby needs to suck ash. Baby needs to suck ash. Not ass, you pervert.
Save it for the interns."
More information about the netfilter