search for: ip_extern

...n and this way the packets change their source and are not allowed to pass FORWARD that is restricted to only 7 IPs. I use this rules to forward the port: iptables -t nat -A PREROUTING -p tcp --dport <port> -i <external NIC> -j DNAT --to <ip_intern>:<port> -d <ip_extern> iptables -t nat -A PREROUTING -p udp --dport <port> -i <external NIC> -j DNAT --to <ip_intern>:<port> -d <ip_extern> and this on the FORWARD chain that has a default policy to DROP iptables -A FORWARD -i <internal NIC> -s 192.168.1.1 -m mac --mac-source xx-x...

...ook input priority 0; policy drop;} chain output {type filter hook output priority 0; policy drop;} } chain input { type filter hook input priority filter; policy drop; iifname "lo" accept ct state established,related accept ct state new ip daddr $ip_external tcp sport 1024-65535 tcp dport { 22, 80, 443, 8080 } accept } there is more rules but this is for simplicity. I am trying to achieve a redirect of blocked IPs/CIDR to port 8080. If I understand correctly "nat prerouting" is before routing decision and thus before "filter input&qu...