search for: ip_external

Hy lartc members, I only ACCEPT 7 IP''s in FORWARD chain, filtering by IP and MAC. Everything worked fine until i needed to forward ports. The problem is that the nat PREROUTING chain is traversed before the filter FORWARD chain and this way the packets change their source and are not allowed to pass FORWARD that is restricted to only 7 IPs. I use this rules to

...ook input priority 0; policy drop;} chain output {type filter hook output priority 0; policy drop;} } chain input { type filter hook input priority filter; policy drop; iifname "lo" accept ct state established,related accept ct state new ip daddr $ip_external tcp sport 1024-65535 tcp dport { 22, 80, 443, 8080 } accept } there is more rules but this is for simplicity. I am trying to achieve a redirect of blocked IPs/CIDR to port 8080. If I understand correctly "nat prerouting" is before routing decision and thus before "filter input&quot...