The PREROUTING/POSTROUTING chains exist for manipulating packets, not for filtering purposes. You cannot use the 'nat' table for filtering. This table only receives the first packet of any new connection. The 'nat' table is specifically designed for NAT rules, nothing else.

There is also a PREROUTING chain in the 'mangle' table. This is intended for setting nfmark values and similar things, not really filtering. But theoretically you can do filtering there if you like.

Officially, filtering should be done in the FORWARD/INPUT/OUTPUT chains of the 'filter' table: FORWARD for bridged packets, INPUT for packets addressed to the bridge itself and OUTPUT for packets sent from the bridge itself.

Until NAT is fully working in bridging, the PREROUTING/POSTROUTING chains are of quite limited use. Just stick to FORWARD for bridge filtering rules and you should be set. When NAT is working, then PREROUTING/POSTROUTING of the 'nat' table will become quite important for managing NAT rules, as outlined in the netfilter HOWTO.

There should be no difference between routing or bridging in how you implement netfilter rulesets.

-- 
Henrik Nordstrom
MARA Systems AB
Sweden

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
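As an added illustration of the point above (this is example code, not part of the original message or of the bridge project), the following linter reads a ruleset in iptables-save format and flags DROP/REJECT rules placed outside the 'filter' table: in 'nat' they are an error, because that table only sees the first packet of a connection, and in 'mangle' a warning, because filtering works there but is not what the table is meant for. The sample ruleset is constructed for the example.

```python
# Constructed sample in iptables-save format (not from the original message).
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.0/8 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
-A PREROUTING -p udp --dport 53 -j DROP
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m physdev --physdev-in eth1 -p tcp --dport 22 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

# Targets that perform filtering rather than packet manipulation.
FILTER_TARGETS = {"DROP", "REJECT"}


def lint_ruleset(text):
    """Return (table, chain, rule, severity) tuples for every filtering
    rule that lives outside the 'filter' table."""
    findings = []
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*mangle", "*filter"
            table = line[1:]
            continue
        if not line.startswith("-A "):    # only rule-append lines matter
            continue
        parts = line.split()
        chain = parts[1]
        # The jump target follows "-j"; rules without "-j" have no target.
        target = parts[parts.index("-j") + 1] if "-j" in parts else None
        if target in FILTER_TARGETS and table != "filter":
            # nat only sees the first packet of a connection: filtering
            # there is broken, not merely unusual.
            severity = "error" if table == "nat" else "warning"
            findings.append((table, chain, line, severity))
    return findings


if __name__ == "__main__":
    for table, chain, rule, sev in lint_ruleset(SAMPLE_RULESET):
        print(f"{sev}: {table}/{chain}: {rule}")
```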
