How I do it is that I have a piece of software that generates my entire ruleset according to set criteria. Every time there is a change the entire ruleset is regenerated and then installed by iptables-restore in one atomic operation (well, one atomic operation per table.. would be nice if there were atomic operations for modifying all the tables to ensure an always consistent state between nat/filter/mangle..)
If your criteria are simply "to get the packet through no matter what", then inserting the needed rules at the top of the relevant iptables chains is sufficient. If your criteria are more complex then full understanding of your ruleset is most likely required. In fact, even for the simple case, full understanding of your ruleset is most likely required due to the split stages of netfilter and iptables.. (DNAT, filter, SNAT)

Regards
Henrik

On Monday 20 May 2002 19:20, Glover George wrote:
> I understand this. Maybe there's a better way to do what I'm
> trying to do. I simply have a port forward I want to add, but I
> want a piece of software to be able to know where to place that
> rule and ensure that the packet will get through. Come to think of
> it, I know it may scare people, but if my intent is to get the
> packet through no matter what, then adding it at rule 1
> (considering the fact that the rule will always have a tcp ip/port
> pair to a tcp/ip port pair, or udp ip/port pair to udp ip/port
> pair), then it should always get through. I'm specifying protocol
> and ip/port pairs, so there's not a lot that I should be worried
> about other than malformed packets, but then the kernel deals with
> that right?
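The regenerate-and-restore approach Henrik describes, as an added example that is not from the original thread: a shell script that builds the complete ruleset for a list of port forwards and hands it to iptables-restore, showing that each forward needs both a nat PREROUTING DNAT rule and a filter FORWARD accept rule (the split stages mentioned above). The interface name, addresses and ports are constructed placeholders.

```shell
#!/bin/sh
# Regenerate the whole iptables ruleset from a forward list and load it
# with iptables-restore, which replaces each table in one step.
WAN_IF="eth0"   # assumed external interface (placeholder)

# Constructed sample: one "proto:public_port:internal_ip:internal_port" per line.
FORWARDS='tcp:8080:192.168.1.10:80
udp:5060:192.168.1.20:5060'

# Emit the full ruleset in iptables-save format. DNAT happens in the nat
# table at PREROUTING; the rewritten packet is then filtered in FORWARD,
# so the forward must be allowed there too, matched on the internal address.
generate_ruleset() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s\n' "$FORWARDS" | while IFS=: read -r proto pport ip iport; do
        [ -n "$proto" ] || continue
        printf '%s\n' "-A PREROUTING -i $WAN_IF -p $proto --dport $pport -j DNAT --to-destination $ip:$iport"
    done
    printf 'COMMIT\n*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # Reply traffic for already accepted connections.
    printf '%s\n' "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$FORWARDS" | while IFS=: read -r proto pport ip iport; do
        [ -n "$proto" ] || continue
        printf '%s\n' "-A FORWARD -i $WAN_IF -p $proto -d $ip --dport $iport -m state --state NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Install the generated ruleset; the ordering of rules is fixed by the
# generator, so no rule has to be inserted at "position 1" by hand.
apply_ruleset() {
    generate_ruleset | iptables-restore
}
```

Run `generate_ruleset` alone to inspect the output before calling `apply_ruleset` as root.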