So when does tagging happen? Is it before NAT? If so, then is the idea to tag it on the way out and block based on tag on the way back in?
--As for the rest, it is mine.
Tagging can be done at any time, on any rule. The idea in your case is to tag the 192.168.100.130 box's packets when it is NATed and then filter on the tag. This does mean you need to NAT it separately, but putting a rule to NAT just it (and tag it) just before your general NAT rule should be fine.
Daniel T. Staal
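As an added example of the layout Daniel describes (this is not a ruleset from the thread), here is a pf.conf fragment in the pre-OpenBSD-4.7 syntax, where nat rules are separate from filter rules and accept tag. The interface names, the internal network and the policy applied to the tagged host (web traffic only) are assumptions; the host address is the one from the thread.

```pf
# Added example, not from the thread. Interface names and the web-only policy
# are assumptions; only 192.168.100.130 comes from the original question.
ext_if = "fxp0"
int_if = "fxp1"
restricted_host = "192.168.100.130"

# Translation rules are first-match, so the specific rule has to sit before the
# general one or the host would never be tagged. The tag is attached to the
# packet as it is NATed and is also recorded in the state entry, so the rest of
# the connection carries it too.
nat on $ext_if from $restricted_host to any tag RESTRICTED -> ($ext_if)
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Filter rules are last-match. The general pass out lets the LAN through, the
# block catches everything tagged RESTRICTED, and the final pass re-opens only
# what the tagged host is allowed to do. The filter rules see the translated
# source address, hence ($ext_if) rather than the internal address.
block log all
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if from ($ext_if) to any keep state
block out log on $ext_if tagged RESTRICTED
pass out on $ext_if proto tcp from ($ext_if) to any port { 80 443 } tagged RESTRICTED keep state
```

Check the syntax and rule order with `pfctl -nf /etc/pf.conf` and `pfctl -vsr` before loading. On OpenBSD 4.7 and later, where nat became an option on match rules, the same idea is `match out on $ext_if from $restricted_host nat-to ($ext_if) tag RESTRICTED` placed before the general `match ... nat-to` rule, with the tagged filter rules unchanged.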
--------------------------------------------------------------- This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law. ---------------------------------------------------------------
