Not able to block a port traffic if DNAT on same port is present

I discovered a problem with the way rules are managed in IPFire.
If I have a DNAT rule to get port 14000, from any, forwarded to an internal port to a specific IP, this rule gets added to NAT_DESTINATION under nat table of iptables. Now if I want to block certain source to that port, whatever way there is to declare it, even if put as a rule higher than the other one, it will be put in INPUTFW or FORWARDFW chain under filter table, which gets evaluated after the nat table, therefore it is not possible to filter packets before they get natted!
The drop should be inside another chain or the table mangle. For the time being I added lines in firewall.local to add the drop in the mangle table.
I think this should be addressed by IPFire and the rule GUI revised, so that a rule with no nat can be executed before the nat table. Is there a better way to report this to the IPFire development team than here?
Best regards.
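The workaround described above (a DROP in the mangle table, applied from firewall.local), written out as an added example; this is not the poster's own script or IPFire code, and the RED interface name red0, the blocked source address and the start/stop/reload layout of firewall.local are assumptions:

```shell
#!/bin/sh
# /etc/sysconfig/firewall.local fragment (added example, not from the post or
# from IPFire). iptables traverses mangle PREROUTING before nat PREROUTING,
# so a DROP placed there matches the original destination port and discards
# the packet before the DNAT rule in the nat table ever sees it.
WAN_IF="${WAN_IF:-red0}"                    # assumed: IPFire RED interface
DNAT_PORT="${DNAT_PORT:-14000}"             # the forwarded port from the post
BLOCKED_SRC="${BLOCKED_SRC:-203.0.113.7}"   # constructed example source
IPTABLES="${IPTABLES:-iptables}"

# Print the command instead of running it when DRY_RUN=1 (inspection/tests).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Rule spec, chain first: match the pre-translation port on the WAN side.
block_rule_args() {
    echo "PREROUTING -i $WAN_IF -p tcp --dport $DNAT_PORT -s $BLOCKED_SRC -j DROP"
}

# $1 is -I (insert at the top of the chain) or -D (delete the same rule).
apply_block() {
    # shellcheck disable=SC2046  # word splitting of the spec is intended
    run "$IPTABLES" -t mangle "$1" $(block_rule_args)
}

case "${1:-}" in
    start)  apply_block -I ;;
    stop)   apply_block -D ;;
    reload) apply_block -D; apply_block -I ;;
esac
```

After `start`, `iptables -t mangle -L PREROUTING -n --line-numbers` should show the DROP at the top of the chain; the rule only matches the forwarded port on the WAN interface, so the source's other traffic is unaffected.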


First, thanks for posting. :slight_smile:

Second: Yes, the Bugzilla is where we keep track of our bugs.
Your login credentials work there as well - would you mind
opening up a bug in there?

Further information is available at

In case of questions, please drop me a line.

Thanks, and best regards,
Peter Müller