Is there a way that I can test whether or not a given packet will succeed through the forward chain, without actually passing the packet through? Here's why I ask, and maybe you can help.
The application, the upnp server, adds a portmapping in the prerouting chain and may possibly need to put an ACCEPT statement in the FORWARD chain if they have a default policy of DROP or REJECT. They may not even have that, but they may have some other rules that do not allow it to pass through the forward chain. So what I'm looking at then, is it ok for me to just always insert requested portmapping at rule 0? If they are always at the top, then nothing else in the chain should be able to block them. Now I know people are going to say "that's insecure as hell, and that's bypassing the sysadmin's rules", but no, the sysadmin is the one setting it up! I want to absolutely guarantee that the packet is going to get through without having to deal with any other rules they may have in their PREROUTING or FORWARD chains. I mean, the rules I am going to add are an ip/port to an ip/port, which can only be done if the config file for the UPnP server allows those ip/port combinations in the first place. Would it even be to my advantage to try to insert the rules anywhere else other than the top? If so, I'd need to be able to test where I'm placing the rule to make sure it is going to succeed. I think this would be a useful feature for automated tools too, so they could cut down on their rules logic. Any ideas?
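The dry run the post asks for can be approximated offline by replaying first-match semantics over a saved FORWARD chain. The script below is an added example, not code from the poster or from any UPnP daemon: it parses a small subset of iptables-save syntax (`-p`, `-s`, `-d`, `--dport`, `-i`, `-o`, `-m conntrack --ctstate`, `-j`) and refuses anything else so it never silently mis-evaluates, then shows why inserting at position 1 (iptables numbers rule positions from 1; `-I FORWARD` with no index means position 1) gives a verdict no later rule can override, while appending lets an earlier REJECT win. The chain, addresses and interface names are constructed sample data. Note that the FORWARD chain sees the packet after PREROUTING DNAT, so the mapping rule must match the internal destination, not the public one.

```python
"""Dry-run evaluator for a simplified iptables FORWARD chain (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Set

@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str                   # post-DNAT destination, as the FORWARD chain sees it
    dport: int
    in_if: str = "eth0"        # constructed: eth0 = WAN, eth1 = LAN
    out_if: str = "eth1"
    ctstate: str = "NEW"

@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[Tuple[int, int]] = None   # inclusive range
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    ctstates: Optional[Set[str]] = None

    def matches(self, p: Packet) -> bool:
        """Every specified match must hold; unspecified matches are wildcards."""
        if self.proto and self.proto != p.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.in_if and self.in_if != p.in_if:
            return False
        if self.out_if and self.out_if != p.out_if:
            return False
        if self.ctstates and p.ctstate not in self.ctstates:
            return False
        return True

def parse_rule(line: str) -> Rule:
    """Parse one '-A FORWARD ...' line; unsupported options raise instead of being ignored."""
    tokens = line.split()
    if tokens[:2] != ["-A", "FORWARD"]:
        raise ValueError(f"not a FORWARD rule: {line}")
    kw = {}
    i = 2
    while i < len(tokens):
        opt, val = tokens[i], tokens[i + 1]
        if opt == "-p":
            kw["proto"] = val
        elif opt == "-s":
            kw["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-d":
            kw["dst"] = ipaddress.ip_network(val, strict=False)
        elif opt == "--dport":
            lo, _, hi = val.partition(":")
            kw["dport"] = (int(lo), int(hi or lo))
        elif opt == "-i":
            kw["in_if"] = val
        elif opt == "-o":
            kw["out_if"] = val
        elif opt == "--ctstate":
            kw["ctstates"] = set(val.split(","))
        elif opt == "-j":
            kw["target"] = val
        elif opt == "-m":
            pass  # match-extension loader (tcp, conntrack); its options are handled above
        else:
            raise ValueError(f"unsupported option {opt} in: {line}")
        i += 2
    return Rule(**kw)

def parse_chain(text: str):
    """Return (default policy, rules) for the FORWARD chain from iptables-save style text."""
    policy, rules = "ACCEPT", []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = re.match(r":FORWARD\s+(\S+)", line)
        if m:
            policy = m.group(1)
        elif line.startswith("-A FORWARD"):
            rules.append(parse_rule(line))
    return policy, rules

def evaluate(policy, rules, pkt):
    """First-match semantics: (verdict, 1-based index of the deciding rule, or None for the policy)."""
    for idx, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.target, idx
    return policy, None

def insert(rules, rule, position=1):
    """Mirror 'iptables -I FORWARD <position>'; positions are 1-based."""
    if position < 1 or position > len(rules) + 1:
        raise IndexError("position out of range")
    rules.insert(position - 1, rule)
    return rules

# Constructed sample chain: DROP policy plus an admin REJECT that would beat an appended mapping.
SAMPLE_CHAIN = """
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -p tcp -d 192.168.1.50 --dport 8080 -j REJECT
"""
# The mapping the UPnP server wants to allow and the inbound packet it should admit (constructed).
MAPPING = parse_rule("-A FORWARD -p tcp -d 192.168.1.50 --dport 8080 -m conntrack --ctstate NEW -j ACCEPT")
INBOUND = Packet("tcp", "203.0.113.7", "192.168.1.50", 8080)

def demo():
    policy, rules = parse_chain(SAMPLE_CHAIN)
    before = evaluate(policy, rules, INBOUND)                                   # ("REJECT", 3)
    appended = evaluate(policy, insert(list(rules), MAPPING, len(rules) + 1), INBOUND)  # still ("REJECT", 3)
    at_top = evaluate(policy, insert(list(rules), MAPPING, 1), INBOUND)         # ("ACCEPT", 1)
    return before, appended, at_top

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the three verdicts: the untouched chain rejects the packet at rule 3, appending the mapping changes nothing because rule 3 still matches first, and inserting at position 1 yields ACCEPT from rule 1. The same evaluator run over the real `iptables-save` output (with the subset extended as needed) is a cheap pre-flight check before touching the live ruleset.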
