The iptables-utils package is a fantastic piece of software. It allows me to manage remote firewalls with confidence.

Recently, I had to set up a firewall for an ADSL-connected site, where they use the MASQUERADE target. They also want a few ports forwarded to specific hosts on the internal network.

I want my ppp linkup script (/etc/ppp/ip-up in Gentoo Linux) to generate iptables.conf.var, adding a line like this:

    #define MY_ADDR 196.31.31.10

Then I want iptables-gen to regenerate the ruleset, given rules like this in iptables.conf.in:

    -A PREROUTING -p tcp \
        -d MY_ADDR --dport 2222 -j DNAT --to-destination 10.0.0.2:22
    -A POSTROUTING -p tcp \
        -s 10.0.0.2 --sport 22 -j SNAT --to-source MY_ADDR:2222

However, the current implementation of iptables-gen (in iptables-utils-1.20) only substitutes defined variables that are immediately followed by whitespace or end of line. It doesn't substitute defined variables that are immediately followed by a colon (:).

Therefore, I propose the attached patch to iptables-gen.in, which includes the colon (:) as a legal delimiter for defined variables.

Ciao,
Sheldon.
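
The delimiter behaviour described in the message above, as an added illustration that is not part of the original message and is not iptables-gen's own code: a Python sketch of #define substitution with and without the colon as a delimiter, plus a check for names left unexpanded before a generated ruleset is loaded. The function names, the left-boundary rule and the MY_ADDR_BACKUP sample rule are assumptions made for the example.

```python
import re

# Constructed sample inputs, modelled on the files named in the message.
VAR_FILE = "#define MY_ADDR 196.31.31.10\n"
RULES = """\
-A PREROUTING -p tcp -d MY_ADDR --dport 2222 -j DNAT --to-destination 10.0.0.2:22
-A POSTROUTING -p tcp -s 10.0.0.2 --sport 22 -j SNAT --to-source MY_ADDR:2222
-A INPUT -s MY_ADDR_BACKUP -j ACCEPT
"""

def parse_defines(text):
    """Collect '#define NAME VALUE' lines into a dict."""
    defines = {}
    for line in text.splitlines():
        m = re.match(r"#define\s+(\w+)\s+(\S+)\s*$", line)
        if m:
            defines[m.group(1)] = m.group(2)
    return defines

def substitute(rules, defines, extra_delims=""):
    """Expand NAME when followed by whitespace, end of line, or a character
    in extra_delims. Requiring whitespace or line start on the left is an
    assumption of this sketch."""
    if not defines:
        return rules
    names = "|".join(re.escape(n) for n in sorted(defines, key=len, reverse=True))
    extra = "|[" + re.escape(extra_delims) + "]" if extra_delims else ""
    pattern = re.compile(r"(?<!\S)(" + names + r")(?=\s|$" + extra + ")", re.MULTILINE)
    return pattern.sub(lambda m: defines[m.group(1)], rules)

def unresolved(rules, defines):
    """Defined names that still appear as whole tokens after substitution."""
    return sorted(n for n in defines
                  if re.search(r"(?<!\w)" + re.escape(n) + r"(?!\w)", rules))

if __name__ == "__main__":
    defs = parse_defines(VAR_FILE)
    for label, delims in (("whitespace/EOL only", ""), ("with colon", ":")):
        out = substitute(RULES, defs, delims)
        print("---", label, "| unresolved:", unresolved(out, defs))
        print(out, end="")
```

With whitespace and end of line as the only delimiters, the SNAT rule keeps the literal MY_ADDR:2222 and unresolved() reports it; with the colon added, both NAT rules expand while the longer name MY_ADDR_BACKUP is left untouched.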