--On Friday, December 29, 2017 3:27 PM +0100 Gianluca Cecchi <gianluca.cecchi at gmail.com> wrote: > The "iptables like" rule will be added into the pre-built chain named > FORWARD_direct > The 0 above means it is put at top of FORWARD_direct chain. In your > example appears "3" and it is not clear what are lines 1 and 2. Thanks. That looks right. The "3" was for putting it in the main FORWARD chain before the call the FORWARD_direct. (A quick and dirty hack just to test if that was the rule I needed to make the VPN work.) "0" would be the correct argument for putting it as the first rule in the FORWARD_direct subchain.