@yinxiangyn my idea is still evolving :lol: I think that better way is add accept before rule 10 for tcp 80 port then in prerouting roules 10,11,12,13 will be the same pair of dst adres (and will be in the same mark) now 10,11,12,13 rules creates one group of dst adres pair and 14,15,16,17 creates a...