Well, probably it's just me doing something wrong.

I have following rules set up:
I then go sites like http://ping.eu/ping/ or http://www.grc.com/x/ne.dll?rh1dkyd2 (Gibson research port scan)
and send some traffic that will be dropped (since the websites respond my host does not answer to ping).

However, I can't see the IP of said sites show up in the log. Any idea what might cause this not to work?

best regards,
Jeroen

Alright , I've made some progress. I've determined what part of the config is causing my problem.

I wanted to set a game console as DMZ. The problem with this is, is that my WAN interface has a public IP. This IP is dynamic. So I could not specify a destination address for the dstnat chain:
I specified an interface instead. This resulted in the correct behaviour but unfortunately broke the firewall logging. I've now disabled the rules and this fixed logging. I'm still trying to figure out what all of this means.

That destination NAT rule forwards all new connections established from the WAN to your WAN interface to 192.168.0.5. It does that by changing the destination IP address from your public IP to 192.168.0.5. At that point the destination IP address is no longer an IP on a router interface, so that traffic is traffic through the router, and not to the router. Therefore the packet will be in the forward chain, and not in the input chain.

On a side note, I know SOHO routers call what you did DMZ. That's wrong, in proper networking terms a DMZ is a third network on your router that can access the Internet, but cannot access your LAN. What you did is a simple catch all traffic forward via NAT.

That destination NAT rule forwards all new connections established from the WAN to your WAN interface to 192.168.0.5. It does that by changing the destination IP address from your public IP to 192.168.0.5. At that point the destination IP address is no longer an IP on a router interface, so that traffic is traffic through the router, and not to the router. Therefore the packet will be in the forward chain, and not in the input chain.
.

Very clearly explained. Thank you.

On a side note, I know SOHO routers call what you did DMZ. That's wrong, in proper networking terms a DMZ is a third network on your router that can access the Internet, but cannot access your LAN. What you did is a simple catch all traffic forward via NAT.

[/quote]
I actally knew that one:).

How does a SOHO DMZ forward all possible ports to a single host and still allow other, specific, port forwards to other hosts.
Having a SOHO DMZ host (logically) excludes the possibility of adding any other port forward.
I'm assuming that any port forward to a host that is not the DMZ host, invokes some kind of script that removes the port from the range of ports that is forwarded to the DMZ host.

Anyway, I'm just straying from the subject here. Is it correct that a script changing the NAT rules is the only way of getting this ever changing dynamic IP updated in the NAT table?

NAT rules are processed in order. First make rules that forward specific ports to hosts, then have a rule like you already had but disabled that covers all traffic further below. If traffic comes in for a port that matches a specific rule higher up it gets forwarded to that host, all other traffic falls through to the catch all rule. There is no need for scripts.

in-interface=WAN works fine for your purposes. NAT rules are only ever executed on the first packet of a new connection. All subsequent packets of the connection simply have same action applied to them by merit of connection tracking.

That said, as far as I know - and I may be completely wrong here, while I do have an XBox 360 I don't play online - game consoles have well defined ports, and all games use the same ports, quite unlike PC games. You should be able to only forward the specific traffic required for that platform rather than forward all traffic. Alternatively you could turn on UPnP on the router's LAN interface and on the gaming platform, if it supports it. That way dynamic, specific destination NAT rules will be created. If those turn out to always be the same you could also convert them to static and turn UPnP back off.

I also think firewall logging in combination with drops is overrated. Unless you are actually planning on watching the logs for educational purposes or out of a network management business requirement, what good does logging do you if you're specifically going to drop all traffic that is going to log already? Outbound traffic from well protected systems with well defined traffic patterns are a different story, logging that traffic may let you discover infections/breaches. But the Internet at large is nothing you can do anything about, particularly on a home router.

I'm thinking UPnP is kind of risky. I briefly tried it and couldn'd be bothered to make it work.
You are correct about the XBOX 360 not needing a "full DMZ host", I could simply look up the specific ports it uses.

However, I've puzzled a script together that appears to be working. It's far from perfect as I'm not a gifted programmer. I've pieced it together from the wiki and tweaked it 'till it worked for me. As you can see I'm only changing 1 NAT rule but recoding that for serveral rules can't be hard:). Perhaps it is of use to someone in the future:)

Should I change something for the policy? I can't see what it has to do with the script really:s?

That will work. The policies have to do with what the script can do. Yours should run fine.

However, it really isn't necessary. A NAT rule based on in-interface will work just as well.