Hi,
I want to add iptables rules between existing rules and the rules created
by libvirt (forward type=nat).
I did try the hook
/etc/libvirt/hooks/network network_name start begin -
and
/etc/libvirt/hooks/network network_name started begin -
It seems like the libvirt iptables rules are already inserted when
this hook is executed.
Simply using -I instead of -A does not work either, because the rules should be
inserted between the existing ones and the libvirt rules. Also the custom
rules should be deleted after the hook
/etc/libvirt/hooks/network network_name stopped end -
is executed.
Does a hook exist which is executed after the network is started but before
the libvirt rules are inserted?
Is it possible to use a custom chain for the libvirt iptables rules instead
of directly writing them into the INPUT chain?
I think of something like
INPUT:
  VIRT_VIBR0  all  --  *       virbr0  0.0.0.0/0          0.0.0.0/0
  VIRT_VIBR0  all  --  virbr0  *       0.0.0.0/0          0.0.0.0/0
and VIRT_VIBR0:
  ACCEPT      all  --  *       virbr0  0.0.0.0/0          192.168.122.0/24   state RELATED,ESTABLISHED
  ACCEPT      all  --  virbr0  *       192.168.122.0/24   0.0.0.0/0
  ACCEPT      all  --  virbr0  virbr0  0.0.0.0/0          0.0.0.0/0
  REJECT      all  --  *       virbr0  0.0.0.0/0          0.0.0.0/0          reject-with icmp-port-unreachable
  REJECT      all  --  virbr0  *       0.0.0.0/0          0.0.0.0/0          reject-with icmp-port-unreachable
thanks & regards
dieter
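One way to put custom rules between the pre-existing rules and libvirt's, as an added example that is not from the original post or from libvirt itself: a hypothetical /etc/libvirt/hooks/network script that, at "started" (when libvirt's rules are already present, as described above), locates the first rule referencing the network's bridge and inserts the custom rules at that numbered position with `iptables -I CHAIN n`, then deletes them by specification at "stopped". It assumes the bridge is virbr0, the chain of interest is FORWARD, and the two custom rules are only illustrative (they reject traffic between guests and an assumed 10.0.0.0/8 management network). The position finder also treats a jump to a LIBVIRT_* chain as the start of libvirt's rules, which covers libvirt releases (5.1.0 and later) that keep their rules in chains such as LIBVIRT_FWI, LIBVIRT_FWO and LIBVIRT_FWX instead of writing them directly into INPUT and FORWARD. The sample `iptables -S FORWARD` output embedded in the script is constructed for testing the position finder offline.

```shell
#!/bin/sh
# Added example: hypothetical /etc/libvirt/hooks/network script (not from the
# original post or from libvirt). libvirt invokes it as
#   network <network-name> <operation> <sub-operation> -
# On "started" the custom rules are inserted just before the first rule that
# belongs to libvirt (identified by the bridge interface or a jump to a
# LIBVIRT_* chain); on "stopped" they are deleted again by specification.

BRIDGE="virbr0"      # assumption: bridge of the libvirt NAT network
CHAIN="FORWARD"      # assumption: chain the custom rules belong in

# Illustrative custom rules, one iptables rule specification per line:
# keep guests and an assumed 10.0.0.0/8 management network apart.
CUSTOM_RULES="-i virbr0 -d 10.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-o virbr0 -s 10.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable"

# Constructed sample of "iptables -S FORWARD" output: two pre-existing rules
# followed by the rules libvirt creates for a NAT network. Used only to
# exercise first_libvirt_rule_pos; a real run reads iptables instead.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'

# Read "iptables -S CHAIN" output on stdin and print the 1-based position of
# the first "-A" rule that uses the bridge ($1) as input/output interface or
# jumps to a LIBVIRT_* chain. Prints nothing if no such rule exists.
first_libvirt_rule_pos() {
    awk -v br="$1" '
        /^-A / {
            n++
            for (i = 1; i <= NF; i++) {
                if (($i == "-i" || $i == "-o") && $(i + 1) == br) { print n; exit }
                if ($i == "-j" && $(i + 1) ~ /^LIBVIRT_/)        { print n; exit }
            }
        }'
}

# Insert the custom rules before libvirt's, keeping their listed order by
# advancing the position after each insert; append if no libvirt rule exists.
add_custom_rules() {
    pos=$(iptables -S "$CHAIN" | first_libvirt_rule_pos "$BRIDGE")
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # $rule is intentionally unquoted so it splits into iptables arguments
        if [ -n "$pos" ]; then
            iptables -I "$CHAIN" "$pos" $rule && pos=$((pos + 1))
        else
            iptables -A "$CHAIN" $rule
        fi
    done <<EOF
$CUSTOM_RULES
EOF
}

# Delete the custom rules by specification; a missing rule is not an error,
# so running the hook twice is harmless.
del_custom_rules() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        iptables -D "$CHAIN" $rule 2>/dev/null || :
    done <<EOF
$CUSTOM_RULES
EOF
}

# libvirt passes at least three arguments; without them (e.g. when the file is
# sourced to test the functions) no firewall change is made.
if [ "$#" -ge 3 ]; then
    case "$2/$3" in
        started/begin) add_custom_rules ;;
        stopped/end)   del_custom_rules ;;
    esac
fi
```

With the constructed sample above, `first_libvirt_rule_pos virbr0` prints 3, so `iptables -I FORWARD 3 ...` lands the custom rules after the two pre-existing rules and before libvirt's first rule. The script must be executable and owned by root, and libvirtd has to be restarted once after the hook file is created before it is picked up.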