I changed the way iptables rules are created. Now they
are created in their own chain upnp-nat which should be
called from PREROUTING.
In the filter table new rules will be created in
upnp-allow to accept incoming data. This is supposed to
be called from FORWARD. That way a FORWARD policy of
DROP is still possible.
I think those changes will make it easier to use
linux-igd with existing firewall scripts. At least it
works for me ;)
I also created a sample startup script that creates the
necessary chains and calls them at the appropriate
places. This should be integrated into the user's
firewall script and needs to be there before upnpd starts.
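
The chain layout described above, as an added example; it is not the sample startup script from this patch or linux-igd's own code. The chain names upnp-nat and upnp-allow and the PREROUTING/FORWARD hooks come from the description; the IPTABLES and EXTIF variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: source this from the firewall script and call
# setup_upnp_chains before upnpd starts. It does not touch the FORWARD
# policy, so a policy of DROP set elsewhere in the script stays in force.
IPTABLES="${IPTABLES:-iptables}"   # assumption: overridable iptables binary
EXTIF="${EXTIF:-}"                 # assumption: optional external interface, e.g. eth0

# Create the chain, or flush it if it already exists, so rules left over
# from an earlier upnpd run do not survive a firewall reload.
ensure_chain() {          # $1 = table, $2 = chain
    $IPTABLES -t "$1" -N "$2" 2>/dev/null || $IPTABLES -t "$1" -F "$2"
}

# Append a jump from a built-in chain unless the same rule is already
# present (-C exits non-zero when it is missing), so reloads add no duplicates.
ensure_jump() {           # $1 = table, $2 = built-in chain, $3 = target, rest = match
    table=$1 parent=$2 target=$3
    shift 3
    $IPTABLES -t "$table" -C "$parent" "$@" -j "$target" 2>/dev/null ||
        $IPTABLES -t "$table" -A "$parent" "$@" -j "$target"
}

setup_upnp_chains() {
    ensure_chain nat upnp-nat &&
    ensure_chain filter upnp-allow || return 1
    if [ -n "$EXTIF" ]; then
        # Offer only traffic arriving on the external interface to the UPnP chains.
        ensure_jump nat PREROUTING upnp-nat -i "$EXTIF" &&
        ensure_jump filter FORWARD upnp-allow -i "$EXTIF"
    else
        ensure_jump nat PREROUTING upnp-nat &&
        ensure_jump filter FORWARD upnp-allow
    fi
}
```

Because the FORWARD jump is appended, a firewall script that ends FORWARD with an explicit drop rule needs to call setup_upnp_chains before adding that rule.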