A patch supplied by Daniel Tryba for Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507313)
"Entries get appended to the PREROUTING table, the problem is I have a catchall to create a DMZ. The result is that the upnp rules aren't reachable.
The solution is pretty simple with the following patch:
Using the "forward_rules_append" config option to determine if the PREROUTING rule should be inserted at the beginning (-I) or appended (-A) to the table.
Sure there is a security risk involved, but so does the prepending of FORWARD rules. Defining a seperate config option to determine the PREROUTING behavior would be a better solution, but this works fine for me (tm)."