How to Redirect marked packets on multiple ports to one IP Address

I have set up this rule:

-A PREROUTING -i vboxnet0 -p tcp -m tcp --dport 80 -j internet
-A internet -j MARK --set-xmark 0x63/0xffffffff

to capture incoming traffic on port 80 and send it to be marked. It works, but now I'd like to edit it to capture on all ports except 53 (DNS), the DHCP service port and some others.

Further down my iptables, I have

-A PREROUTING -i vboxnet0 -p tcp -m mark --mark 0x63 -m tcp --dport 80 -j DNAT --to-destination 192.168.56.1

That captures all TCP traffic that has the mark and is destined for port 80, and DNATs it to the local IP. I'd like to edit this to also include all ports except 53 (DNS), the DHCP service port and some others.

Some good pointers, in lieu of a small explanation of the difference between the first -m and the second -m in both rulesets, could also get me on the correct track.

edited Jan 7 at 14:29 by Jeff Schaller
asked Jan 5 at 21:22 by Dudus

          1 Answer
Understanding Your Rules

The first step in understanding how your firewall rules work is, like in most things, to check the man page (man iptables). In the man page you will find:

    -m, --match match

    Specifies a match to use, that is, an extension module that tests for a specific property. The set of matches make up the condition under which a target is invoked. Matches are evaluated first to last as specified on the command line and work in short-circuit fashion, i.e. if one extension yields false, evaluation will stop.

Near the bottom of the man page you'll also find:

    MATCH AND TARGET EXTENSIONS

    iptables can use extended packet matching and target modules. A list of these is available in the iptables-extensions(8) manpage.

So then the iptables-extensions man page will give you the specifics on what your -m options are really doing. A few small snippets from there:

    mark

    [!] --mark value[/mask]

    ...

    tcp

    [!] --destination-port,--dport port[:port]

    ...

    DNAT

    This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes the following options:

    --to-destination [ipaddr[-ipaddr]][:port[-port]]

    ...

    MARK

    This target is used to set the Netfilter mark value associated with the packet. It can, for example, be used in conjunction with routing based on fwmark (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing. The mark field is 32 bits wide.

    --set-xmark value[/mask]

To put it simply, the -m option adds matching options to iptables. But the man page also lists some non-standard targets (including the DNAT that you're using).

What to Do

Now, putting all of this together, I assume that the table you're working with is nat, given it's the only one that works with the DNAT target.

It also seems that marking the traffic is unnecessary. It's simply being marked so that you can NAT the packet, but you can just NAT the packet instead of tagging it to begin with.

For example:

    -A PREROUTING -i vboxnet0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.56.1

You can specify multiple rules to cover multiple ports, but also specify port ranges using [port]:[port], or negative matches using !.

For example, to apply the rule to all ports except 53 (domain) and 22 (ssh) you could do the following:

    # Both exemptions go in one negated multiport match: two separate
    # "! --dport" rules would each still match the other port and DNAT it.
    -A PREROUTING -i vboxnet0 -p tcp -m multiport ! --dports 53,22 -j DNAT --to-destination 192.168.56.1

It could get cumbersome if there's lots of ports you want to filter out, but such is life with iptables. I'd recommend checking /etc/services to get a list of port mappings so you can avoid impacting certain services/protocols.

edited Jan 5 at 22:11
answered Jan 5 at 21:56 by Centimane

• +1 However, DNS is TCP and UDP, but mostly UDP.
  – Rui F Ribeiro, Jan 5 at 22:02

• I was saying DNS traffic is mostly UDP and you are only excluding TCP. There is a need for an extra line.
  – Rui F Ribeiro, Jan 5 at 22:11

• @RuiFRibeiro Actually, the -p tcp before the -m ensures the rules only match tcp traffic.
  – Centimane, Jan 5 at 22:14

• The rules only modify traffic if it's tcp and not port #. So all UDP traffic continues to go to its original host.
  – Centimane, Jan 5 at 22:40

• I assume that only remapping tcp was the OP's intent.
  – Centimane, Jan 5 at 22:42
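
As an added example, not part of the answer or the comments above, the following POSIX shell script generates the nat-table PREROUTING rules for the situation the question describes: every destination port arriving on vboxnet0 is redirected to 192.168.56.1 except a list of exempt ports. It covers both TCP and UDP, since (as the comments point out) DNS is mostly UDP, and it uses a single negated multiport match per protocol instead of one "! --dport" rule per exempt port, because separate negated rules would each still match the other exempt ports. The interface, the target address and the exempt-port list (53 for DNS, 67/68 for the DHCP server and client, 22 for SSH) are assumptions constructed from the thread. The script only prints an iptables-restore fragment; nothing in the running firewall changes unless you pipe its output into iptables-restore yourself.

```shell
#!/bin/sh
# Added example: build nat-table DNAT rules that redirect all TCP and UDP
# ports on one interface to one address, exempting a port list. The values
# below are placeholders constructed for this example.

IFACE="vboxnet0"
TARGET="192.168.56.1"
# Constructed exempt list: DNS (53), DHCP server/client (67, 68), SSH (22).
EXEMPT_PORTS="53 67 68 22"

# join_ports LIST: turn a space-separated port list into multiport's
# comma-separated form ("53 22" -> "53,22").
join_ports() {
    printf '%s' "$1" | tr -s ' ' ',' | sed 's/^,//; s/,$//'
}

# redirect_rule PROTO: print one iptables-restore style rule for PROTO.
# A single "! --dports" match excludes every listed port at once. Caveat:
# multiport takes at most 15 ports per rule; a longer list needs splitting
# across a user-defined chain, which this example does not do.
redirect_rule() {
    proto="$1"
    ports="$(join_ports "$EXEMPT_PORTS")"
    printf '%s\n' "-A PREROUTING -i $IFACE -p $proto -m multiport ! --dports $ports -j DNAT --to-destination $TARGET"
}

# build_ruleset: emit a complete nat-table fragment for iptables-restore,
# one rule for TCP and one for UDP so DNS over UDP is also left alone.
build_ruleset() {
    printf '*nat\n'
    redirect_rule tcp
    redirect_rule udp
    printf 'COMMIT\n'
}

# is_exempt PORT: succeed if PORT is in EXEMPT_PORTS, i.e. the set that
# "! --dports" negates; handy for checking a list before applying it.
is_exempt() {
    for p in $EXEMPT_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Dry run: print the fragment. To apply it (as root) without flushing the
# other tables:  build_ruleset | iptables-restore -n
build_ruleset
```

Review the printed fragment against /etc/services before applying it; any service not on the exempt list, on either protocol, will be redirected.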















