By default I set the nat chains (PREROUTING, POSTROUTING, etc.) to ACCEPT. First off, is this bad?

For my web & mail servers using DNAT, I need to add rules - and I do. Same w/ SNAT rules...

The problem has come up with our mail server - we were getting spam from one IP address - since my DNAT rule was ACCEPT and forward, the mail server kept getting these spam messages. I stopped the spam by adding a rule to the beginning of PREROUTING to DROP packets from that address.

This made me start thinking - am I doing it right by having all the nat chains default ACCEPT?

aldo