Hi Aldo,

You shouldn't drop packets in the prerouting part, use the filtering part to do this. In the pre/post routing you should just try to keep things clean.

So, no I don't find it bad to have the nat policy to accept - it is the filter policies I would be worried about :-)

/Kim

On Monday 24 March 2003 19:20, Aldo Lagana wrote:
> by default I set the nat chains (PREROUTING POSTROUTING, etc) to ACCEPT.
> first off is this bad?
>
> For my web & mail servers using DNAT, I need to add rules - and I do. Same
> w/ SNAT rules...
>
> The problem has come up with our mail server - we were getting spam from
> one IP address - since my DNAT rule was ACCEPT and forward, the mail server
> kept getting these spam messages. I stopped the SPAM by adding a rule to
> the beginning of PREROUTING to DROP packets from that address.
>
> This made me start thinking - am I doing it right by having all the nat
> chains default ACCEPT?
>
> aldo
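
Added example, not part of either message: a shell function that generates an iptables-restore ruleset for the setup discussed in this thread, with the nat table doing only DNAT and the spam source dropped in the filter table's FORWARD chain. The addresses, the single-mail-server layout and the minimal INPUT rules are assumptions, and all values are constructed samples.

```shell
#!/bin/sh
# Added example. All addresses are constructed samples.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so no
# other text can end up inside a generated rule.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_ruleset PUBLIC_IP MAIL_IP [BLOCKED_IP...]
# Prints an iptables-restore ruleset for a NAT gateway in front of one
# mail server (hypothetical layout).
gen_ruleset() {
    public_ip=$1; mail_ip=$2; shift 2
    for addr in "$public_ip" "$mail_ip" "$@"; do
        is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    # nat: translation only. Policies stay ACCEPT and nothing is dropped here.
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        "-A PREROUTING -d $public_ip -p tcp --dport 25 -j DNAT --to-destination $mail_ip" \
        'COMMIT'
    # filter: default-deny policies; this is where packets get dropped.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Blocked sources first, ahead of every ACCEPT in FORWARD.
    for addr in "$@"; do
        printf '%s\n' "-A FORWARD -s $addr -j DROP"
    done
    # FORWARD runs after DNAT, so -d matches the server's internal address.
    printf '%s\n' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -d $mail_ip -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT" \
        'COMMIT'
}

# Print the sample ruleset; pipe it to `iptables-restore --test` to check it.
gen_ruleset 203.0.113.10 192.168.1.25 198.51.100.77
```

The nat table only sees the first packet of each connection, which is one more reason to keep DROP rules in the filter table, where every packet is evaluated.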