On Monday 24 March 2003 01:20 pm, Aldo Lagana wrote:
> By default I set the nat chains (PREROUTING, POSTROUTING, etc.) to
> ACCEPT. First off, is this bad?
>
> For my web & mail servers using DNAT, I need to add rules - and I do.
> Same w/ SNAT rules...
>
> The problem has come up with our mail server - we were getting spam
> from one IP address - since my DNAT rule was ACCEPT and forward, the
> mail server kept getting these spam messages. I stopped the SPAM by
> adding a rule to the beginning of PREROUTING to DROP packets from that
> address.
>
> This made me start thinking - am I doing it right by having all the
> nat chains default ACCEPT?
>
> aldo

Yes. ACCEPT policy for nat and mangle chains.

You should look to setting a DROP policy on FORWARD, though, and ACCEPT only the traffic you want to allow through there. For something like DROPping a specific IP, you should have those rules first in FORWARD, followed by the ACCEPT rules to let through classes of traffic (i.e., email connections to and from the mail server, and ESTABLISHED & RELATED state connections).

If you don't have anything in FORWARD right now, but an ACCEPT policy, you should definitely concentrate there. Start with rules to accept the traffic through that you really need, with a LOG rule at the end of the chain. This way everything will still work as it does now, and you can check the rules listing to see what rules are matching packets, and check the LOG to see what isn't matching any rule (and write a rule to ACCEPT it if you need it).

j
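The FORWARD chain layout the reply describes, written out as an added example (this is not from either poster's firewall): specific DROP first, then ESTABLISHED/RELATED, then the mail-server ACCEPTs, then a LOG rule at the end, with the chain policy chosen per call so the same rules can be run with ACCEPT while you read the log and with DROP once the ACCEPT rules are complete. The interfaces (eth0 outside, eth1 inside), the mail server's internal address 192.168.1.25 and the blocked address 203.0.113.45 are placeholders I assumed for the example. One reason the block belongs in FORWARD rather than in nat PREROUTING, as in Aldo's first attempt: the nat table is consulted only for the first packet of each connection, whereas the filter table's FORWARD chain sees every forwarded packet and is where iptables expects filtering decisions to live.

```shell
#!/bin/sh
# Added example of a FORWARD chain ruleset; not the original poster's config.
# Assumed placeholders: eth0 = external interface, eth1 = internal interface,
# 192.168.1.25 = mail server behind DNAT, 203.0.113.45 = the address to block.
# By default the rules are only printed (dry run); run with IPT=iptables as
# root to apply them.

IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
MAIL_SERVER="${MAIL_SERVER:-192.168.1.25}"
BLOCKED_IP="${BLOCKED_IP:-203.0.113.45}"

# forward_rules ACCEPT|DROP
# ACCEPT: learning phase, everything still flows and the LOG shows what no
#         ACCEPT rule matched.
# DROP:   once the ACCEPT rules cover what you need, unmatched traffic is
#         logged and then dropped by the chain policy.
forward_rules() {
    policy="$1"
    case "$policy" in
        ACCEPT|DROP) ;;
        *) echo "usage: forward_rules ACCEPT|DROP" >&2; return 1 ;;
    esac

    $IPT -F FORWARD
    $IPT -P FORWARD "$policy"

    # Specific DROPs come first, before any ACCEPT they could otherwise match.
    $IPT -A FORWARD -s "$BLOCKED_IP" -j DROP

    # Replies and related packets of connections that were already accepted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New SMTP connections from outside to the DNAT'ed mail server.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$MAIL_SERVER" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # New outbound SMTP from the mail server.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$MAIL_SERVER" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Anything reaching the end matched no ACCEPT rule: log it (rate limited so
    # a flood cannot fill the log), then fall through to the chain policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-unmatched: "
}

forward_rules "${POLICY:-ACCEPT}"
```

Run it first as a dry run to read the commands, then `IPT=iptables POLICY=ACCEPT sh forward.sh` while watching the kernel log for `FORWARD-unmatched:` lines and `iptables -L FORWARD -v -n` for which rules are accumulating packet counts; when nothing you need is still hitting the LOG rule, rerun with `POLICY=DROP`.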