I'm a bit of a nitwit and could use some pointers from more experienced hands. We changed routers recently and with it the processes. The objectives remain the same:

1. To protect the server (running Apache, Postfix and Vftp).
2. To provide DShield reporting.
3. To get reliable data so that, from time to time, we can contact ISPs when things get out of hand.

The setup is simple and does not use the router's NAT. I am using only the NAT IPtable. HTTP, SMTP, FTP and POP3 get port forwarded. Anything that doesn't get port forwarded is presumed to be intrusive and gets logged and dropped. So far so good.

Questions:

1. Does this approach make sense?
2. I'm getting the LAN address in the logs rather than the intended destination IP. Is there some way to preserve the original data?
3. Is anyone aware of a decent log analyzer that will also provide host resolution?
4. I would rather use the FILTER table for the refused connections to reject rather than drop. I'm sure that it's simple but I just don't get it. This would depend upon the filter table rules following the NAT table rules. Where is this order established?

Thanks.
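An added example, not part of the original post, showing how the table order that questions 2 and 4 ask about works in practice. An inbound packet traverses raw PREROUTING, then mangle PREROUTING, then nat PREROUTING (where DNAT rewrites the destination), then the routing decision, and only then the filter table's INPUT or FORWARD chain. A LOG rule placed in mangle PREROUTING therefore still sees the public destination address, while REJECT is only accepted in the filter table. The interface name, server address and port list are assumptions for illustration; by default the script only prints the iptables commands so the order can be reviewed, and it executes them only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values: WAN interface
# eth0 and a LAN server at 192.168.1.10; override with environment variables.
WAN="${WAN:-eth0}"
SERVER="${SERVER:-192.168.1.10}"
PORTS="80 25 21 110"   # HTTP, SMTP, FTP, POP3: the forwarded services

# run executes an iptables command when APPLY=1, otherwise prints it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_rules() {
    # 1. Log refused connections in mangle PREROUTING. This hook runs before
    #    nat PREROUTING, so DST= in the log is still the original public
    #    address rather than the DNAT'd LAN address. Connection tracking is
    #    already available here, so only the first packet (NEW) is logged.
    run -t mangle -A PREROUTING -i "$WAN" -p tcp -m conntrack --ctstate NEW \
        -m multiport ! --dports 80,25,21,110 \
        -j LOG --log-prefix "REFUSED: " --log-level 4

    # 2. Port forwards live in the nat table; one DNAT rule per service.
    for port in $PORTS; do
        run -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
            -j DNAT --to-destination "$SERVER"
    done

    # 3. Filter table decisions. Forwarded traffic reaches FORWARD; packets
    #    that were not DNAT'd are addressed to the router itself and reach
    #    INPUT. REJECT is only valid in the filter chains, which is why it
    #    cannot sit beside the DNAT rules in the nat table.
    run -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in $PORTS; do
        run -t filter -A FORWARD -i "$WAN" -d "$SERVER" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    run -t filter -A FORWARD -i "$WAN" -j DROP

    run -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -t filter -A INPUT -i "$WAN" -p tcp -m conntrack --ctstate NEW \
        -m multiport ! --dports 80,25,21,110 -j REJECT
}

# rule_position prints the 1-based position of the first rule matching $1,
# which makes the mangle-before-nat ordering checkable.
rule_position() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_rules
```

Run it once without APPLY to read the generated rules, then with APPLY=1 on the router. The LOG line carries the `REFUSED:` prefix so the kernel log entries can be picked out for DShield submission; because it sits in mangle PREROUTING, the DST field in those entries is the public address the probe was actually aimed at.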