2. I'm still a bit confused on the logging of the destination address. With our one static IP, there are two possibilities. Either a packet is intended for our IP or for another. Yet, the logs will always show the destination address as the IP of the LAN interface. Any suggestions?

I imagine you are talking about the fact that the only packets getting logged are those destined for the firewall machine itself. The reason for this is that before you reach the (PREROUTING?) INPUT or FORWARD chains, the IP layer analyses the packet to see if the packet is destined for this machine or not. If it isn't, then the packet is silently thrown away before reaching Netfilter. If you DO want to receive packets in an IP-layer promiscuous manner, then you will have to set /proc/sys/net/ipv4/conf/*/rp_filter to 0. This disables the destination IP filtering.
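As an added example (not part of the original post), a small Python parser for kernel LOG-target lines that groups the logged DST addresses by the chain that produced them, so you can see whether a logged packet was caught in INPUT (addressed to the firewall itself) or in FORWARD (addressed to a host behind it). It assumes the rules were given --log-prefix "INPUT:" and "FORWARD:"; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG-target format
# (not taken from the poster's logs). Assumed --log-prefix values:
# "INPUT:" for the INPUT chain and "FORWARD:" for the FORWARD chain.
SAMPLE_LOG = """\
kernel: INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41234 DPT=22
kernel: FORWARD: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=41235 DPT=80
kernel: FORWARD: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=80 DPT=41235
kernel: INPUT: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
kernel: eth0: link up
"""

# Chain prefix is the upper-case word after "kernel: "; everything after it
# is a run of KEY=VALUE fields (OUT= may be empty for locally delivered packets).
LINE_RE = re.compile(r"kernel: (?P<chain>[A-Z]+): (?P<fields>.*)")


def parse_line(line):
    """Return a dict of LOG fields plus CHAIN, or None for non-netfilter lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["CHAIN"] = m.group("chain")
    return fields


def destinations_by_chain(log_text):
    """Map each chain prefix to the sorted list of distinct DST addresses it logged."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "DST" in rec:
            seen[rec["CHAIN"]].add(rec["DST"])
    return {chain: sorted(dsts) for chain, dsts in seen.items()}


if __name__ == "__main__":
    for chain, dsts in destinations_by_chain(SAMPLE_LOG).items():
        print(f"{chain}: {', '.join(dsts)}")
```

If every DST you see sits under INPUT, the FORWARD rules never fired and the packets were not reaching that chain.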