Sridhar Cherukuri (Tanzania, United Republic of) asked:
IPTABLES Configuration

I have replaced my router with a Linux box and am using it as a router through iptables. I have a mail server whose routing is done by the Linux box.

My iptables rules are as below:

iptables -t nat -A POSTROUTING -s 0/0 -d 0/0 -j MASQUERADE
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 25  -j DNAT --to-destination 192.168.4.103:25
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 110  -j DNAT --to-destination 192.168.4.103:110
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 3389  -j DNAT --to-destination 192.168.4.101:3389

Everything is working fine, but too much spam is going out from my network to unknown domains. I can see the IP addresses of those domains, which are like 168.95.5.x.
I tried to block that IP address on the Linux box both inward and outward as below:

iptables -I INPUT -s 168.95.5.1/24 -j DROP
iptables -I INPUT -d 168.95.5.1/24 -j DROP

But it is not working; I can still see the spam going out from my network to the above IPs, as well as incoming. Can you please suggest the best way to get rid of this problem?


Sridhar Cherukuri (ASKER):

I have two NICs on the Linux box: eth0 has the public IP and eth1 the private IP.
Sorry, read the last rule as OUTPUT:

iptables -I OUTPUT -d 168.95.5.1/24 -j DROP
iptables -I FORWARD -d 168.95.5.1/24 -j DROP

And if you have an internal SMTP server and you do not want any SMTP traffic to leave your network except from your SMTP server:

# -I inserts at the top of the chain, so insert the DROP first; the ACCEPT
# inserted afterwards then sits above it and is evaluated first.
iptables -I FORWARD -p tcp --dport 25 -j DROP
iptables -I FORWARD --source mailserverIP -p tcp --dport 25 -j ACCEPT

OUTPUT can only be used for traffic generated on your Linux server. You have to use the FORWARD chain for traffic generated on your network and forwarded through your server.
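The INPUT/OUTPUT/FORWARD distinction above is the whole reason the asker's first rules did nothing. The following added example (written for this thread, not code from any participant) models the routing decision netfilter makes on a two-NIC box like the one described, then checks whether a "-d 168.95.5.1/24 -j DROP" rule placed in a given chain would ever see a packet from a LAN host. The router's private address 192.168.4.1 and the function names are assumptions; 196.41.37.34 and 192.168.4.103 come from the thread.

```shell
#!/bin/sh
# Added example: which chain does a packet traverse on the Linux router?
# Assumed layout (only 196.41.37.34 and 192.168.4.x appear in the thread):
#   eth0 public  196.41.37.34
#   eth1 private 192.168.4.1   (gateway address is an assumption)
ROUTER_ADDRS="196.41.37.34 192.168.4.1"

# is_local_addr ADDR -> success if ADDR belongs to the router itself
is_local_addr() {
    for a in $ROUTER_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# chain_for SRC DST -> INPUT | OUTPUT | FORWARD
# Destined to the box itself: INPUT. Generated by the box: OUTPUT.
# Anything merely passing through (LAN hosts going out): FORWARD.
chain_for() {
    src=$1; dst=$2
    if is_local_addr "$dst"; then
        echo INPUT
    elif is_local_addr "$src"; then
        echo OUTPUT
    else
        echo FORWARD
    fi
}

# in_spam_net DST -> success if DST falls in 168.95.5.0/24
# (iptables normalises the asker's 168.95.5.1/24 to 168.95.5.0/24)
in_spam_net() {
    case $1 in
        168.95.5.*) return 0 ;;
        *) return 1 ;;
    esac
}

# verdict RULE_CHAIN SRC DST -> DROP | PASS
# Outcome of "iptables -I RULE_CHAIN -d 168.95.5.1/24 -j DROP" for the packet.
verdict() {
    rule_chain=$1; src=$2; dst=$3
    chain=$(chain_for "$src" "$dst")
    if [ "$chain" = "$rule_chain" ] && in_spam_net "$dst"; then
        echo DROP
    else
        echo PASS
    fi
}

# Constructed packets: a LAN host (the mail server) talking to 168.95.5.20.
verdict OUTPUT  192.168.4.103 168.95.5.20   # PASS: LAN traffic never hits OUTPUT
verdict FORWARD 192.168.4.103 168.95.5.20   # DROP: FORWARD is the chain it crosses
verdict OUTPUT  196.41.37.34  168.95.5.20   # DROP: the router's own traffic
```

One caveat the model leaves out: the DNAT in PREROUTING rewrites the destination before the routing decision, so inbound port 25 and 110 connections to 196.41.37.34 arrive at FORWARD (on their way to 192.168.4.103), not INPUT; filter them there.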
ilkerduran:

Hi, you may want to have these rules:

iptables -I FORWARD -s <SpamSourceIP> -j DROP
iptables -I FORWARD -d 168.95.5.1/24 -j DROP

regards,
ilker
Adding this rule

iptables -I FORWARD -s <SpamSourceIP> -j DROP

will block internet access for the spam-source IP. I would rather say do the following:

iptables -I FORWARD -s yournetwork -p tcp --dport 25 -j LOG

and then

tail -f /var/log/syslog

and monitor the address that is sending spam and fix that too.
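Watching syslog by eye works for a handful of hosts; the example below (added for this thread, not a participant's code) does the same job mechanically. It prints the FORWARD rules in an order that keeps the mail server's own SMTP allowed while logging and dropping every other LAN host's port 25 attempts, going one step beyond the log-only rule above, and it tallies the SRC addresses found in kernel LOG lines so the noisiest internal host surfaces first. The LAN 192.168.4.0/24, the mail server 192.168.4.103 and the log prefix "SMTP-OUT" are assumptions; the log lines are constructed in the shape of real iptables LOG output.

```shell
#!/bin/sh
# Added example: ordered SMTP egress rules plus a tally of logged senders.
LAN=192.168.4.0/24          # assumed LAN range
MAILSERVER=192.168.4.103    # mail server address from the thread

# ordered_rules -> the three FORWARD rules, in evaluation order.
# -A appends, so the first line printed is the first rule evaluated:
# mail server allowed, every other LAN host logged and then dropped.
ordered_rules() {
    echo "iptables -A FORWARD -s $MAILSERVER -p tcp --dport 25 -j ACCEPT"
    echo "iptables -A FORWARD -s $LAN -p tcp --dport 25 -j LOG --log-prefix \"SMTP-OUT \""
    echo "iptables -A FORWARD -s $LAN -p tcp --dport 25 -j DROP"
}

# smtp_talkers (stdin: syslog lines) -> "count src", busiest first,
# counting only DPT=25 packets whose SRC is not the mail server.
smtp_talkers() {
    awk -v ms="$MAILSERVER" '
        /DPT=25( |$)/ {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "" && src != ms) n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Constructed sample: what /var/log/syslog would hold after the LOG rule fires.
SAMPLE=$(cat <<'EOF'
Jan  5 10:21:33 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.4.55 DST=168.95.5.20 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Jan  5 10:21:34 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.4.55 DST=168.95.5.21 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN
Jan  5 10:21:35 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.4.103 DST=64.233.1.1 LEN=60 PROTO=TCP SPT=40001 DPT=25 SYN
Jan  5 10:21:36 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.4.77 DST=168.95.5.2 LEN=60 PROTO=TCP SPT=33000 DPT=25 SYN
Jan  5 10:21:37 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.4.55 DST=10.9.8.7 LEN=60 PROTO=TCP SPT=33001 DPT=2525 SYN
EOF
)

# top_talker -> the single busiest non-mail-server source in the sample
top_talker() {
    printf '%s\n' "$SAMPLE" | smtp_talkers | head -n 1
}

ordered_rules
printf '%s\n' "$SAMPLE" | smtp_talkers
```

On a live box, replace the sample with `grep 'SMTP-OUT' /var/log/syslog | smtp_talkers`; a host that appears with hundreds of hits while it has no business sending mail directly is the one to take off the network and clean.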
Thanks Shakoush, I will do that. Basically my problem is that the moment I use the Linux box I am getting too much spam, incoming as well as outgoing.

As you suggested for outgoing, I will add the forward rule and find out which computer in the network is sending the spam out and fix them. I will work on it on Monday and will post the results here.

Once again thanks a lot
Hi, I have implemented your suggestion and tried to block the spam sources but have not succeeded; in fact I have formatted all the computers in the network and secured them with proper AV etc., but still the incoming and outgoing spam is not controlled. But when I connect back to my D-Link router, everything is fine. What mistake am I making here?
Well, it appears to me that your Linux server's email server is being exploited. Try:

iptables -I OUTPUT  -p tcp --dport 25 -j DROP
iptables -I INPUT  -p tcp --dport 25 -j DROP

And see if that stops the spam. If so, change the configuration file of your SMTP server to listen only on your internal interface. You could also change its settings so that it relays only for your local network; however, that depends on which SMTP server you are using.
Shakoush, my mail server is Exchange Server with MailMarshal as well. What I am doing is simply forwarding requests on ports 25 and 110 to my mail server IP (192.168.4.103) from the Linux box:

iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 25  -j DNAT --to-destination 192.168.4.103:25
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 110  -j DNAT --to-destination 192.168.4.103:110
All right, then please use the link below to check if your Exchange server is open for relay, and if it is you have to fix that; this will stop your email server being exploited. I had the same problem and fixed it using the link below.

http://www.amset.info/exchange/spam-cleanup.asp
If the open relay is removed, then the local users should also be able to reach my email server through the internet, right?
ASKER CERTIFIED SOLUTION
thevpn.guru (Denmark)