Sridhar Cherukuri
asked on
IPTABLES Configuration
I have replaced my router with a Linux box and am using it as a router through iptables. I have a mail server where the routing is from the Linux box.
My iptables rules are as below:
iptables -t nat -A POSTROUTING -s 0/0 -d 0/0 -j MASQUERADE
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.4.103:25
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.4.103:110
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.4.101:3389
Everything is working fine, but too much spam is going out from my network to unknown domains, although I can see the IP addresses of those domains, which are like 168.95.5.x.
I tried to block that IP address in the Linux box both inward and outward as below:
iptables -I INPUT -s 168.95.5.1/24 -j DROP
iptables -I INPUT -d 168.95.5.1/24 -j DROP
But it is not working; I can still see the spam going out from my network to the above IPs, as well as incoming also. Can you please suggest the best way to get rid of this problem?
ASKER
Sorry, read the last rule as OUTPUT:
iptables -I OUTPUT -d 168.95.5.1/24 -j DROP
iptables -I FORWARD -d 168.95.5.1/24 -j DROP
And if you have an internal SMTP server and you do not want any SMTP traffic to leave your network except from your SMTP server (-I inserts at the top of the chain, so insert the DROP first and the ACCEPT last, leaving the ACCEPT above the DROP):
iptables -I FORWARD -p tcp --dport 25 -j DROP
iptables -I FORWARD --source mailserverIP -p tcp --dport 25 -j ACCEPT
OUTPUT can only be used for traffic generated on your Linux server. You have to use the FORWARD chain for traffic generated on your network and forwarded through your server.
<gr_insert after="36" cat="add_content" lang="shell" orig="OUTPUT can only be used">
An added example, not code from any of the posters in this thread: a small script that puts the FORWARD-chain egress policy described above into one place, with a LOG rule in front of the DROP so the offending host shows up in syslog. The addresses are constructed assumptions for the example (LAN 192.168.4.0/24, mail server 192.168.4.103, spam destination block 168.95.5.0/24), and it assumes the FORWARD chain's default policy is ACCEPT, as on a box that so far only carries nat rules. Because -I inserts at the head of the chain, the commands are issued in reverse of the order you want them evaluated.

```shell
#!/bin/sh
# Added example, not code from the thread: an egress SMTP policy for the
# FORWARD chain of a Linux router. Constructed assumptions for this example:
# LAN 192.168.4.0/24, mail server 192.168.4.103, spam destination block
# 168.95.5.0/24, and a FORWARD chain whose default policy is ACCEPT (as on
# a box that so far only carries nat rules). Set IPT=echo to preview.
IPT="${IPT:-iptables}"

# egress_smtp_policy LAN MAILSERVER BLOCKED_NET
# Resulting order at the top of FORWARD, first match wins:
#   1. ACCEPT tcp/25 from MAILSERVER
#   2. LOG    tcp/25 from any other LAN host (rate-limited, tagged)
#   3. DROP   tcp/25 from any other LAN host
#   4. DROP   forwarded traffic to or from BLOCKED_NET
# -I inserts at the head of the chain, so the commands run in reverse:
# the rule that must be consulted first is inserted last.
egress_smtp_policy() {
    lan="$1"; mail="$2"; blocked="$3"
    # 4. nothing forwarded may reach the blocked network, or come from it
    $IPT -I FORWARD -d "$blocked" -j DROP
    $IPT -I FORWARD -s "$blocked" -j DROP
    # 3. every other LAN host loses direct SMTP
    $IPT -I FORWARD -s "$lan" -p tcp --dport 25 -j DROP
    # 2. LOG is non-terminating, so the packet falls through to the DROP;
    #    the prefix makes the entries easy to grep in /var/log/syslog
    $IPT -I FORWARD -s "$lan" -p tcp --dport 25 -m limit --limit 6/minute \
        -j LOG --log-prefix "SMTP-EGRESS-DENIED: "
    # 1. the mail server is the only host allowed to speak SMTP outbound
    $IPT -I FORWARD -s "$mail" -p tcp --dport 25 -j ACCEPT
}

# Usage:  sh egress-smtp.sh preview   (print the commands, no root needed)
#         sh egress-smtp.sh apply     (run as root on the router)
case "${1:-}" in
    preview) IPT=echo; egress_smtp_policy 192.168.4.0/24 192.168.4.103 168.95.5.0/24 ;;
    apply)   egress_smtp_policy 192.168.4.0/24 192.168.4.103 168.95.5.0/24 ;;
esac
```

The FORWARD rules only affect traffic passing through the box; spam addressed to the Linux box itself would still need the INPUT rule from the question. Check the resulting order with iptables -L FORWARD -n --line-numbers before trusting it.
<test>
set -e
IPT=echo
out=$(egress_smtp_policy 192.168.4.0/24 192.168.4.103 168.95.5.0/24)
[ "$(printf '%s\n' "$out" | grep -c .)" -eq 5 ] || exit 1
[ "$(printf '%s\n' "$out" | sed -n 1p)" = "-I FORWARD -d 168.95.5.0/24 -j DROP" ] || exit 1
[ "$(printf '%s\n' "$out" | sed -n 3p)" = "-I FORWARD -s 192.168.4.0/24 -p tcp --dport 25 -j DROP" ] || exit 1
[ "$(printf '%s\n' "$out" | sed -n 5p)" = "-I FORWARD -s 192.168.4.103 -p tcp --dport 25 -j ACCEPT" ] || exit 1
printf '%s\n' "$out" | sed -n 4p | grep -q -- '--log-prefix SMTP-EGRESS-DENIED:' || exit 1
</test>
</gr_insert>
<gr_replace lines="42-49" cat="clarify" orig="iptables -I FORWARD -s <SpamSourceIP>">
Adding this rule
iptables -I FORWARD -s <SpamSourceIP> -j DROP
will block internet access for the spam source IP.
I would rather say do the following:
iptables -I FORWARD -s <SpamSourceIP> -j DROP
iptables -I FORWARD -d 168.95.5.1/24 -j DROP
regards,
ilker
iptables -I FORWARD -s <SpamSourceIP> -j DROP
iptables -I FORWARD -d 168.95.5.1/24 -j DROP
regards,
ilker
Adding this rule
iptables -I FORWARD -s <SpamSourceIP> -j DROP will block internet access for the spamsource IP
iptables -I FORWARD -s <SpamSourceIP> -j DROP will block internet access for the spamsource IP
I would rather say do the following
iptables -I FORWARD -s yournetwork -p tcp --dport 25 -j LOG
and then
tail -f /var/log/syslog
and monitor the address that is sending spam, and fix that too.
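An added example, not code from any of the posters: once the LOG rule above is in place, the kernel writes one line per matching packet to syslog, and the question becomes which LAN hosts appear as SRC with DPT=25. This script summarises that, excluding the mail server (assumed here to be 192.168.4.103), and carries a constructed syslog excerpt so it runs offline; it works with or without a --log-prefix on the rule.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise which LAN hosts are
# sending SMTP through the router, from the kernel LOG lines that an
# "iptables ... --dport 25 -j LOG" rule writes to /var/log/syslog.
# Only the mail server (assumed here to be 192.168.4.103) should appear
# with outbound tcp/25; every other source is a candidate spam bot.

# smtp_senders MAILSERVER  < syslog
# Reads kernel LOG lines on stdin (with or without a --log-prefix) and
# prints one line per offending source: "<hits> <src> <distinct dsts>",
# busiest first. The mail server itself is excluded.
smtp_senders() {
    mail="$1"
    awk -v mail="$mail" '
        # match TCP packets whose destination port is exactly 25
        /PROTO=TCP/ && /DPT=25( |$)/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src == "" || src == mail) next
            hits[src]++
            if (!((src, dst) in seen)) { seen[src, dst] = 1; dsts[src]++ }
        }
        END {
            for (s in hits) printf "%d %s %d\n", hits[s], s, dsts[s]
        }' | sort -rn
}

# Constructed sample syslog excerpt: a workstation (192.168.4.57) hammering
# the 168.95.5.x block on port 25, the legitimate mail server, a second
# host with a single attempt, and non-SMTP noise that must be ignored.
sample_log() {
    cat <<'EOF'
Jan  8 10:12:01 gw kernel: SMTP-EGRESS-DENIED: IN=eth1 OUT=eth0 SRC=192.168.4.57 DST=168.95.5.4 LEN=48 TTL=127 PROTO=TCP SPT=1045 DPT=25 SYN
Jan  8 10:12:02 gw kernel: SMTP-EGRESS-DENIED: IN=eth1 OUT=eth0 SRC=192.168.4.57 DST=168.95.5.4 LEN=48 TTL=127 PROTO=TCP SPT=1046 DPT=25 SYN
Jan  8 10:12:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.4.103 DST=198.51.100.25 LEN=48 TTL=127 PROTO=TCP SPT=2231 DPT=25 SYN
Jan  8 10:12:03 gw kernel: SMTP-EGRESS-DENIED: IN=eth1 OUT=eth0 SRC=192.168.4.57 DST=168.95.5.9 LEN=48 TTL=127 PROTO=TCP SPT=1047 DPT=25 SYN
Jan  8 10:12:04 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.4.57 DST=203.0.113.80 LEN=48 TTL=127 PROTO=TCP SPT=1048 DPT=80 SYN
Jan  8 10:12:05 gw kernel: SMTP-EGRESS-DENIED: IN=eth1 OUT=eth0 SRC=192.168.4.12 DST=203.0.113.5 LEN=48 TTL=128 PROTO=TCP SPT=3301 DPT=25 SYN
Jan  8 10:12:06 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.4.12 DST=203.0.113.5 LEN=48 TTL=128 PROTO=TCP SPT=3302 DPT=2525 SYN
Jan  8 10:12:07 gw kernel: SMTP-EGRESS-DENIED: IN=eth1 OUT=eth0 SRC=192.168.4.57 DST=168.95.5.4 LEN=48 TTL=127 PROTO=TCP SPT=1049 DPT=25 SYN
EOF
}

# Usage on the router:  smtp_senders 192.168.4.103 < /var/log/syslog
# Demo with the constructed sample:  sh smtp-senders.sh demo
case "${1:-}" in
    demo) sample_log | smtp_senders 192.168.4.103 ;;
esac
```

On the constructed sample this reports 192.168.4.57 with 4 attempts to 2 destinations and 192.168.4.12 with a single attempt, and says nothing about the mail server. Run it over the whole file rather than behind tail -f, since the counts are only produced once the input ends.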
ASKER
Thanks Shakoush, I will do that. Basically my problem is that the moment I use the Linux box I am getting too much spam, incoming as well as outgoing.
As you suggested for outgoing, I will do that: I will add the forward rule, find out which computer in the network is sending the spam out, and fix them. I will work around on Monday and will post the results here.
Once again, thanks a lot.
ASKER
Hi, I have implemented your suggestion and tried to block the spam sources but have not succeeded. In fact I have formatted all the computers in the network and secured them with proper AV etc., but still the incoming and outgoing spam is not controlled. But when I connect back to my D-Link router then everything is fine. What mistake am I making here?
Well, it appears to me that your Linux server's email server is being exploited. Try
iptables -I OUTPUT -p tcp --dport 25 -j DROP
iptables -I INPUT -p tcp --dport 25 -j DROP
And see if that stops the spam. If so, change the configuration file of your SMTP server to only listen on your internal interface. You could also change its settings so that it relays only for your local network; however, that depends on which SMTP server you are using.
ASKER
Shakoush, my mail server is Exchange Server with MailMarshal as well. What I am doing is simply forwarding the requests on ports 25 and 110 to my mail server IP (192.168.4.103) from the Linux box:
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.4.103:25
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.4.103:110
All right, then please use the link below to check if your Exchange server is open for relay, and if it is you have to fix that. This will stop your email server being exploited. I had the same problem and fixed it using the link below:
http://www.amset.info/exchange/spam-cleanup.asp
ASKER
If the open relay is removed, then the local users should also reach my email server through the internet, right?