
IPTABLES Configuration

I have replaced my router with a Linux box and am using it as a router through iptables. I have a mail server where the routing is from the Linux box.

My iptables rules are as below:

iptables -t nat -A POSTROUTING -s 0/0 -d 0/0 -j MASQUERADE
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 25  -j DNAT --to-destination 192.168.4.103:25
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 110  -j DNAT --to-destination 192.168.4.103:110
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 3389  -j DNAT --to-destination 192.168.4.101:3389

Everything is working fine, but too much spam is going out from my network to unknown domains. I can see the IP addresses of those domains, which are like 168.95.5.x.
I tried to block that IP address in the Linux box, both inward and outward, as below:

iptables -I INPUT -s 168.95.5.1/24 -j DROP
iptables -I INPUT -d 168.95.5.1/24 -j DROP

But it is not working: I can still see the spam going out from my network to the above IPs, as well as incoming. Can you please suggest the best way to get rid of this problem?


Asked by: Cherukuri30
1 Solution
 
Cherukuri30 (Author) Commented:
I have two NICs on Linux: eth0 is the public IP and eth1 is the private IP.
 
Cherukuri30 (Author) Commented:
Sorry, read the last rule as OUTPUT:

iptables -I OUTPUT -d 168.95.5.1/24 -j DROP
 
thevpn.guru Commented:
iptables -I FORWARD -d 168.95.5.1/24 -j DROP

And if you have an internal SMTP server and you do not want any SMTP traffic to leave your network except from your SMTP server:

iptables -I FORWARD --source mailserverIP -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -p tcp --dport 25 -j DROP
 
thevpn.guru Commented:
OUTPUT can only be used for traffic generated on your Linux server. You have to use the FORWARD chain for traffic generated on your network and forwarded through your server.
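The two points thevpn.guru makes above (only the mail server may send SMTP out, and LAN traffic is matched in FORWARD, not OUTPUT) put together as an added example; this is not a ruleset from anyone in this thread. It assumes the poster's layout, eth0 public and eth1 LAN, with the LAN as 192.168.4.0/24 and the mail server at 192.168.4.103, and it runs as a dry run (printing the commands) unless IPTABLES=iptables is exported and it is run as root.

```shell
#!/bin/sh
# Added example: SMTP egress policy for a Linux router with eth0 = public,
# eth1 = LAN. Assumed values: LAN 192.168.4.0/24, mail server 192.168.4.103,
# spam destination block 168.95.5.0/24 (from the thread).
# IPTABLES defaults to "echo iptables" so the script only prints the rules;
# export IPTABLES=iptables and run as root to apply them.
IPTABLES=${IPTABLES:-"echo iptables"}
LAN_IF=eth1
LAN_NET=192.168.4.0/24
MAILSERVER=192.168.4.103
SPAM_DST=168.95.5.0/24

smtp_egress_rules() {
    # INPUT/OUTPUT only see packets addressed to or sent by the router itself;
    # packets from LAN hosts that the router forwards traverse FORWARD, which
    # is why the poster's INPUT/OUTPUT drops never matched the spam.
    #
    # Rules are appended (-A) in order: the mail server's ACCEPT must come
    # before the catch-all LOG/DROP. Inserting with -I would reverse them.
    $IPTABLES -A FORWARD -i "$LAN_IF" -s "$MAILSERVER" -p tcp --dport 25 -j ACCEPT
    # Log (rate-limited so a spamming host cannot flood syslog) and then drop
    # every other LAN host's outbound SMTP attempt.
    $IPTABLES -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 25 \
        -m limit --limit 10/min -j LOG --log-prefix "SMTP-EGRESS-BLOCKED: "
    $IPTABLES -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 25 -j DROP
    # Forwarded traffic to and from the spam-associated block, both directions.
    $IPTABLES -A FORWARD -d "$SPAM_DST" -j DROP
    $IPTABLES -A FORWARD -s "$SPAM_DST" -j DROP
}

smtp_egress_rules
```

Existing FORWARD rules (for example a blanket ACCEPT) that precede these would still win, so check `iptables -L FORWARD -n --line-numbers` after applying.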
 
ilkerduran Commented:
Hi, you may want to have these rules:

iptables -I FORWARD -s <SpamSourceIP> -j DROP
iptables -I FORWARD -d 168.95.5.1/24 -j DROP

regards,
ilker
 
thevpn.guru Commented:
Adding this rule

iptables -I FORWARD -s <SpamSourceIP> -j DROP

will block internet access for the spam source IP.
 
thevpn.guru Commented:
I would rather say do the following:

iptables -I FORWARD -s yournetwork -p tcp --dport 25 -j LOG

and then

tail -f /var/log/syslog

and monitor the address that is sending spam, and fix that too.
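To make the LOG-and-watch-syslog suggestion above actionable, an added example (not from anyone in this thread) that summarises the kernel LOG lines by internal source address, so the host generating outbound SMTP stands out. The log prefix SMTP-OUT: and the sample syslog lines are constructed; on the router you would pipe `tail -n 5000 /var/log/syslog` (or `tail -f`) into the same functions.

```shell
#!/bin/sh
# Added example: find which LAN host is generating outbound SMTP from the
# kernel LOG lines written by a rule like
#   iptables -I FORWARD -s 192.168.4.0/24 -p tcp --dport 25 -j LOG --log-prefix "SMTP-OUT: "
# The prefix and all addresses below are assumptions / constructed sample data.
LOG_PREFIX="SMTP-OUT:"

# Constructed sample of /var/log/syslog: four logged SMTP attempts from two
# hosts plus one unrelated line. Real LOG lines carry the same SRC=/DST=/DPT= fields.
sample_log() {
cat <<'EOF'
Jan  9 10:01:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.4.55 DST=168.95.5.10 PROTO=TCP SPT=4123 DPT=25 SYN
Jan  9 10:01:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.4.103 DST=203.0.113.8 PROTO=TCP SPT=3390 DPT=25 SYN
Jan  9 10:01:05 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.4.55 DST=168.95.5.11 PROTO=TCP SPT=4124 DPT=25 SYN
Jan  9 10:01:06 gw sshd[812]: Accepted password for admin from 192.168.4.2 port 51022 ssh2
Jan  9 10:01:07 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.4.55 DST=168.95.5.12 PROTO=TCP SPT=4125 DPT=25 SYN
EOF
}

# Reads log lines on stdin; prints "<count> <src_ip>" for every internal
# source that attempted outbound SMTP, most active first.
top_smtp_senders() {
    grep -F "$LOG_PREFIX" | grep -w 'DPT=25' \
    | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Reads log lines on stdin; prints the internal hosts that tried to reach the
# 168.95.5.x block the poster saw the spam going to.
talkers_to_spam_block() {
    grep -F "$LOG_PREFIX" | grep -E 'DST=168\.95\.5\.' \
    | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# Replace sample_log with: tail -n 5000 /var/log/syslog
sample_log | top_smtp_senders
sample_log | talkers_to_spam_block
```

The mail server itself (192.168.4.103 here) is expected to appear in the first list; any other host near the top is the one to take off the network and clean.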
 
Cherukuri30 (Author) Commented:
Thanks Shakoush, I will do that. Basically my problem is that the moment I use the Linux box I am getting too much spam, incoming as well as outgoing.

As you suggested for outgoing, I will do that: I will apply the FORWARD rule, find out which computer in the network is sending the spam out, and fix them. I will work on it on Monday and will post the results here.

Once again thanks a lot
 
Cherukuri30 (Author) Commented:
Hi, I have implemented your suggestion and tried to block the spam sources, but have not succeeded. In fact I have formatted all the computers in the network and secured them with proper AV etc., but incoming and outgoing spam is still not controlled. But when I connect back to my D-Link router, everything is fine. What mistake am I making here?
 
thevpn.guru Commented:
Well, it appears to me that your Linux server's email server is being exploited. Try:

iptables -I OUTPUT  -p tcp --dport 25 -j DROP
iptables -I INPUT  -p tcp --dport 25 -j DROP

and see if that stops the spam. If so, change the configuration file of your SMTP server to only listen on your internal interface. You could also change its settings so that it relays only for your local network; however, that depends on which SMTP server you are using.
 
Cherukuri30 (Author) Commented:
Shakoush, my mail server is an Exchange server, with MailMarshal also. What I am doing is simply forwarding the requests on ports 25 and 110 to my mail server IP (192.168.4.103) from the Linux box:

iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 25  -j DNAT --to-destination 192.168.4.103:25
iptables -t nat -A PREROUTING -d 196.41.37.34 -p tcp -m tcp --dport 110  -j DNAT --to-destination 192.168.4.103:110
 
thevpn.guru Commented:
All right, then please use the link below to check if your Exchange server is open for relay, and if it is you have to fix that. This will stop your email server being exploited. I had the same problem and fixed it using the link below:

http://www.amset.info/exchange/spam-cleanup.asp
 
Cherukuri30 (Author) Commented:
If the open relay is removed, then the local users should still be able to reach my email server through the internet, right?
 
thevpn.guru Commented:
Well, open relay is a bad idea anyhow, but yes, local users will be able to reach the email server through the internet, but they will need to do some basic authentication first.
If you use a VPN and the users first create a VPN tunnel before checking their emails, then nothing will change, I guess. If you do not use a VPN tunnel, enable some basic authentication so that the users have to provide their username and password (Outlook will provide those).
