Problems with logging outgoing SMTP connections

piotr.pawlowski · 10-27-2011, 08:16 AM

Dear all,

I would like to consult with you some iptables rule, which, in my opinion was sufficient for my needs, but it looks like I am making somewhere a mistake.

So I would like to log every outgoing SMTP connection from my server. What is more, I would like to log only those connections, which exceed 40 per minute limit. That is why I put following two lines into my iptables:

Code:

/sbin/iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW -m recent --set
/sbin/iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 40 -j LOG --log-prefix "Out. SMTP con LIMIT: " --log-level 4

Unfortunately it doesn't work as I expected. I am testing it by performing following for loop from my server:

Code:

for i in {1..200} ; do echo "QUIT" | nc mailserver 25 ; done

Whole loop is finishing in around 30 seconds, so, in my opinion, there is more than 40 new outgoing SMTP connections from my server. Unfortunately, nothing is printed in log file.
BTW, I've changed syslog configuration file, so kern.warning logs are going to separate log file, so this is not an issue here.

Where I am making a mistake?
Thank you in advance for any constructive tip.

Regards
Piotr

unSpawn · 10-27-2011, 11:41 AM

"--set" goes after "--update", see http://www.snowman.net/projects/ipt_recent/.

piotr.pawlowski · 10-27-2011, 01:42 PM

Well, I've changed rules order and it still doesn't work. However, I've decreased hitcountvalue to 5 and it started to work correctly... I'm confused... hitcount=5 is not what I want to log...