Dear all,
I would like to consult with you about some iptables rules which, in my opinion, were sufficient for my needs, but it looks like I am making a mistake somewhere.
So I would like to log every outgoing SMTP connection from my server. What is more, I would like to log only those connections which exceed a limit of 40 per minute. That is why I put the following two lines into my iptables:
Code:
/sbin/iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW -m recent --set
/sbin/iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 40 -j LOG --log-prefix "Out. SMTP con LIMIT: " --log-level 4
Unfortunately it doesn't work as I expected. I am testing it by running the following for loop from my server:
Code:
for i in {1..200} ; do echo "QUIT" | nc mailserver 25 ; done
The whole loop finishes in around 30 seconds, so, in my opinion, there are more than 40 new outgoing SMTP connections from my server. Unfortunately, nothing is printed in the log file.
BTW, I've changed the syslog configuration file so that kern.warning logs go to a separate log file, so this is not the issue here.
Where am I making a mistake?
Thank you in advance for any constructive tip.
Regards
Piotr
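As an added example (not part of Piotr's post), the script below is a dry run that prints two rule sets for the same goal, logging outgoing SMTP connections beyond 40 per minute, and checks the xt_recent list size that often silently defeats a --hitcount of 40. The list name smtp_out, the --rcheck/-A ordering and the hashlimit variant are assumptions of this example; port, limit and log prefix come from the post.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Prints rule text instead of
# applying it, so it can be reviewed first and then piped to sh as root.
# Assumes iptables with the xt_recent and xt_hashlimit matches and the LOG target.

DPORT=25
LIMIT=40
WINDOW=60
PREFIX="Out. SMTP con LIMIT: "

# xt_recent remembers at most ip_pkt_list_tot timestamps per address
# (module default: 20). A --hitcount above that can never be reached, and
# older kernels refuse the rule outright. Returns 0 when the hitcount fits.
recent_hitcount_ok() {
    hits=$1
    max=${2:-$(cat /sys/module/xt_recent/parameters/ip_pkt_list_tot 2>/dev/null || echo 20)}
    [ "$hits" -le "$max" ]
}

# Variant 1: xt_recent. Appending with -A keeps the --set rule above the
# check rule, so every new SYN is recorded first and the LOG rule fires once
# the source has opened LIMIT or more connections inside WINDOW seconds.
# --rcheck (not --update) avoids adding a second timestamp per connection.
# Note: in OUTPUT the source is the server itself, so this is one global counter.
recent_rules() {
    echo "iptables -A OUTPUT -p tcp --dport $DPORT -m state --state NEW -m recent --name smtp_out --set"
    echo "iptables -A OUTPUT -p tcp --dport $DPORT -m state --state NEW -m recent --name smtp_out --rcheck --seconds $WINDOW --hitcount $LIMIT -j LOG --log-prefix \"$PREFIX\" --log-level 4"
}

# Variant 2: xt_hashlimit, which has no per-address timestamp cap. A bucket
# of LIMIT tokens refilled at LIMIT per minute; --hashlimit-above matches
# only the connections that exceed that rate, which is exactly what gets logged.
hashlimit_rule() {
    echo "iptables -A OUTPUT -p tcp --dport $DPORT -m state --state NEW -m hashlimit --hashlimit-name smtp_out --hashlimit-mode srcip --hashlimit-above ${LIMIT}/minute --hashlimit-burst $LIMIT -j LOG --log-prefix \"$PREFIX\" --log-level 4"
}

if recent_hitcount_ok "$LIMIT"; then
    recent_rules
else
    echo "# --hitcount $LIMIT exceeds xt_recent ip_pkt_list_tot on this host; use the hashlimit rule" >&2
fi
hashlimit_rule
```

Run it as a normal user to inspect the output, then `sh script.sh | sudo sh` to apply; the same nc loop from the post should then produce log lines starting at roughly the 40th connection.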