LinuxQuestions.org
Old 03-13-2006, 05:19 AM   #1
pshankland
Member
 
Registered: Feb 2006
Location: UK
Distribution: CentOS 5.5
Posts: 46

Rep: Reputation: 15
Using iptables to log Emails?


I have an iptables firewall between a WAN link and the LAN. I am currently getting a lot of SPAM coming through this link and was wondering if it was possible to use iptables to 'look' into the Emails and simply log some information like who the mail was to: and from:?

I already log the amount of connections for TCP:25 but need something a bit more detailed without implementing a full SPAM filter.

Thanks.

Pete.
 
Old 03-13-2006, 10:31 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
You can log stuff with iptables, but it won't easily give you the information you're looking for without also logging a lot of useless information. Do you have ethereal installed? The following will log all traffic on interface eth0 for port 25:
Code:
tethereal -p -i eth0 -f "tcp port 25"
This produced the following on my PC:
Code:
$ sudo tethereal -p -i eth0 -f "tcp port 25"
Capturing on eth0
1   0.000000 10.224.78.111 -> 10.12.113.123 TCP 12105 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 WS=3
2   0.004261 10.12.113.123 -> 10.224.78.111 TCP smtp > 12105 [SYN, ACK] Seq=0 Ack=1 Win=6144 Len=0 MSS=1460 WS=0
3   0.004299 10.224.78.111 -> 10.12.113.123 TCP 12105 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
4   0.073415 10.12.113.123 -> 10.224.78.111 SMTP Response: 220 mail.gateway.somedomain.com.au GroupWise Internet Agent 6.5.3  Copyright (c) 1993-2004 Novell, Inc.  All rights reserved. Ready
5   0.073447 10.224.78.111 -> 10.12.113.123 TCP 12105 > smtp [ACK] Seq=1 Ack=133 Win=6912 Len=0
6   0.076405 10.224.78.111 -> 10.12.113.123 SMTP Command: EHLO eh10222.somedomain.com.au
7   0.076820 10.12.113.123 -> 10.224.78.111 TCP smtp > 12105 [ACK] Seq=133 Ack=40 Win=7604 Len=0
8   0.076881 10.12.113.123 -> 10.224.78.111 SMTP Response: 250-mail.gateway.somedomain.com.au
9   0.078420 10.224.78.111 -> 10.12.113.123 SMTP Command: AUTH LOGIN
10   0.078829 10.12.113.123 -> 10.224.78.111 SMTP Response: 334 VXNlcm5hbWU6
11   0.079380 10.224.78.111 -> 10.12.113.123 SMTP Message Body
12   0.079805 10.12.113.123 -> 10.224.78.111 SMTP Response: 334 UGFzc3dvcmQ6
13   0.081017 10.224.78.111 -> 10.12.113.123 SMTP Message Body
14   0.107684 10.12.113.123 -> 10.224.78.111 TCP smtp > 12105 [ACK] Seq=253 Ack=148 Win=7496 Len=0
15   0.191686 10.12.113.123 -> 10.224.78.111 SMTP Response: 235 Authentication successful
16   0.191916 10.224.78.111 -> 10.12.113.123 SMTP Command: MAIL From:<steve@eh10222.somedomain.com.au> SIZE=615
17   0.192986 10.12.113.123 -> 10.224.78.111 SMTP Response: 250 Ok
18   0.193493 10.224.78.111 -> 10.12.113.123 SMTP Command: RCPT To:<Santa@northpole.com>
19   0.195943 10.12.113.123 -> 10.224.78.111 SMTP Response: 250 Ok
20   0.196063 10.224.78.111 -> 10.12.113.123 SMTP Command: DATA
21   0.196573 10.12.113.123 -> 10.224.78.111 SMTP Response: 354 Enter mail, end with "." on a line by itself
22   0.197120 10.224.78.111 -> 10.12.113.123 SMTP Message Body
23   0.272458 10.12.113.123 -> 10.224.78.111 TCP smtp > 12105 [ACK] Seq=350 Ack=858 Win=7604 Len=0
24   0.272474 10.224.78.111 -> 10.12.113.123 SMTP EOM: .
25   0.272909 10.12.113.123 -> 10.224.78.111 TCP smtp > 12105 [ACK] Seq=350 Ack=861 Win=9064 Len=0
26   0.273335 10.12.113.123 -> 10.224.78.111 SMTP Response: 250 Ok
27   0.289141 10.224.78.111 -> 10.12.113.123 SMTP Command: QUIT
28   0.289601 10.12.113.123 -> 10.224.78.111 SMTP Response: 221 mail.gateway.somedomain.com.au Closing transmission channel
29   0.289621 10.12.113.123 -> 10.224.78.111 TCP smtp > 12105 [FIN, PSH, ACK] Seq=422 Ack=867 Win=9058 Len=0
30   0.289884 10.224.78.111 -> 10.12.113.123 TCP 12105 > smtp [FIN, ACK] Seq=867 Ack=423 Win=6912 Len=0
31   0.290429 10.12.113.123 -> 10.224.78.111 TCP smtp > 12105 [ACK] Seq=423 Ack=868 Win=9057 Len=0
Even that is a lot of information. How much detail is your MTA logging? Here, sendmail gives me the following (in /var/log/maillog):
Code:
Mar 14 13:41:31 eh10222 sendmail[1554]: k2E3fVWh001554: from=root, size=379, class=0, nrcpts=1, msgid=<200603140341.k2E3fVWh001554@eh10222.somedomain.com.au>, relay=root@localhost
Mar 14 13:41:31 eh10222 sm-mta[1555]: k2E3fV9m001555: from=<root@eh10222.somedomain.com.au>, size=680, class=0, nrcpts=1, msgid=<200603140341.k2E3fVWh001554@eh10222.somedomain.com.au>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 14 13:41:31 eh10222 sendmail[1554]: k2E3fVWh001554: to=testing@somedomain.com.au, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30379, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (k2E3fV9m001555 Message accepted for delivery)
Mar 14 13:41:31 eh10222 sm-mta[1557]: k2E3fV9m001555: to=<testing@somedomain.com.au>, ctladdr=<root@eh10222.somedomain.com.au> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=120680, relay=sf.mail.somedomain.com.au [10.12.113.123], dsn=2.0.0, stat=Sent (Ok)

Last edited by gilead; 03-13-2006 at 10:47 PM.
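Both sources shown in the reply above carry the to:/from: information the original question asks for, but neither gives it directly: tethereal (later renamed tshark) prints one line per packet and only labels the envelope commands, while sendmail spreads the sender and the recipients of one message over several maillog lines that share a queue ID. The following is an added example, not code from the thread, showing how to turn each into a per-message record: it parses a reassembled SMTP session (as "follow TCP stream" would present it) for the envelope MAIL FROM / RCPT TO and the header From:/To: inside DATA, and it joins sendmail's from= and to= lines by queue ID. The session text, the log lines, the queue IDs and all hosts and addresses are constructed for the example. Two caveats a practitioner will want: the header From: that a mail client displays is not the envelope sender, and the two commonly disagree on spam, which is why the parser keeps both; and a port-25 capture of the kind shown above also records credentials, since the `334 VXNlcm5hbWU6` / `334 UGFzc3dvcmQ6` prompts are base64 for "Username:" / "Password:" and the two "SMTP Message Body" packets that follow them are the base64 login, so treat such captures as sensitive.

```python
"""Extract who-sent-what-to-whom from the two sources discussed in the thread:
(a) a reassembled cleartext SMTP session from a port-25 capture and (b)
sendmail-style maillog lines.  Example code for this page; sample data is constructed."""
import re
from collections import defaultdict

# Constructed sample: one SMTP transaction as a sniffer's "follow stream" shows it.
# The header From: inside DATA deliberately disagrees with the envelope MAIL FROM.
SMTP_SESSION = """\
220 mail.example.net ESMTP ready
MAIL FROM:<alice@example.org> SIZE=615
250 Ok
RCPT TO:<bob@example.net>
250 Ok
RCPT TO:<carol@example.net>
250 Ok
DATA
354 Enter mail, end with "." on a line by itself
From: ceo@example.net
To: undisclosed-recipients:;

MAIL FROM:<fake@example.invalid> is body text here, not a command
.
250 Ok
QUIT
221 mail.example.net Closing transmission channel
"""

MAIL_FROM_RE = re.compile(r"^MAIL\s+FROM:\s*<([^>]*)>", re.IGNORECASE)
RCPT_TO_RE = re.compile(r"^RCPT\s+TO:\s*<([^>]*)>", re.IGNORECASE)

def _new_tx(sender=None):
    return {"mail_from": sender, "rcpt_to": [], "hdr_from": None, "hdr_to": None}

def parse_smtp_session(text):
    """One dict per message: envelope MAIL FROM / RCPT TO plus the header From:/To:
    from DATA.  DATA state is tracked so body text is never taken as a command."""
    txs, cur, in_data, in_headers = [], None, False, False
    for line in text.splitlines():
        if in_data:
            if line == ".":                 # end of message (body dots are stuffed as "..")
                txs.append(cur)
                cur, in_data = None, False
            elif in_headers:
                if line == "":              # blank line closes the header block
                    in_headers = False
                else:                       # only "Name: value" lines are headers
                    name, sep, value = line.partition(":")
                    key = "hdr_" + name.strip().lower()
                    if sep and key in cur:
                        cur[key] = value.strip()
            continue
        m = MAIL_FROM_RE.match(line)
        if m:
            cur = _new_tx(m.group(1))
            continue
        m = RCPT_TO_RE.match(line)
        if m and cur is not None:
            cur["rcpt_to"].append(m.group(1))
            continue
        cmd = line.strip().upper()
        if cmd == "DATA":
            cur = cur or _new_tx()          # tolerate DATA without MAIL FROM
            in_data = in_headers = True
        elif cmd == "RSET":                 # RSET discards the envelope
            cur = None
    return txs

# Constructed sample in sendmail's maillog format (queue IDs, hosts, addresses made up).
# sendmail logs sender and recipients of one message on separate lines sharing a queue ID.
MAILLOG = """\
Mar 14 13:41:31 host sendmail[1554]: k2E3fVWh001554: from=root, size=379, class=0, nrcpts=1, msgid=<200603140341.k2E3fVWh001554@host.example.com>, relay=root@localhost
Mar 14 13:41:31 host sm-mta[1555]: k2E3fV9m001555: from=<root@host.example.com>, size=680, class=0, nrcpts=2, msgid=<200603140341.k2E3fVWh001554@host.example.com>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 14 13:41:31 host sendmail[1554]: k2E3fVWh001554: to=testing@example.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30379, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (k2E3fV9m001555 Message accepted for delivery)
Mar 14 13:41:31 host sm-mta[1557]: k2E3fV9m001555: to=<testing@example.com>,<other@example.net>, ctladdr=<root@host.example.com> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=120680, relay=mx.example.com [192.0.2.25], dsn=2.0.0, stat=Sent (Ok)
"""

LOG_RE = re.compile(r"(?:sendmail|sm-mta)\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<fields>.*)$")

def _addr(s):
    return s.strip().strip("<>")

def parse_maillog(text):
    """Join sendmail's per-queue-ID from= and to= lines into one record per message."""
    msgs = defaultdict(lambda: {"from": None, "client": None, "to": []})
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = msgs[m.group("qid")]
        fields = dict(f.partition("=")[::2] for f in m.group("fields").split(", ") if "=" in f)
        if "from" in fields:
            rec["from"] = _addr(fields["from"])
            rec["client"] = fields.get("relay")   # relay= on the from= line is the sending host
        if "to" in fields:                        # several recipients can share one to= line
            rec["to"].extend(_addr(a) for a in fields["to"].split(","))
    return dict(msgs)
```

Running `parse_smtp_session(SMTP_SESSION)` yields one record whose envelope sender is alice@example.org while the header From: claims ceo@example.net, and `parse_maillog(MAILLOG)` yields one record per queue ID with the connecting host taken from the relay= field of the from= line, which is the address a firewall administrator would actually want to block or rate-limit.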
All times are GMT -5.