Help me to apply a few iptables rules
Hey,
I am running a Linux router that provides internet access for its users. That means all traffic is being sent/received through this router machine and I need to apply some iptables rules to block/rate-limit ports like 25 (SMTP) to prevent spamming, IP and port scanning, DoS/DDoS attacks, SSH brute force attacks, etc. I have made a checklist containing useful iptables rules to make these filters, but when I apply them, they do not work properly. The first rule is to block SMTP traffic.

Server:
Code:
root@GeneralVPS:~# iptables -L FORWARD

Client:
Code:
C:\nc>nc mail.linuxquestions.org 25

To make sure the client traffic is passing through the configured Linux router I did a trace route:
Code:
C:\nc>tracert mail.linuxquestions.org

Do you know what the problem is? The router machine has one Ethernet card with a routable IP address and clients connect to this machine using the pptp service.
Could you double check that eth0 is the Internet-facing NIC device?
Thank you for the reply. The server and client I am testing this issue on both have only one Ethernet card. There is no way that traffic could pass through another link.
Hi,

The problem seems to be in the placement of your iptables rules. Place your rule above the ACCEPT rule with the -I option, so the syntax would be:
Code:
iptables -I FORWARD -i eth0 -p tcp --dport 25 -j REJECT
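As an added example (not code from the thread or from any of its posters), here is a small POSIX shell script that turns the advice above into a complete iptables-restore ruleset: the SMTP reject is placed before any ACCEPT in the FORWARD chain, and the SSH and FTP rate limits the opening post asked for are added with the `recent` and `hashlimit` matches. The interface names eth0 (WAN) and ppp+ (pptp clients), the ports and the limit values are assumptions. The script only prints the ruleset and checks the rule order; it never touches the live firewall unless you pipe its output into iptables-restore yourself.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables-restore ruleset
# for a router whose single NIC (eth0) faces the Internet and whose pptp
# clients arrive on ppp+ interfaces. All names and limits are assumptions.

WAN_IF="${WAN_IF:-eth0}"      # assumed Internet-facing interface
CLIENT_IF="${CLIENT_IF:-ppp+}" # assumed pptp client interfaces

# Print the filter table. iptables-restore skips lines starting with '#',
# so the comments can stay in the generated file.
gen_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Rules match top-down and the first terminating target wins, so the SMTP
# reject must sit above any broad ACCEPT for forwarded client traffic.
-A FORWARD -o $WAN_IF -p tcp --dport 25 -j REJECT --reject-with tcp-reset
# SSH brute force from clients: record each new connection per source, then
# drop the 5th and later new connections seen within 60 seconds.
-A FORWARD -o $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A FORWARD -o $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
# FTP control connections: per source IP, drop anything above 2/s (burst 5).
-A FORWARD -o $WAN_IF -p tcp --dport 21 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ftp --hashlimit-mode srcip --hashlimit-above 2/sec --hashlimit-burst 5 -j DROP
# Replies and everything else from clients are accepted only after the
# filters above have had their chance to match.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $CLIENT_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Line number (within the generated ruleset) of the first rule containing
# the given fixed string, or empty if absent.
rule_line() {
  gen_rules | grep -nF -- "$1" | head -n 1 | cut -d: -f1
}

# Succeeds only if the SMTP reject precedes the first ACCEPT in FORWARD,
# i.e. the ordering mistake discussed in the thread is not present.
check_order() {
  reject=$(rule_line '--dport 25 -j REJECT')
  accept=$(rule_line '-j ACCEPT')
  [ -n "$reject" ] && [ -n "$accept" ] && [ "$reject" -lt "$accept" ]
}

# Usage: WAN_IF=eth0 sh rules.sh --print > rules.v4
#        iptables-restore < rules.v4   (as root, after reviewing the file)
if [ "${1:-}" = "--print" ]; then
  check_order || { echo "refusing: SMTP reject is below an ACCEPT" >&2; exit 1; }
  gen_rules
fi
```

iptables-restore loads the whole table atomically, so there is no window in which half the rules are applied, which is an advantage over appending rules one `iptables -A` at a time. After loading, `iptables -nvL FORWARD --line-numbers` shows the order the kernel actually evaluates and the per-rule packet counters, which is exactly the check the thread converges on for finding an ACCEPT that shadows the reject.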
If eth0 is the Internet-facing NIC then I think the correct rule would be:
Quote:

thanks
Thank you guys,

I tried with both the -i and -o options, but clients can still connect to remote SMTP servers. :confused:

Server:
Code:
root@GeneralVPS:~# iptables -L FORWARD

Client:
Code:
C:\nc>nc mail.linuxquestions.org 25
Please post the output of: iptables -nvL
Finally got it to work!

Actually it didn't work on my OpenVZ VPS, I don't know why, but I know there are some differences between different virtualizations. I tried your iptables commands on an ESXi VPS and it works (the one with the -o eth0 option) perfectly well now. This is the output of "iptables -nvL" on my OpenVZ VPS.
Code:
root@GeneralVPS:~# iptables -nvL

It would be great if I could do this on OpenVZ too. Thank you.
On the FORWARD chain there is a rule before the SMTP reject rule. That may be allowing it to pass through the firewall.

Just curious to know, are you running a container or a virtual machine?
I could revise my iptables checklist and block SMTP and rate-limit FTP and SSH connections with your help. The only thing left is to block BitTorrent traffic.

I tried to use the l7-filter-userspace package, but its manual is vague to me and there is no clear and complete guide on how to use it. I would be thankful if you could share your solution for blocking torrent traffic.