Help me to apply a few iptables rules
 

Hey,
I am running a Linux router that provides internet access for it's users. That means all traffic is being sent/received through this router machine and I need to apply some iptable rules to block/ratelimit ports like 25 (SMTP) to prevent spamming, ip and port scanning, DoS /DDoS attacks, SSH brute force attacks, etc.

I have made a check list containing useful iptables rules to make this filters but when I apply them, they do not work properly.

The first rule is to block SMTP traffic.

Server:
After applying this rule, clients still can connect to any mail server on port 25 without any problem!

Client:

To make sure the client traffic is passing through the configured linux router I did a trace route:


Do you know what the problem is?


Router machine has one ethernet card with a routeable IP address and clients connect to this machine using pptp service.

Could you double check that eth0 is the Internet facing nic device?

Hi jschiwal,
Thank you for the reply. The server and client I am testing this issue on both have only one ethernet card. There is no way that traffic could pass through another link.

Hi, The problem seems to be in the placement of your iptables rules:

iptables will see the packets from top to bottow, the first two rules say ACCEPT from any to any.

Place your rule above the ACCEPT rule with the -I option, so the syntax would be:

If the eth0 is internet facing NIC then I think the correct rule would be
Please try and let us know

thanks

Ideally this would be right, but since the server has only 1 NIC it wouldn't matter.

Thank you guys,
tried with both -i and -o options, but clients can still connect to remote SMTP servers. :confused:

Server:

Client:

Plz post the output of: iptables -nvL

Finally got it to work!
Actually it didn't work on my OpenVZ VPS, I don't know why but I know there are some differences between different virtualizations. I tried your iptables commands on an ESXI VPS and it works (the one with -o eth0 option) perfectly well now.

This is the output for "iptables -nvL" on my OpenVZ VPS.


It would be great if I can do this on OpenVZ either.
Thank You.

On the forward chain there is rule before the SMTP reject rule. That may be allowing it pass through the fire wall.
Just let you know. The best practice for the firewall is Default deny policy on INPUT, OUTPUT and FORWARD Chains and then ONLY allow the traffic you want to allow. This way you know what you want IN/OUT/FORWARD and if you dont have rule that will automatically be DROPed


Just curious to know are you running container or Virtual machine?

I could revise my iptables checklist and block SMTP and rate limite FTP and SSH connections with your help. The only thing left is to block bittorrent traffic.

I tried to use l7-filter-userspace package but it's manual is vague to me and there is not a clear and complete guide about how someone can use it. I would be thankful if you share your solution for blocking torrent traffic.


Thank you. The server is a virtual machine. Blocking all ports by default and opening a few of them manually can be a good choice when the server is dedicated for a specific services like HTTP or SQL but I can do that on a router machine.