Linux - Networking
Hey,
I am running a Linux router that provides internet access for its users. That means all traffic is sent/received through this router machine, and I need to apply some iptables rules to block/rate-limit ports like 25 (SMTP) to prevent spamming, IP and port scanning, DoS/DDoS attacks, SSH brute-force attacks, etc.
I have made a checklist containing useful iptables rules to make these filters, but when I apply them, they do not work properly.
After applying this rule, clients can still connect to any mail server on port 25 without any problem!
Client:
Code:
C:\nc>nc mail.linuxquestions.org 25
220 sql02.linuxquestions.org ESMTP Sendmail 8.13.8/8.13.8; Wed, 23 Jan 2013 14:06:40 -0500
HELP
214-2.0.0 This is sendmail
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
QUIT
221 2.0.0 sql02.linuxquestions.org closing connection
C:\nc>
To make sure the client traffic is passing through the configured Linux router, I did a traceroute:
Code:
C:\nc>tracert mail.linuxquestions.org
Tracing route to smtp.linuxquestions.org [208.101.3.244]
over a maximum of 30 hops:
1 352 ms 350 ms 352 ms 10.8.0.1
2 348 ms 350 ms 350 ms node21.buyvm.net [205.185.xxx.xxx]
3 * 351 ms 352 ms 10.1.1.1
4 364 ms 354 ms 364 ms 10gigabitethernet3-2.core1.las1.he.net [64.62.249.89]
5 362 ms 369 ms 359 ms 10gigabitethernet3-2.core1.lax2.he.net [184.105.222.161]
6 362 ms * 357 ms te2-6.bbr01.cs01.lax01.networklayer.com.any2ix.coresite.com [206.223.143.131]
7 485 ms * * ae19.bbr01.eq01.dal03.networklayer.com [173.192.18.140]
8 433 ms 435 ms 432 ms ae0.dar02.sr01.dal01.networklayer.com [173.192.18.253]
9 * 417 ms 419 ms po2.fcr01.sr01.dal01.networklayer.com [66.228.118.158]
10 422 ms 425 ms 427 ms smtp.linuxquestions.org [208.101.3.244]
Trace complete.
Do you know what the problem is?
The router machine has one Ethernet card with a routable IP address, and clients connect to this machine using the PPTP service.
Could you double-check that eth0 is the Internet-facing NIC?
Hi jschiwal,
Thank you for the reply. The server and client I am testing this issue on both have only one Ethernet card. There is no way that traffic could pass through another link.
Code:
C:\nc>nc mail.linuxquestions.org 25
220 sql02.linuxquestions.org ESMTP Sendmail 8.13.8/8.13.8; Fri, 1 Feb 2013 05:14:39 -0500
HELP
214-2.0.0 This is sendmail
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
QUIT
221 2.0.0 sql02.linuxquestions.org closing connection
Finally got it to work!
Actually, it didn't work on my OpenVZ VPS; I don't know why, but I know there are some differences between virtualization platforms. I tried your iptables commands on an ESXi VPS, and it works (the one with the -o eth0 option) perfectly well now.
This is the output of "iptables -nvL" on my OpenVZ VPS.
Just to let you know: the best practice for the firewall is a default-deny policy on the INPUT, OUTPUT and FORWARD chains, and then ONLY allow the traffic you want to allow. This way you know what you want IN/OUT/FORWARD, and if you don't have a rule for it, it will automatically be DROPped.
Just curious to know: are you running a container or a virtual machine?
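A firewall script for the set-up described in this thread (PPTP clients on the router, one Internet-facing NIC), written here as an added example; it is not code from this thread or from any of the posters. It puts the port-25 REJECT and an SSH rate limit ahead of the general client-to-Internet ACCEPT, because iptables stops at the first matching rule in a chain, and it sets the default-deny FORWARD policy recommended above. It assumes eth0 is the Internet-facing interface and that PPTP clients arrive on ppp+ interfaces; the variable names, the IPT=echo dry-run switch and the SSH limit (4 new connections per 60 seconds per client address) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): FORWARD-chain rules for a PPTP router
# that sends client traffic out through one Internet-facing NIC.
# Assumptions: eth0 is the Internet side, PPTP clients arrive on ppp0, ppp1, ...
# IPT=echo prints the rules instead of loading them (dry run).
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"    # assumed Internet-facing interface
VPN_IF="${VPN_IF:-ppp+}"    # assumed client-facing PPTP interfaces (wildcard)

forward_rules() {
    # Start from an empty chain so re-running gives the same order every time.
    $IPT -F FORWARD
    # Default deny: anything no rule accepts is dropped.
    $IPT -P FORWARD DROP

    # 1. Blocks go first. iptables stops at the first matching rule, so a REJECT
    #    placed after a catch-all ACCEPT is never reached (the problem in this thread).
    $IPT -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -p tcp --dport 25 \
        -j REJECT --reject-with tcp-reset

    # 2. Rate limit: record each new SSH connection per client source address and
    #    drop the 4th and later attempts within 60 seconds.
    $IPT -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -m recent --name ssh --set
    $IPT -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP

    # 3. Only now the general allow: clients out to the Internet, and reply
    #    traffic back in for connections the clients opened.
    $IPT -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$VPN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Only load the rules when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "apply" ]; then
    forward_rules
fi
```

Run it as root with `sh firewall.sh apply`; with `IPT=echo sh firewall.sh apply` it prints the rules instead of loading them, which is a quick way to check the ordering before touching a remote router. Afterwards, `iptables -nvL FORWARD` lists the live rules top to bottom in match order, and the packet counters on the REJECT line show whether port-25 attempts are actually hitting it.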
I could revise my iptables checklist and block SMTP and rate-limit FTP and SSH connections with your help. The only thing left is to block BitTorrent traffic.
I tried to use the l7-filter-userspace package, but its manual is vague to me and there is no clear and complete guide on how to use it. I would be thankful if you would share your solution for blocking torrent traffic.
Quote:
Originally Posted by KinnowGrower
On the FORWARD chain there is a rule before the SMTP reject rule. That may be allowing it to pass through the firewall.
Just to let you know: the best practice for the firewall is a default-deny policy on the INPUT, OUTPUT and FORWARD chains, and then ONLY allow the traffic you want to allow. This way you know what you want IN/OUT/FORWARD, and if you don't have a rule for it, it will automatically be DROPped.
Just curious to know: are you running a container or a virtual machine?
Thank you. The server is a virtual machine. Blocking all ports by default and opening a few of them manually can be a good choice when the server is dedicated to specific services like HTTP or SQL, but I can do that on a router machine.