NAT how to block spam
Hi, I have a CentOS 5.3 server and I'm running a big NAT with different subnets, for example:

iptables -t nat -A POSTROUTING -s 192.168.28.0/28 -o eth0 -j SNAT --to 209.x.x.1
iptables -t nat -A POSTROUTING -s 192.168.28.16/28 -o eth0 -j SNAT --to 209.x.x.2
iptables -t nat -A POSTROUTING -s 192.168.28.32/28 -o eth0 -j SNAT --to 209.x.x.3
iptables -t nat -A POSTROUTING -s 192.168.28.48/28 -o eth0 -j SNAT --to 209.x.x.4
iptables -t nat -A POSTROUTING -s 192.168.28.64/28 -o eth0 -j SNAT --to 209.x.x.5
iptables -t nat -A POSTROUTING -s 192.168.28.80/28 -o eth0 -j SNAT --to 209.x.x.6
iptables -t nat -A POSTROUTING -s 192.168.28.96/28 -o eth0 -j SNAT --to 209.x.x.7

My problem is the spam from the 192.168.x.x hosts. Running tcpdump I can find the IP sending spam, all on different ports (can be a trojan, virus, etc.). I already run this in my iptables, for example:

iptables -A FORWARD -p TCP -s 192.168.25.50 --dport 25 -j DROP

Sometimes it stops, but there are IPs that won't stop sending, "it ignores the rule", so I try to block the IP, not only the port:

iptables -A FORWARD -p TCP -s 192.168.25.50 -j DROP

but no luck. Is there a way that I can do this? Please advise.

Thanks,
Jorge
I'd check to make sure you didn't have another rule earlier in your iptables that was an accept for that IP; there shouldn't be any packet that ignores the rules.
No luck
I verified my iptables; all of them are the same, I have no accept, all drop:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpts:epmap:netbios-ssn
DROP       tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpts:epmap:netbios-ssn
DROP       tcp  --  192.168.50.183       anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.60.27        anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.52.88        anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.60.27        anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.54.213       anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.62.196       anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.46.80        anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.54.107       anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.38.146       anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.34.45        anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.52.28        anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.46.133       anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.48.86        anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.46.53        anywhere             tcp dpt:smtp
DROP       tcp  --  192.168.86.51        anywhere             tcp dpt:smtp

Is there anything else I can do? This is the tcpdump:

14:46:01.533999 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 27
14:46:01.534050 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 23
14:46:01.679631 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 0
14:46:02.911500 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:02.937010 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 6
14:46:02.937041 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 0
14:46:03.056900 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 0
14:46:04.720847 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:04.996840 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:05.928669 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:06.328442 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:07.093381 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:07.636737 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:07.760902 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
14:46:07.836600 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:09.246626 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:10.050068 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:10.756207 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
14:46:11.861332 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:12.655019 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:13.715786 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:13.891164 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:15.279508 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:15.715902 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:16.086177 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:16.787412 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0

Thanks,
Jorge
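Added example, not part of the thread: a shell script that counts outbound SMTP attempts per internal host from tcpdump output in the format posted above and prints, for the busiest hosts, a drop rule inserted at position 1 of FORWARD so that no earlier ACCEPT can shadow it. One check worth knowing here: tcpdump on the LAN-side interface captures packets before netfilter's FORWARD chain runs, so dropped packets still appear in the capture, and the rule's pkts counter (iptables -L FORWARD -v -n -x) is what shows whether it is matching. The sample capture lines are constructed, and eth1 as the LAN interface is an assumption (eth0 as the upstream interface comes from the SNAT rules in the thread).

```shell
#!/bin/sh
# Added example (not from the thread): count outbound SMTP attempts per
# internal host in tcpdump output and emit a FORWARD drop rule for each
# host at or above a threshold. Constructed sample lines follow, in the
# same format as the capture posted in the thread.
SAMPLE_CAPTURE='14:46:01.533999 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 27
14:46:02.911500 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:04.720847 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:04.996840 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:05.928669 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:12.655019 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:13.000000 IP 192.168.62.52.49999 > 209.85.210.7.http: tcp 0'

# smtp_sources: read tcpdump lines on stdin and print "count source_ip" for
# every 192.168.x.x host talking to a remote SMTP port (".smtp:" with name
# resolution, ".25:" when tcpdump runs with -n), busiest host first.
smtp_sources() {
    awk '$2 == "IP" && $5 ~ /\.(smtp|25):$/ {
             src = $3; sub(/\.[^.]*$/, "", src)   # drop the source port/service
             if (src ~ /^192\.168\./) n[src]++
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# suggest_rules THRESHOLD: for hosts with at least THRESHOLD attempts, print
# a rule inserted at the top of FORWARD (so no earlier ACCEPT shadows it) and
# bound to the upstream interface eth0 used in the thread's SNAT rules.
suggest_rules() {
    threshold=$1
    smtp_sources | while read -r count src; do
        [ "$count" -ge "$threshold" ] || continue
        echo "iptables -I FORWARD 1 -s $src -o eth0 -j DROP   # $count SMTP attempts"
    done
}

# On the gateway, feed a bounded live capture from the LAN side (eth1 is an
# assumption) instead of the sample:
#   tcpdump -i eth1 -c 1000 'tcp port 25' | suggest_rules 5
# Confirm a rule is matching from its pkts counter, not from tcpdump, since
# the LAN-side capture sees packets before the FORWARD chain drops them:
#   iptables -L FORWARD -v -n -x
printf '%s\n' "$SAMPLE_CAPTURE" | smtp_sources
printf '%s\n' "$SAMPLE_CAPTURE" | suggest_rules 2
```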
Maybe the FORWARD chain isn't the place to put those drops; try them in the INPUT chain instead.