LinuxQuestions.org > Linux - Networking > NAT how to block spam (https://www.linuxquestions.org/questions/linux-networking-3/nat-how-to-block-spam-753349/)

jarias 09-07-2009 11:38 AM

NAT how to block spam
 
Hi, I have a CentOS 5.3 server and I'm running a big NAT with different subnets, for example:

iptables -t nat -A POSTROUTING -s 192.168.28.0/28 -o eth0 -j SNAT --to 209.x.x.1
iptables -t nat -A POSTROUTING -s 192.168.28.16/28 -o eth0 -j SNAT --to 209.x.x.2
iptables -t nat -A POSTROUTING -s 192.168.28.32/28 -o eth0 -j SNAT --to 209.x.x.3
iptables -t nat -A POSTROUTING -s 192.168.28.48/28 -o eth0 -j SNAT --to 209.x.x.4
iptables -t nat -A POSTROUTING -s 192.168.28.64/28 -o eth0 -j SNAT --to 209.x.x.5
iptables -t nat -A POSTROUTING -s 192.168.28.80/28 -o eth0 -j SNAT --to 209.x.x.6
iptables -t nat -A POSTROUTING -s 192.168.28.96/28 -o eth0 -j SNAT --to 209.x.x.7


My problem is the spam from the 192.168.x.x hosts. Running tcpdump I can find the IP sending spam, all on different ports (it can be a trojan, virus, etc.).


I already run this in my iptables, for example:

iptables -A FORWARD -p TCP -s 192.168.25.50 --dport 25 -j DROP

Sometimes it stops, but there are IPs that won't stop sending ("it ignores the rule"), so I try to block the IP, not only the port:

iptables -A FORWARD -p TCP -s 192.168.25.50 -j DROP

but no luck.

Is there a way I can do this? Please advise.
Thanks

Jorge

estabroo 09-07-2009 01:30 PM

I'd check to make sure you didn't have another rule earlier in your iptables that was an accept for that IP; there shouldn't be any packet that ignores the rules.
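
One way to check for the situation estabroo describes (an earlier ACCEPT that matches the packet before the DROP is ever reached), as an added example that is not from the thread: the script parses iptables-save style rules for the FORWARD chain, applies first-match semantics, and reports DROP rules that a preceding rule already accepts. The rule text is constructed for illustration (it is not Jorge's ruleset), and the checker models only the -s, -p and --dport matches; -d, -i, -o, -m state and port ranges are skipped, so it approximates what the kernel does rather than reproducing it. Python is used instead of shell so the same code can be run offline against a saved rule dump.

```python
import ipaddress

# Constructed iptables-save style rules for illustration only (not the thread's rules).
# Rule 1 accepts the whole /24, so the per-host DROP in rule 2 is never consulted.
SAMPLE_RULES = """\
-A FORWARD -s 192.168.25.0/24 -j ACCEPT
-A FORWARD -s 192.168.25.50/32 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -s 192.168.48.86/32 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
"""

# options that take exactly one argument; only some of them are modelled below
ONE_ARG = {"-A", "-s", "-d", "-i", "-o", "-p", "-m", "-j", "--dport", "--sport", "--state"}


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into the matches this checker models."""
    tokens = line.split()
    rule = {"chain": None, "src": None, "proto": None, "dport": None, "target": None, "text": line}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        arg = tokens[i + 1] if tok in ONE_ARG and i + 1 < len(tokens) else None
        if tok == "-A":
            rule["chain"] = arg
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif tok == "-p":
            rule["proto"] = arg.lower()
        elif tok == "--dport":
            rule["dport"] = int(arg)  # single ports only; ranges are not modelled
        elif tok == "-j":
            rule["target"] = arg
        # -d, -i, -o, -m, --sport, --state are skipped: the checker ignores those matches
        i += 2 if arg is not None else 1
    return rule


def load_chain(text, chain="FORWARD"):
    """Rules of one chain, in the order iptables evaluates them."""
    parsed = (parse_rule(l) for l in text.splitlines() if l.startswith("-A "))
    return [r for r in parsed if r["chain"] == chain]


def matches(rule, src, proto, dport):
    if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    return True


def first_match(rules, src, proto, dport):
    """(index, target) of the first matching rule, or None when the chain policy applies."""
    for idx, rule in enumerate(rules):
        if matches(rule, src, proto, dport):
            return idx, rule["target"]
    return None


def shadowed_drops(rules):
    """(drop_index, accept_index) pairs: DROP rules an earlier ACCEPT prevents from matching."""
    found = []
    for idx, rule in enumerate(rules):
        if rule["target"] != "DROP" or rule["src"] is None:
            continue
        # probe with the first address of the rule's own source and its own proto/port
        probe_src = str(rule["src"].network_address)
        hit = first_match(rules, probe_src, rule["proto"], rule["dport"])
        if hit is not None and hit[0] < idx and hit[1] == "ACCEPT":
            found.append((idx, hit[0]))
    return found


if __name__ == "__main__":
    rules = load_chain(SAMPLE_RULES)
    for drop_idx, acc_idx in shadowed_drops(rules):
        print(f"rule {drop_idx + 1} is never reached: {rules[drop_idx]['text']}")
        print(f"  shadowed by rule {acc_idx + 1}: {rules[acc_idx]['text']}")
```

Feed it the output of `iptables-save -t filter`. A quicker live check is the per-rule packet counter from `iptables -L FORWARD -v -n --line-numbers`: a DROP rule whose pkts column stays at 0 while tcpdump still shows the traffic is being matched by something above it, and `iptables -I FORWARD 1 ...` puts a rule at the top of the chain instead of appending it.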

jarias 09-07-2009 03:59 PM

No luck
 
I verified my iptables; all of them are the same, I have no accept, all drop:


Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpts:epmap:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP udp -- anywhere anywhere udp dpts:epmap:netbios-ssn
DROP tcp -- 192.168.50.183 anywhere tcp dpt:smtp
DROP tcp -- 192.168.60.27 anywhere tcp dpt:smtp
DROP tcp -- 192.168.52.88 anywhere tcp dpt:smtp
DROP tcp -- 192.168.60.27 anywhere tcp dpt:smtp
DROP tcp -- 192.168.54.213 anywhere tcp dpt:smtp
DROP tcp -- 192.168.62.196 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.80 anywhere tcp dpt:smtp
DROP tcp -- 192.168.54.107 anywhere tcp dpt:smtp
DROP tcp -- 192.168.38.146 anywhere tcp dpt:smtp
DROP tcp -- 192.168.34.45 anywhere tcp dpt:smtp
DROP tcp -- 192.168.52.28 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.133 anywhere tcp dpt:smtp
DROP tcp -- 192.168.48.86 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.53 anywhere tcp dpt:smtp
DROP tcp -- 192.168.86.51 anywhere tcp dpt:smtp

Is there anything else I can do?

This is the tcpdump:

14:46:01.533999 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 27
14:46:01.534050 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 23
14:46:01.679631 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 0
14:46:02.911500 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:02.937010 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 6
14:46:02.937041 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 0
14:46:03.056900 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 0
14:46:04.720847 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:04.996840 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:05.928669 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:06.328442 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:07.093381 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:07.636737 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:07.760902 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
14:46:07.836600 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:09.246626 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:10.050068 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:10.756207 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
14:46:11.861332 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:12.655019 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:13.715786 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:13.891164 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:15.279508 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:15.715902 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:16.086177 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:16.787412 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0

Thanks


Jorge
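
The tcpdump excerpt above can be summarized instead of read by eye. The script below is an added example, not something from the thread: it parses the lines Jorge posted (tcpdump's default output, which renders port 25 as smtp and some client ports as service names), groups packets into flows and reports, per internal source, how many distinct mail servers it contacted, how many payload bytes it sent, and how many flows consisted only of zero-length segments. The embedded sample is the capture from the post; the threshold in suspicious_sources and the report layout are my own choices.

```python
import re
from collections import defaultdict

# Sample input: the tcpdump lines posted in this thread.
SAMPLE_TCPDUMP = """\
14:46:01.533999 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 27
14:46:01.534050 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 23
14:46:01.679631 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 0
14:46:02.911500 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:02.937010 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 6
14:46:02.937041 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 0
14:46:03.056900 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 0
14:46:04.720847 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:04.996840 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:05.928669 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:06.328442 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:07.093381 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:07.636737 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:07.760902 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
14:46:07.836600 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:09.246626 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:10.050068 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:10.756207 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
14:46:11.861332 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:12.655019 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:13.715786 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:13.891164 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:15.279508 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:15.715902 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:16.086177 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:16.787412 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
"""

# tcpdump default line: "<ts> IP <src>.<sport> > <dst>.<dport>: tcp <payload length>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): tcp (?P<length>\d+)$"
)


def parse_lines(text):
    """Yield one dict per parseable line; anything else (e.g. ARP, ICMP) is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["length"] = int(pkt["length"])
            yield pkt


def summarize(text, dport=("smtp", "25")):
    """Per-source summary of outbound SMTP: flows, peers, payload and payload-less flows."""
    flows = defaultdict(list)  # (src, sport, dst, dport) -> payload lengths in order seen
    for pkt in parse_lines(text):
        if pkt["dport"] not in dport:
            continue
        flows[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])].append(pkt["length"])

    report = {}
    for (src, _sport, dst, _dport), lengths in flows.items():
        entry = report.setdefault(src, {"packets": 0, "payload_bytes": 0, "flows": 0,
                                        "zero_length_flows": 0, "peers": set()})
        entry["packets"] += len(lengths)
        entry["payload_bytes"] += sum(lengths)
        entry["flows"] += 1
        entry["peers"].add(dst)
        # two or more segments and never a byte of payload: nothing got past the handshake
        if len(lengths) >= 2 and not any(lengths):
            entry["zero_length_flows"] += 1
    for entry in report.values():
        entry["distinct_peers"] = len(entry.pop("peers"))
    return report


def suspicious_sources(report, min_peers=3):
    """Sources talking to at least min_peers different mail servers (threshold is my choice)."""
    return sorted(src for src, e in report.items() if e["distinct_peers"] >= min_peers)


if __name__ == "__main__":
    report = summarize(SAMPLE_TCPDUMP)
    for src in sorted(report):
        print(src, report[src])
    print("suspicious:", suspicious_sources(report))
```

In the posted capture 192.168.46.53 contacts five different mail servers across six flows and never sends a byte, with repeats spaced about 3 s and then 6 s apart, the spacing typical of SYN retransmissions, while 192.168.48.86 and 192.168.48.101 do push payload. One caveat when reading such a capture: tcpdump on an inside interface sees a packet as it arrives, before the FORWARD chain has had a chance to drop it, so a packet appearing there is not proof it left through eth0; capturing on the outside interface (`tcpdump -i eth0 dst port 25`) shows only what actually got through.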

estabroo 09-07-2009 11:09 PM

Maybe the FORWARD chain isn't the place to put those drops; try them in the INPUT chain instead.

