Old 09-07-2009, 11:38 AM   #1
jarias
NAT how to block spam


Hi, I have a CentOS 5.3 server and I'm running a big NAT with different subnets, for example:

iptables -t nat -A POSTROUTING -s 192.168.28.0/28 -o eth0 -j SNAT --to 209.x.x.1
iptables -t nat -A POSTROUTING -s 192.168.28.16/28 -o eth0 -j SNAT --to 209.x.x.2
iptables -t nat -A POSTROUTING -s 192.168.28.32/28 -o eth0 -j SNAT --to 209.x.x.3
iptables -t nat -A POSTROUTING -s 192.168.28.48/28 -o eth0 -j SNAT --to 209.x.x.4
iptables -t nat -A POSTROUTING -s 192.168.28.64/28 -o eth0 -j SNAT --to 209.x.x.5
iptables -t nat -A POSTROUTING -s 192.168.28.80/28 -o eth0 -j SNAT --to 209.x.x.6
iptables -t nat -A POSTROUTING -s 192.168.28.96/28 -o eth0 -j SNAT --to 209.x.x.7


My problem is the spam from the 192.168.x.x. Running tcpdump I can find the IP sending spam, all on different ports (can be a trojan, virus, etc.).


I already run in my iptables

Example

iptables -A FORWARD -p TCP -s 192.168.25.50 --dport 25 -j DROP

Sometimes it stops, but there are IPs that won't stop sending ("it ignores the rule"), so I try to block the IP, not only the port:

iptables -A FORWARD -p TCP -s 192.168.25.50 -j DROP

but no luck.

Is there a way that I can do this? Please advise.
Thanks

Jorge
 
Old 09-07-2009, 01:30 PM   #2
estabroo
I'd check to make sure you didn't have another rule earlier in your iptables that was an accept for that IP; there shouldn't be any packet that ignores the rules.
 
Old 09-07-2009, 03:59 PM   #3
jarias
No luck

I verified my iptables; all of them are the same. I have no accept, all drop.


Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpts:epmap:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP udp -- anywhere anywhere udp dpts:epmap:netbios-ssn
DROP tcp -- 192.168.50.183 anywhere tcp dpt:smtp
DROP tcp -- 192.168.60.27 anywhere tcp dpt:smtp
DROP tcp -- 192.168.52.88 anywhere tcp dpt:smtp
DROP tcp -- 192.168.60.27 anywhere tcp dpt:smtp
DROP tcp -- 192.168.54.213 anywhere tcp dpt:smtp
DROP tcp -- 192.168.62.196 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.80 anywhere tcp dpt:smtp
DROP tcp -- 192.168.54.107 anywhere tcp dpt:smtp
DROP tcp -- 192.168.38.146 anywhere tcp dpt:smtp
DROP tcp -- 192.168.34.45 anywhere tcp dpt:smtp
DROP tcp -- 192.168.52.28 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.133 anywhere tcp dpt:smtp
DROP tcp -- 192.168.48.86 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.53 anywhere tcp dpt:smtp
DROP tcp -- 192.168.86.51 anywhere tcp dpt:smtp

Is there anything else I can do?

This is the tcpdump:

14:46:01.533999 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 27
14:46:01.534050 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 23
14:46:01.679631 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 0
14:46:02.911500 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:02.937010 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 6
14:46:02.937041 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 0
14:46:03.056900 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 0
14:46:04.720847 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:04.996840 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:05.928669 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:06.328442 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:07.093381 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:07.636737 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:07.760902 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
14:46:07.836600 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:09.246626 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:10.050068 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:10.756207 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
14:46:11.861332 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:12.655019 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:13.715786 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:13.891164 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:15.279508 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:15.715902 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:16.086177 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:16.787412 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0

Thanks


Jorge
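
Comparing the FORWARD listing with the tcpdump output in post #3, as an added example that is not part of the original posts: two of the senders in the capture (192.168.48.101 and 192.168.62.52) have no DROP rule in the listing, while the others have one and are still captured. The sample input is a subset of the lines quoted above; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: which SMTP senders in the capture lack a per-host DROP rule?
# Sample input: a subset of the FORWARD listing and tcpdump lines from the
# thread. Function names are hypothetical.
RULES='DROP tcp -- 192.168.48.86 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.53 anywhere tcp dpt:smtp
DROP tcp -- 192.168.86.51 anywhere tcp dpt:smtp'

CAPTURE='14:46:01.533999 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 27
14:46:02.911500 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:02.937010 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 6
14:46:12.655019 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:15.715902 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0'

# Source addresses that have a DROP rule for destination port smtp.
dropped_sources() {
    printf '%s\n' "$RULES" |
        awk '$1 == "DROP" && $NF == "dpt:smtp" { print $4 }' | sort -u
}

# Source addresses seen sending to port smtp. tcpdump prints "addr.port",
# so the last dot-separated field (port number or service name) is removed.
smtp_senders() {
    printf '%s\n' "$CAPTURE" |
        awk '$2 == "IP" && $5 ~ /\.smtp:$/ { sub(/\.[^.]+$/, "", $3); print $3 }' |
        sort -u
}

# Senders in the capture that no per-host rule covers.
uncovered_senders() {
    rules=$(dropped_sources)
    smtp_senders | while read -r ip; do
        printf '%s\n' "$rules" | grep -qxF "$ip" || echo "$ip"
    done
}

# Senders that have a rule and still show up in the capture.
covered_but_seen() {
    rules=$(dropped_sources)
    smtp_senders | while read -r ip; do
        if printf '%s\n' "$rules" | grep -qxF "$ip"; then echo "$ip"; fi
    done
}

echo "no DROP rule:"; uncovered_senders
echo "rule present, still captured:"; covered_but_seen
```

A capture taken on the LAN-side interface records packets before the FORWARD chain is evaluated, so a host with a working DROP rule still appears there. Capturing on eth0 (the outbound interface in the SNAT rules) or reading the packet counters from `iptables -L FORWARD -v -n` shows whether anything is actually being forwarded.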
 
Old 09-07-2009, 11:09 PM   #4
estabroo
Maybe the FORWARD chain isn't the place to put those drops; try them in the INPUT chain instead.
 
  

