09-07-2009, 11:38 AM
#1
LQ Newbie
Registered: May 2009
Posts: 12
NAT how to block spam
Hi, I have a CentOS 5.3 server and I'm running a big NAT with different subnets, for example:
iptables -t nat -A POSTROUTING -s 192.168.28.0/28 -o eth0 -j SNAT --to 209.x.x.1
iptables -t nat -A POSTROUTING -s 192.168.28.16/28 -o eth0 -j SNAT --to 209.x.x.2
iptables -t nat -A POSTROUTING -s 192.168.28.32/28 -o eth0 -j SNAT --to 209.x.x.3
iptables -t nat -A POSTROUTING -s 192.168.28.48/28 -o eth0 -j SNAT --to 209.x.x.4
iptables -t nat -A POSTROUTING -s 192.168.28.64/28 -o eth0 -j SNAT --to 209.x.x.5
iptables -t nat -A POSTROUTING -s 192.168.28.80/28 -o eth0 -j SNAT --to 209.x.x.6
iptables -t nat -A POSTROUTING -s 192.168.28.96/28 -o eth0 -j SNAT --to 209.x.x.7
My problem is the spam from the 192.168.x.x addresses. Running tcpdump I can find the IP sending spam, all on different ports (can be a trojan, virus, etc.).
I already run this in my iptables, for example:
iptables -A FORWARD -p TCP -s 192.168.25.50 --dport 25 -j DROP
Sometimes it stops, but there are IPs that won't stop sending ("it ignores the rule"), so I try to block the IP, not only the port:
iptables -A FORWARD -p TCP -s 192.168.25.50 -j DROP
but no luck.
Is there a way that I can do this? Please advise.
Thanks
Jorge
09-07-2009, 01:30 PM
#2
Senior Member
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
I'd check to make sure you don't have another rule earlier in your iptables that is an accept for that IP; there shouldn't be any packet that ignores the rules.
09-07-2009, 03:59 PM
#3
LQ Newbie
Registered: May 2009
Posts: 12
Original Poster
No luck
I verified my iptables: all of them are the same, I have no accept, all drop.
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpts:epmap:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP udp -- anywhere anywhere udp dpts:epmap:netbios-ssn
DROP tcp -- 192.168.50.183 anywhere tcp dpt:smtp
DROP tcp -- 192.168.60.27 anywhere tcp dpt:smtp
DROP tcp -- 192.168.52.88 anywhere tcp dpt:smtp
DROP tcp -- 192.168.60.27 anywhere tcp dpt:smtp
DROP tcp -- 192.168.54.213 anywhere tcp dpt:smtp
DROP tcp -- 192.168.62.196 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.80 anywhere tcp dpt:smtp
DROP tcp -- 192.168.54.107 anywhere tcp dpt:smtp
DROP tcp -- 192.168.38.146 anywhere tcp dpt:smtp
DROP tcp -- 192.168.34.45 anywhere tcp dpt:smtp
DROP tcp -- 192.168.52.28 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.133 anywhere tcp dpt:smtp
DROP tcp -- 192.168.48.86 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.53 anywhere tcp dpt:smtp
DROP tcp -- 192.168.86.51 anywhere tcp dpt:smtp
Is there anything else I can do?
This is the tcpdump:
14:46:01.533999 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 27
14:46:01.534050 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 23
14:46:01.679631 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 0
14:46:02.911500 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:02.937010 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 6
14:46:02.937041 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 0
14:46:03.056900 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 0
14:46:04.720847 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:04.996840 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:05.928669 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:06.328442 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:07.093381 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:07.636737 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:07.760902 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
14:46:07.836600 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:09.246626 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:10.050068 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:10.756207 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
14:46:11.861332 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:12.655019 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:13.715786 IP 192.168.46.53.idp-infotrieve > 213.148.129.20.smtp: tcp 0
14:46:13.891164 IP 192.168.46.53.netclip > 213.251.187.187.smtp: tcp 0
14:46:15.279508 IP 192.168.46.53.cns-srv-port > 210.239.139.167.smtp: tcp 0
14:46:15.715902 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0
14:46:16.086177 IP 192.168.46.53.identify > 216.143.120.140.smtp: tcp 0
14:46:16.787412 IP 192.168.46.53.zarkov > 216.143.120.140.smtp: tcp 0
Thanks
Jorge
09-07-2009, 11:09 PM
#4
Senior Member
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Maybe the forward chain isn't the place to put those drops; try them in the input chain instead.
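
An added example, not part of the thread: a shell check that compares the SMTP senders seen in a capture like the one in post #3 with the per-host DROP rules in the FORWARD listing, to find hosts that have no rule at all. The `RULES` and `CAPTURE` samples are a subset of the output posted above, and the function names are made up for this example.

```shell
#!/bin/sh
# Sample input: a subset of the `iptables -L FORWARD` listing from post #3.
RULES='DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP tcp -- 192.168.48.86 anywhere tcp dpt:smtp
DROP tcp -- 192.168.46.53 anywhere tcp dpt:smtp
DROP tcp -- 192.168.60.27 anywhere tcp dpt:smtp'

# Sample input: a subset of the tcpdump lines from post #3.
CAPTURE='14:46:01.533999 IP 192.168.48.86.51799 > 72.14.247.109.smtp: tcp 27
14:46:02.911500 IP 192.168.46.53.bullant-srap > 92.51.139.26.smtp: tcp 0
14:46:02.937010 IP 192.168.48.101.49592 > 216.246.45.93.smtp: tcp 6
14:46:12.655019 IP 192.168.62.52.proofd > 209.85.210.7.smtp: tcp 0'

# Source column of every tcp DROP rule whose match is destination port smtp/25.
blocked_sources() {
    printf '%s\n' "$1" |
        awk '$1 == "DROP" && $2 == "tcp" &&
             ($NF == "dpt:smtp" || $NF == "dpt:25") { print $4 }' |
        LC_ALL=C sort -u
}

# Unique source addresses of captured packets going to port smtp/25.
# tcpdump prints "addr.port", so the last dot-separated field is stripped.
smtp_senders() {
    printf '%s\n' "$1" |
        awk '$2 == "IP" && $4 == ">" && $5 ~ /\.(smtp|25):$/ {
                 src = $3; sub(/\.[^.]+$/, "", src); print src }' |
        LC_ALL=C sort -u
}

# $1 = rule listing, $2 = capture. Prints "<ip> has-drop-rule" or "<ip> NO-RULE".
# A rule with source "anywhere" (or 0.0.0.0/0 with -n) covers every sender.
classify_senders() {
    rules=$(blocked_sources "$1")
    smtp_senders "$2" | while read -r ip; do
        if printf '%s\n' "$rules" |
               grep -qxF -e "$ip" -e anywhere -e 0.0.0.0/0; then
            echo "$ip has-drop-rule"
        else
            echo "$ip NO-RULE"
        fi
    done
}

classify_senders "$RULES" "$CAPTURE"
```

Hosts marked `has-drop-rule` can still appear in a capture taken on the inside interface, because tcpdump sees incoming packets before the FORWARD chain runs; the packet counters shown by `iptables -L FORWARD -v -n` tell whether those rules are actually matching.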