LinuxQuestions.org

Linux - Security: iptables port 25 connection limit without blocking Barracudas/Smart_Phones (https://www.linuxquestions.org/questions/linux-security-4/iptables-port-25-connection-limit-without-blocking-barracudas-smart_phones-855627/)

rhbegin 01-11-2011 11:20 AM

iptables port 25 connection limit without blocking Barracudas/Smart_Phones
 
I am at a loss as to how to prevent Denial of Service attacks on port 25 without blocking legitimate connections from 2 Barracuda 800(s) or smart phones such as iPhones/Blackberrys that use the server smtp.server.com for email.

Presently for port 25 I have:

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

The 2 Barracuda 800(s) make port 25 connections all the time, plus users with smart_phones have the incoming server type:
IMAP
pop.server.com
smtp.server.com

Is there a way to keep Denial of Service attacks from happening with iptables rules without causing blocking to the Barracuda(s) that make constant port 25 connections & smart phones that poll?

I was thinking if I allowed the Barracuda(s) in these lines

-s (barracuda)24.xx.xx.xx -d (emailserver)24.00.xx.xx -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT

Where the source would be the Barracuda going to the email server.

It would be allowed; then I am left with how to allow other connections, like Smart_Phones that connect via port 25. I am thinking that if I put rules in place doing connection counts per minute, it would result in errors connecting to the server and people would start complaining. Plus any limiting may result in blocking real traffic.

Then would I need to allow the ISP range in the above example to accept port 25? I am still left with how to drop a flood/denial of service attack.

I am at a loss, any help would be great.

win32sux 01-11-2011 01:21 PM

How about doing per-IP limits by means of the recent match module?

There should be several examples of that here in LQSEC.

rhbegin 01-12-2011 09:01 PM

Quote:

Originally Posted by win32sux (Post 4220834)
How about doing per-IP limits by means of the recent match module?

There should be several examples of that here in LQSEC.

Can you list the section it is located in?

I have set the server to deny connections to port 443 for webmail.

I could have done this with another iptables (firewall) rule, but I used the -I (insert) command and placed it in the 'INPUT' chain.

iptables -I RH-Firewall-1-INPUT (line-number) -s 170.51.0.0/255.255.0.0 -d 199.xx.xx.xx -p tcp -m tcp --dport 443 -j DROP

This will deny access to webmail without impacting legitimate traffic to the server.

I am still working on blocking, for example, 170.51.0.0/16 to port 25 but allowing the email server to send to an email server in this range if needed. The Barracuda(s) will allow an email address through the mail exchanger with the IP range blocked.

The trick is how to set up iptables to allow the email outbound and to connect to the email server.

If 170.51.0.0/16 is set to DROP on INPUT, then no email can be sent from the server since it will fail to connect to it.

Still working on it; I know there has to be a way to do it. I have been testing today but will pick up tomorrow.

thanks
:)

rhbegin 01-15-2011 12:09 PM

Does anyone know if you can drop traffic from a malicious IP range and yet allow an outgoing connection to the range if an SMTP server is in that domain?

Would tcp_wrappers work?
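
Added example covering both win32sux's recent-match suggestion above and the question in this post (drop a hostile range on INPUT while the server can still deliver to an MX inside it). This is not code from the thread or from any of the posters. It assumes the RHEL chain RH-Firewall-1-INPUT from the first post; the relay addresses 192.0.2.10 and 192.0.2.11, the hostile range 203.0.113.0/24 (RFC 5737 documentation ranges standing in for the masked IPs), the chain name SMTP_LIMIT and the window/hitcount values are all my own choices. `sh smtp-limit.sh show` prints the rules, `apply` (as root) loads them, `hits` dumps the recent table:

```shell
#!/bin/sh
# Added example, not code from the thread: per-source limiting of NEW inbound
# SMTP connections with the iptables "recent" match, a bypass for the two
# trusted relays, and a DROP of inbound SMTP from one hostile range that does
# not touch the server's own outbound SMTP. RH-Firewall-1-INPUT is the chain
# from the original post; the addresses are assumed values (RFC 5737 ranges)
# standing in for the thread's masked IPs.
set -eu

RELAYS="${RELAYS:-192.0.2.10 192.0.2.11}"   # assumed: the two Barracuda 800s
BAD_RANGE="${BAD_RANGE:-203.0.113.0/24}"    # assumed: range to refuse inbound SMTP from
WINDOW="${WINDOW:-60}"                       # seconds of history kept per source
HITS="${HITS:-10}"                           # NEW connections per source per WINDOW

# build_rules prints the iptables commands, one per line, in the order they
# must run: the relay bypass has to come before the counting rules, and the
# jump into SMTP_LIMIT has to sit in front of the existing --dport 25 ACCEPT.
build_rules() {
    echo "iptables -N SMTP_LIMIT"
    # Only packets that open a NEW connection to local port 25 are diverted.
    # Replies to SMTP sessions this host opened are ESTABLISHED and arrive with
    # source port 25 (not destination port 25), so they never enter SMTP_LIMIT;
    # outbound mail to $BAD_RANGE keeps working while inbound from it is dropped.
    echo "iptables -I RH-Firewall-1-INPUT 1 -p tcp -m tcp --dport 25 -m state --state NEW -j SMTP_LIMIT"
    for relay in $RELAYS; do
        echo "iptables -A SMTP_LIMIT -s $relay -j ACCEPT"   # relays are never counted
    done
    echo "iptables -A SMTP_LIMIT -s $BAD_RANGE -j DROP"
    # --set records this source with the current time; --update then refreshes
    # the entry and drops once HITS hits (this one included) fall inside WINDOW
    # seconds, so a source that keeps hammering stays blocked until it goes quiet.
    echo "iptables -A SMTP_LIMIT -m recent --name smtp --set"
    echo "iptables -A SMTP_LIMIT -m recent --name smtp --update --seconds $WINDOW --hitcount $HITS -j DROP"
    echo "iptables -A SMTP_LIMIT -j ACCEPT"
}

# apply_rules runs the commands; needs root and a kernel with xt_recent
# (ipt_recent on older 2.6 kernels).
apply_rules() {
    build_rules | sh -e
}

# show_hits prints the recent table so you can see who is being counted
# before lowering HITS.
show_hits() {
    for f in /proc/net/xt_recent/smtp /proc/net/ipt_recent/smtp; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "recent table 'smtp' not loaded" >&2
    return 1
}

case "${1:-}" in
    apply) apply_rules ;;
    hits)  show_hits ;;
    show)  build_rules ;;
esac
```

Two caveats before tightening HITS: `--hitcount` cannot exceed the recent module's per-entry packet history (ip_pkt_list_tot, default 20; raise it with a module parameter before loading the rules), and the table holds only the 100 most recently seen sources by default, so a flood from many addresses, or a SYN flood with spoofed sources, is not something a per-IP counter stops (enable net.ipv4.tcp_syncookies for the latter). Phones behind a carrier NAT share one source address, so check `hits` output on a normal day before choosing the threshold. On the tcp_wrappers question: hosts.deny is consulted only when a libwrap-aware daemon accepts an inbound connection, so it would never interfere with connections the server itself opens, but it also cannot count or rate-limit.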

120 01-17-2011 01:54 AM

Not sure how you have that set up, but if you have a clustered pair of 800s in inbound mode, can't you just use their own rate control and IP blocking features to do the heavy lifting for you? After all, Barracuda do advertise them as protecting against DoS.

