LinuxQuestions.org

Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-11-2011, 11:20 AM   #1
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

iptables port 25 connection limit without blocking Barracudas/Smart_Phones


I am at a loss as to how to prevent Denial of Service attacks on port 25 without blocking legitimate connections from 2 Barracuda 800(s) or smart phones such as iPhones/BlackBerrys that use the server smtp.server.com for email.

Presently for port 25

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

The 2 Barracuda 800(s) make port 25 connections all the time, plus users with smart_phones have the incoming server type:
IMAP
pop.server.com
smtp.server.com

Is there a way to keep Denial of Service attacks from happening with iptables rules without causing blocking to the Barracuda(s) that make constant port 25 connections & smart phones that poll?

I was thinking if I allowed the Barracuda(s) in these lines

-A RH-Firewall-1-INPUT -s (barracuda)24.xx.xx.xx -d (emailserver)24.00.xx.xx -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT

Where the source would be the Barracuda going to the email server.

It would be allowed, then I am left with how to allow other connections like Smart_Phones that connect via Port 25. I am thinking if I put rules in place doing connection counts in a minute it would result in errors connecting to the server and people would start complaining. Plus any limiting may result in blocking real traffic.

Then would I need to allow the ISP range in the above example to accept port 25? I am still left with how to drop a flood/denial of service attack.

I am at a loss, any help would be great.

Last edited by rhbegin; 01-11-2011 at 11:25 AM.
 
Old 01-11-2011, 01:21 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

How about doing per-IP limits by means of the recent match module?

There should be several examples of that here in LQSEC.
 
Old 01-12-2011, 09:01 PM   #3
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Original Poster
Quote:
Originally Posted by win32sux View Post
How about doing per-IP limits by means of the recent match module?

There should be several examples of that here in LQSEC.
Can you list the section it is located in?

I have set the server to deny the connection to port 443 for webmail.

I could have done this with another iptables (firewall) but I used the -I (insert) command and placed it in the 'INPUT' chain.

iptables -I RH-Firewall-1-INPUT (line-number) -s 170.51.0.0/255.255.0.0 -d 199.xx.xx.xx -p tcp -m tcp --dport 443 -j DROP

This will deny access to webmail without impacting legitimate traffic to the server.

I am still working on blocking, for example, 170.51.0.0/16 to port 25 but allowing the email server to send to an email server in this range if needed. The Barracuda(s) will allow an email address through the mail exchanger with the IP range blocked.

The trick is how to setup iptables to allow the email outbound and connect to the email server?

If the 170.51.0.0/16 is set to drop on INPUT then no email can be sent from the server since it will fail connecting to it.

Still working on it, I know there has to be a way to do it. I have been testing today but will pick up tomorrow.

thanks
 
Old 01-15-2011, 12:09 PM   #4
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Original Poster

Does anyone know if you can drop traffic from a malicious IP range and yet allow an outgoing connection to the range if an SMTP server is in that domain?

Would tcp_wrappers work?
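A worked rule set, added here as an example and not code from the thread or from any of its posters, that puts together win32sux's recent-module suggestion (post #2) and the question in posts #3 and #4 about dropping inbound port 25 from a range while still letting the server deliver mail outbound into it. The addresses (192.0.2.x from the RFC 5737 documentation range), the chain name RH-Firewall-1-INPUT, the 170.51.0.0/16 range and the threshold of 20 new connections per 60 seconds are assumptions; the script only prints the rules unless APPLY_RULES=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses below are placeholders.
BARRACUDA1="${BARRACUDA1:-192.0.2.10}"   # assumed address of Barracuda 800 #1
BARRACUDA2="${BARRACUDA2:-192.0.2.11}"   # assumed address of Barracuda 800 #2
MAILSERVER="${MAILSERVER:-192.0.2.25}"   # assumed address of the SMTP host itself
BADRANGE="${BADRANGE:-170.51.0.0/16}"    # range the poster wants to refuse inbound on port 25
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"    # Red Hat style input chain used in the thread
LIMIT_SECONDS="${LIMIT_SECONDS:-60}"     # window for the per-source limit
LIMIT_HITS="${LIMIT_HITS:-20}"           # new connections allowed per source per window

# Print the rules, in iptables-save syntax, in the order they must sit in the chain.
smtp_rules() {
    # 1. Replies to connections the server opened itself (outbound SMTP to any
    #    MX, including one inside BADRANGE) are ESTABLISHED, so they are accepted
    #    here before any DROP further down is consulted. The stock Red Hat chain
    #    already has this rule at the top; keep only one copy.
    echo "-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. The Barracudas connect constantly, so exempt them from counting entirely.
    for b in "$BARRACUDA1" "$BARRACUDA2"; do
        echo "-A $CHAIN -s $b -d $MAILSERVER -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT"
    done
    # 3. Refuse NEW inbound SMTP from the hostile range. Because only NEW is
    #    matched, the server's own outbound deliveries into that range still work.
    echo "-A $CHAIN -s $BADRANGE -p tcp -m tcp --dport 25 -m state --state NEW -j DROP"
    # 4. Per-source limit with the recent module: record every new connection in
    #    the SMTP list, then drop a source that has reached LIMIT_HITS entries
    #    within the last LIMIT_SECONDS. Phones that poll every few minutes stay
    #    far below this; a flood from one address trips it immediately.
    echo "-A $CHAIN -p tcp -m tcp --dport 25 -m state --state NEW -m recent --name SMTP --set"
    echo "-A $CHAIN -p tcp -m tcp --dport 25 -m state --state NEW -m recent --name SMTP --update --seconds $LIMIT_SECONDS --hitcount $LIMIT_HITS -j DROP"
    # 5. Everything else (phones, other MTAs) gets through.
    echo "-A $CHAIN -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT"
}

# Number of rules the generator emits; a quick sanity check before applying.
rule_count() { smtp_rules | wc -l | tr -d ' '; }

# The first rule printed must be the ESTABLISHED accept, or outbound mail breaks.
first_rule() { smtp_rules | head -n 1; }

# Feed each printed rule to iptables. Only runs when explicitly requested.
apply_rules() {
    smtp_rules | while read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule
    done
}

if [ "${APPLY_RULES:-0}" = "1" ]; then
    apply_rules
else
    smtp_rules
fi
```

These rules have to come before the thread's existing blanket `--dport 25 -j ACCEPT` line (or replace it), otherwise that line matches first and the limit never fires; confirm the order with `iptables -L RH-Firewall-1-INPUT -n --line-numbers`. The kernel's recent module caps `--hitcount` at its `ip_pkt_list_tot` module parameter (default 20), so a larger threshold needs that parameter raised when the module is loaded. The live per-source table can be inspected in `/proc/net/xt_recent/SMTP` (`/proc/net/ipt_recent/SMTP` on the older kernels that shipped with the RH-Firewall-1-INPUT chain).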
 
Old 01-17-2011, 01:54 AM   #5
120
Member
 
Registered: Oct 2010
Posts: 46

Not sure how you have that set up, but if you have a clustered pair of 800s in inbound mode, can't you just use their own rate control and IP blocking features to do the heavy lifting for you? After all, Barracuda do advertise them as protecting against DoS.

Last edited by 120; 01-17-2011 at 01:56 AM.
 
  

