This is a discussion on "Iptables problem" within the Linux Networking forums, part of the Linux Forums category.
Hi,
I'm running iptables on an Alpha (Debian Woody is the distro). The version is 1.2.6a. I'm not sure if my setup is working. There are several spammers I want to block who keep trying to send email to non-existent users on my server. I have them dropped in my iptables active ruleset. When I run netstat they no longer have a state of ESTABLISHED but they repeatedly show up with SYN_SENT. Now I know this is the initiation of a tcp negotiation with a server that is going unanswered (hence the drop rules), however, when looking at my traffic (using ntop) there is a considerable amount of sent/received bytes (kilobytes actually) per hour. Some occasionally make it into the megabyte range. Is this what "dropping" with iptables means? Why is there sent/received and not just received?

Below is my iptables ruleset:

    # Generated by iptables-save v1.2.6a on Sun May 4 02:03:42 2003
    *nat
    :PREROUTING ACCEPT [21509:2476669]
    :POSTROUTING ACCEPT [3392:215481]
    :OUTPUT ACCEPT [3392:215481]
    COMMIT
    # Completed on Sun May 4 02:03:42 2003
    # Generated by iptables-save v1.2.6a on Sun May 4 02:03:42 2003
    *mangle
    :PREROUTING ACCEPT [435:45901]
    :OUTPUT ACCEPT [296:127722]
    COMMIT
    # Completed on Sun May 4 02:03:42 2003
    # Generated by iptables-save v1.2.6a on Sun May 4 02:03:42 2003
    *filter
    :OUTPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    ####
    #### block spammers BEGIN
    ####
    # sales@neovisiongroup.com
    -A INPUT -s 64.74.96.130 -j DROP
    # offers@hyzex.com
    -A INPUT -s 205.252.1.100 -j DROP
    # kiosk.ws [an opt-in spammer list serve]
    -A INPUT -s 209.167.139.132 -j DROP
    -A INPUT -s 209.167.139.133 -j DROP
    -A INPUT -s 209.167.139.134 -j DROP
    -A INPUT -s 209.167.139.135 -j DROP
    # safelistsmart.com [an opt-in spammer list serve]
    # ns1.safelistsmart.com
    -A INPUT -s 69.0.219.175 -j DROP
    -A INPUT -s 69.0.219.177 -j DROP
    # servepath.com
    -A INPUT -s 216.93.160.3 -j DROP
    -A INPUT -s 216.93.177.176 -j DROP
    -A INPUT -s 216.93.177.54 -j DROP
    -A INPUT -s 66.54.199.75 -j DROP
    # unknown
    -A INPUT -s 162.42.208.238 -j DROP
    # unknown
    -A INPUT -s 66.129.123.134 -j DROP
    -A INPUT -s 66.129.123.136 -j DROP
    -A INPUT -s 66.129.123.141 -j DROP
    # unknown
    -A INPUT -s 64.247.31.88 -j DROP
    # unknown
    -A INPUT -s 65.57.110.53 -j DROP
    # mbonnerenterprises.com
    -A INPUT -s 65.61.155.201 -j DROP
    # mbonnerhosting.com
    -A INPUT -s 65.61.161.57 -j DROP
    # myultimatehosting.com
    -A INPUT -s 216.93.177.176 -j DROP
    -A INPUT -s 216.31.141.158 -j DROP
    # chi.safelist.tv
    -A INPUT -s 66.227.96.27 -j DROP
    # www.netscashbuilder.com
    -A INPUT -s 194.216.113.221 -j DROP
    # smtp.eemarket.com
    -A INPUT -s 216.12.210.210 -j DROP
    # mail.myecom.net
    -A INPUT -s 12.42.86.2 -j DROP
    ####
    #### block spammers END
    ####
    # Permit packets in to firewall itself that are part of existing and related connections
    -A INPUT -m state -i eth0 --state ESTABLISHED -j ACCEPT
    # Allow all inputs to firewall from the local network
    -A INPUT -i lo -j ACCEPT
    # Deny spoofing from public eth0
    -A INPUT -s myrealiphere/32 -i eth0 -j DROP
    # Deny spoofing from public eth0 as local
    -A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
    # Accept tcp packets for SMTP
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    # Accept tcp packets for SMTP TLS
    -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    # Accept tcp packets for HTTP
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    # Accept tcp packets for HTTPS
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    # Accept tcp packets for SSH
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    # Accept tcp packets for FTP
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    # Accept tcp packets for IMAP
    -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    # Accept tcp packets for IMAP-SSL
    -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    # Accept tcp packets for POP
    -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    # Accept tcp packets for POP-SSL
    -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
    # Accept tcp packets for NTOP
    -A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
    # Accept tcp packets for MYSQL
    -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
    # Accept tcp packets for JABBER
    -A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
    # Accept tcp packets for JABBER-SSL
    -A INPUT -p tcp -m tcp --dport 5223 -j ACCEPT
    # Accept tcp packets for JABBER-ILE
    -A INPUT -p tcp -m tcp --dport 31515 -j ACCEPT
    # Webmin!
    -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
    COMMIT
    # Completed on Sun May 4 02:03:42 2003

Where it says myrealiphere, I do in fact have my ip address. I just changed it for this post.

I thought there might be bugs in iptables 1.2.6a but I can't upgrade to 1.2.8 via apt-get or from source as the kernel I am using is actually from a RedHat distro (it works well with my DAC960 raid controller) and this is a production box that I don't want to take offline to do a custom kernel.

Thanks for any help,
Doug
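Added example, not from the post and not iptables code: a small Python model of first-match evaluation over a reduced copy of the INPUT chain above. It shows that a reply from a blocked address is dropped before the ESTABLISHED rule is ever reached, which is what leaves a locally initiated connection stuck in SYN_SENT and retransmitting; the packet dicts, the 198.51.100.7 address and the five-rule excerpt are constructed, and the "state" field stands in for the conntrack state that the -m state match would see.

```python
import ipaddress
import shlex
# Constructed subset of the post's INPUT chain, in the same order as the
# iptables-save output above (a reduced copy, not the full ruleset).
RULESET = """\
:INPUT DROP [0:0]
-A INPUT -s 64.74.96.130 -j DROP
-A INPUT -m state -i eth0 --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
"""
# iptables option -> packet attribute it is compared against ('-m' modules are skipped).
OPTS = {"-s": "src", "-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state"}

def parse_input_chain(text):
    """Return (policy, rules); each rule is a dict of match fields plus 'target'."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            rule = {OPTS[t]: tok[i + 1] for i, t in enumerate(tok) if t in OPTS}
            rule["target"] = tok[tok.index("-j") + 1]
            rules.append(rule)
    return policy, rules

def field_matches(field, spec, pkt):
    """-s takes a host or CIDR; every other option is an exact compare."""
    if field == "src":
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(spec, strict=False)
    return pkt.get(field) == spec

def verdict(policy, rules, pkt):
    """First rule whose fields all match decides; otherwise the chain policy. Returns (target, index)."""
    for n, rule in enumerate(rules):
        if all(field_matches(f, s, pkt) for f, s in rule.items() if f != "target"):
            return rule["target"], n
    return policy, None

POLICY, RULES = parse_input_chain(RULESET)
# SYN/ACK answering a connection this host opened to the blocked address: conntrack
# classifies the reply as ESTABLISHED, but the source DROP comes first in the chain,
# so the local socket stays in SYN_SENT and keeps retransmitting its SYN.
REPLY_FROM_BLOCKED = {"src": "64.74.96.130", "iface": "eth0", "proto": "tcp",
                      "dport": "40000", "state": "ESTABLISHED"}
# Constructed packets from an unrelated address: one hits the SMTP accept, one falls to policy.
NEW_SMTP = {"src": "198.51.100.7", "iface": "eth0", "proto": "tcp", "dport": "25", "state": "NEW"}
NEW_TELNET = {"src": "198.51.100.7", "iface": "eth0", "proto": "tcp", "dport": "23", "state": "NEW"}
```

Calling `verdict(POLICY, RULES, REPLY_FROM_BLOCKED)` returns the DROP from rule 0, while the same packet with a non-blocked source would be accepted by the ESTABLISHED rule; reordering the chain changes the outcome, which is the point the model makes visible.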