
Thread: IP Tables Sanity Check

  1. #1

    IP Tables Sanity Check

    Ok. I run my own email server (using Qmail - it's awesome) but have recently discovered that I occasionally get spammed by some annoying locations, such as mrktmail.com. I figure - hey, let's block them at the iptables firewall level, so they can't connect via smtp.

    I check the header of one of the spam mails and discover that they are on the 209.167.239.0 subnet. So I block that subnet in iptables.

    I do an iptables -L and among the rules is:

    DROP all -- 209.167.239.0/24 anywhere


    So far so good.

    But I'm STILL getting the spam mail.

    What am I doing wrong here? ???

  2. #2

    Re:IP Tables Sanity Check

    Not sure, can you post as much as you can of your script?

  3. #3

    Re:IP Tables Sanity Check

    Sure...

    My internal network is on eth0. My internet connection is on eth1. I have another internal network on eth2.

    # eth0 and eth2 are the internal networks, eth1 faces the Internet
    iptables -A FORWARD -i eth0 -j ACCEPT
    iptables -A FORWARD -i eth2 -j ACCEPT
    iptables -P FORWARD DROP
    # masquerade everything going out on the Internet interface
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    # let replies to established connections through, plus new outbound FTP
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o eth1 -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # drop inbound connections from the Internet to these local ports
    iptables -A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j DROP
    iptables -A INPUT -i eth1 -p tcp -m tcp --dport 1024 -j DROP
    iptables -A INPUT -i eth1 -p tcp -m tcp --dport 111 -j DROP
    iptables -A INPUT -i eth1 -p tcp -m tcp --dport 25 -j DROP
    # drop everything from the suspected spam subnet, on any interface
    iptables -A INPUT -s 209.167.239.0/24 -j DROP

  4. #4

    Re:IP Tables Sanity Check

    Their mail servers are not on the network you suspect. Run an nslookup and then do a `set type=mx` and check out their domain information. They are round robin load balancing four mail servers. The hostname mrktmail.com is really an alias to one of the following.

    bounce1.mrkmail.com = 209.47.251.101
    bounce2.mrkmail.com = 209.47.251.102
    bounce3.mrkmail.com = 209.47.251.103
    bounce4.mrkmail.com = 209.47.251.104

    Try blocking all those ips.

    Is there anything in Qmail that would let you reject mail from specified domains?

  5. #5

    Re:IP Tables Sanity Check

    iptables isn't really the right tool for the job of conquering spam. This is more of a mail server issue. Your firewall should either accept or reject traffic to your port 25. That's as far as that should really go. Maybe you add a rule to accept port 25 incoming traffic from ONLY hosts in network xxx.xxx.xxx.xxx or something, but you don't want to make your script a 'blacklist', because it'll slow down the rest of your network. Let the mail server do this - or Spamassassin.

    You need to do a little RTFM'ing and see how qmail handles 'relaying' mail. In sendmail, there are options that allow you to say something like this:
    "Allow mail *from* inside my network *to* anywhere;
    Allow mail *from* outside my network *to* inside my network ONLY (this keeps you from becoming a spam relay and sending, say, ME spam).
    Allow mail *from* 111.11.11.11 *to* anywhere (a possible backdoor to allow you to send mail from your workstation at work or school through your home mail server)."

    You should see how qmail handles this. I believe O'Reilly has a qmail book that's supposed to be good. Check it out.

    If you're just having issues with getting spam in your mail *client*, then there are a couple of things you can do:

    You can use Spamassassin. This is probably the absolute most effective method of keeping spam out of your INBOX. There's a lab on how to set up Spamassassin on my site.

    The other thing you can do is set up procmail and start adding url's, patterns and all kinds of rules to defend yourself. Since they're both free, I recommend spamassassin, 'cos it's easier. If you wanna go the procmail route (there are a million other things you can use procmail for), I highly recommend 'The Procmail Companion'. Check Amazon or something for it.

  6. #6

    Re:IP Tables Sanity Check

    Tolstoy and njcajun,

    Thanks for the help. I know that spammers can be tricky with ip addresses and it's perhaps my own stupid fault that I trust what's in the email header when it says it receives email from ip address xx.xx.xx.xx. Next time I'll "dig" a little deeper - or use nslookup.

    I blocked those ip addresses so we'll see if that stops them this time.

    As for relay, as far as I understand I need to have smtp open to receive email, but I do have relay turned off so that only my internal networks can use smtp to send email. (And I use pop to read my email, as opposed to imap).

    Some of my users have complained that they're getting a bit too much spam from a few groups. Oh, sure, it's easy to use your client to just throw email into the trash based on what the subject is, but then I have to depend on my users doing that and the spam does sit on the server until it's picked up. If I can block some of the major spam sites that they're complaining about (especially the ones that change their header information around to prevent header-matching from working) I'll be one step ahead of the game.
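As an added example (not from any of the posters), here is how to read the connecting address the way post #6 concludes: take it from the Received header that your own MTA wrote, which is the topmost one because each hop prepends its own, rather than from a lower header that the sender controls, and then check that address against the firewall's CIDR blocks. The message, the example.org/example.net hostnames and the timestamps are constructed; the addresses are the ones quoted in the thread.

```python
import email
import ipaddress
import re

# Constructed sample message (not a real one from the thread). The first
# Received header is the one the recipient's own MTA added when the sending
# server connected; the second was already inside the message on arrival,
# so the sender could have written anything there, including a decoy IP.
SAMPLE_MESSAGE = """\
Received: from bounce2.mrkmail.com (bounce2.mrkmail.com [209.47.251.102])
    by mail.example.org with SMTP; Tue, 12 Mar 2002 08:15:02 -0500
Received: from mailhost.example.net (unknown [209.167.239.17])
    by bounce2.mrkmail.com with ESMTP; Tue, 12 Mar 2002 08:14:50 -0500
From: promo@mrktmail.com
To: user@example.org
Subject: constructed sample

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Return the bracketed IP of every Received header, topmost first."""
    msg = email.message_from_string(raw_message)
    ips = []
    for value in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(value)
        ips.append(match.group(1) if match else None)
    return ips


def connecting_ip(raw_message):
    """The address the local MTA really accepted the connection from: the
    topmost Received header, since MTAs prepend one per hop."""
    ips = received_ips(raw_message)
    return ips[0] if ips else None


def matching_rule(ip, blocked_networks):
    """Return the first CIDR in blocked_networks that contains ip, else None.
    blocked_networks mirrors the -s arguments of the iptables DROP rules."""
    addr = ipaddress.ip_address(ip)
    for cidr in blocked_networks:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None
```

Running `matching_rule(connecting_ip(SAMPLE_MESSAGE), ["209.167.239.0/24"])` returns None, which is exactly why the original rule never fired: the subnet came from the lower, sender-supplied header.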
