  1. #1 mibrahim (Just Joined!) | Join Date: Aug 2011 | Posts: 9

    MASQUERADE Hide Hacker IP


    Hi all
    I use a Linux server as router and firewall. This server contains four virtual interfaces, and I have a mail server on one of these interfaces. Any attack that comes to this server appears as if it came from the server's virtual interface instead of showing the attacker's IP, so I will not be able to block the attacker's IP if it is hidden. I need to make all these four virtual interfaces act as one interface.

  2. #2 Lazydog (Linux Guru) | Join Date: Jun 2004 | Location: The Keystone State | Posts: 2,677
    What does your iptables look like? Are you MASQing any input addresses?
    Maybe you could post a snippet of what you are seeing?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3 mibrahim (Just Joined!) | Join Date: Aug 2011 | Posts: 9
    Thank you Lazydog for your reply; below are the iptables nat table and the mail server log.
    ############Nat table ##################
    *nat
    :PREROUTING ACCEPT [240701:21472135]
    :POSTROUTING ACCEPT [6846:493143]
    :OUTPUT ACCEPT [288159:20932397]

    -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 53

    -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.60:3128
    -A PREROUTING -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.1.60:3128
    -A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.60:53
    -A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.60:53

    -A POSTROUTING -o eth0 -j MASQUERADE

    #########################################
    Mail server IP 192.168.51.31
    Mail Server Gateway 192.168.51.1

    #######Mail Server Log#######

    ail.com> to=<w852@ymail.com> proto=SMTP helo=<212.12.166.209>
    Jun 19 04:08:02 V-Mailserver-om1 postfix/smtpd[18763]: lost connection after RCPT from unknown[192.168.51.1]
    Jun 19 04:08:02 V-Mailserver-om1 postfix/smtpd[18763]: disconnect from unknown[192.168.51.1]
    Jun 19 04:09:07 V-Mailserver-om1 update.phishing.sites: Phishing safe sites list updated
    Jun 19 04:09:07 V-Mailserver-om1 update_spamassassin: Delaying cron job up to 600 seconds
    Jun 19 04:11:18 V-Mailserver-om1 postfix/postfix-script: refreshing the Postfix mail system
    Jun 19 04:11:18 V-Mailserver-om1 postfix/master[7047]: reload configuration /etc/postfix
    Jun 19 04:11:18 V-Mailserver-om1 postfix/anvil[18765]: statistics: max connection rate 1/60s for (smtp:192.168.51.1) at Jun 19 04:08:01
    Jun 19 04:11:18 V-Mailserver-om1 postfix/anvil[18765]: statistics: max connection count 1 for (smtp:192.168.51.1) at Jun 19 04:08:01
    Jun 19 04:11:18 V-Mailserver-om1 postfix/anvil[18765]: statistics: max cache size 1 at Jun 19 04:08:01
    Jun 19 04:16:32 V-Mailserver-om1 dovecot: pop3-login: Login: user=<abeket>, method=PLAIN, rip=::ffff:192.168.51.1, lip=::ffff:192.168.51.31
    Jun 19 04:16:36 V-Mailserver-om1 dovecot: POP3(abeket): Disconnected: Logged out top=0/0, retr=0/0, del=0/2386, size=521422975
    Jun 19 04:23:01 V-Mailserver-om1 postfix/smtpd[7844]: connect from unknown[192.168.51.1]
    Jun 19 04:23:02 V-Mailserver-om1 postfix/smtpd[7844]: NOQUEUE: reject: RCPT from unknown[192.168.51.1]: 554 5.7.1 <w852@ymail.com>: Relay access denied; from=<peter@gmail.com> to=<w852@ymail.com> proto=SMTP helo=<212.12.166.209>
    Jun 19 04:23:03 V-Mailserver-om1 postfix/smtpd[7844]: lost connection after RCPT from unknown[192.168.51.1]
    Jun 19 04:23:03 V-Mailserver-om1 postfix/smtpd[7844]: disconnect from unknown[192.168.51.1]
    Jun 19 04:23:10 V-Mailserver-om1 dovecot: pop3-login: Login: user=<rgalvez>, method=PLAIN, rip=::ffff:192.168.51.1, lip=::ffff:192.168.51.31
    Jun 19 04:23:12 V-Mailserver-om1 dovecot: POP3(rgalvez): Disconnected: Logged out top=0/0, retr=0/0, del=0/380, size=249693190
    Jun 19 04:26:23 V-Mailserver-om1 postfix/anvil[7908]: statistics: max connection rate 1/60s for (smtp:192.168.51.1) at Jun 19 04:23:01
    Jun 19 04:26:23 V-Mailserver-om1 postfix/anvil[7908]: statistics: max connection count 1 for (smtp:192.168.51.1) at Jun 19 04:23:01
    Jun 19 04:26:23 V-Mailserver-om1 postfix/anvil[7908]: statistics: max cache size 1 at Jun 19 04:23:01
    Jun 19 04:46:43 V-Mailserver-om1 dovecot: pop3-login: Login: user=<abeket>, method=PLAIN, rip=::ffff:192.168.51.1, lip=::ffff:192.168.51.31
    Jun 19 04:46:49 V-Mailserver-om1 dovecot: POP3(abeket): Disconnected: Logged out top=0/0, retr=0/0, del=0/2386, size=521422975
    Jun 19 04:53:25 V-Mailserver-om1 dovecot: pop3-login: Login: user=<rgalvez>, method=PLAIN, rip=::ffff:192.168.51.1, lip=::ffff:192.168.51.31
    Jun 19 04:53:27 V-Mailserver-om1 dovecot: POP3(rgalvez): Disconnected: Logged out top=0/0, retr=0/0, del=0/380, size=249693190
    Jun 19 04:58:00 V-Mailserver-om1 postfix/smtpd[10691]: connect from unknown[192.168.51.1]
    Jun 19 04:58:01 V-Mailserver-om1 postfix/smtpd[10691]: NOQUEUE: reject: RCPT from unknown[192.168.51.1]: 554 5.7.1 <w852@ymail.com>: Relay access denied; from=<peter@gmail.com> to=<w852@ymail.com> proto=SMTP helo=<212.12.166.209>
    Jun 19 04:58:02 V-Mailserver-om1 postfix/smtpd[10691]: lost connection after RCPT from unknown[192.168.51.1]
    Jun 19 04:58:02 V-Mailserver-om1 postfix/smtpd[10691]: disconnect from unknown[192.168.51.1]
    Jun 19 05:01:02 V-Mailserver-om1 postfix/pickup[18838]: 13F341B282D0: uid=0 from=<root>
    Jun 19 05:01:02 V-Mailserver-om1 postfix/cleanup[10747]: 13F341B282D0: message-id=<20110619020102.13F341B282D0@mx1.zahran-om.com>

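As an added example, not part of the original thread, this Python script does the log reading the thread is doing by hand: it parses Postfix RCPT reject lines, counts them per client IP, and flags the case where every reject is attributed to the gateway address (192.168.51.1), so an IP-based block would hit the firewall rather than the remote sender. The sample log is constructed from two lines of post #3 plus an invented third reject with a different HELO; the gateway address set is an assumption taken from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: two reject lines copied from the log in post #3 plus
# one made-up reject with a different HELO and a non-reject line, all
# arriving via the gateway address 192.168.51.1.
SAMPLE_LOG = """\
Jun 19 04:23:02 V-Mailserver-om1 postfix/smtpd[7844]: NOQUEUE: reject: RCPT from unknown[192.168.51.1]: 554 5.7.1 <w852@ymail.com>: Relay access denied; from=<peter@gmail.com> to=<w852@ymail.com> proto=SMTP helo=<212.12.166.209>
Jun 19 04:58:01 V-Mailserver-om1 postfix/smtpd[10691]: NOQUEUE: reject: RCPT from unknown[192.168.51.1]: 554 5.7.1 <w852@ymail.com>: Relay access denied; from=<peter@gmail.com> to=<w852@ymail.com> proto=SMTP helo=<212.12.166.209>
Jun 19 05:10:44 V-Mailserver-om1 postfix/smtpd[10800]: NOQUEUE: reject: RCPT from unknown[192.168.51.1]: 554 5.7.1 <x@example.net>: Relay access denied; from=<a@example.org> to=<x@example.net> proto=SMTP helo=<mail.example.org>
Jun 19 05:12:00 V-Mailserver-om1 postfix/smtpd[10801]: disconnect from unknown[192.168.51.1]
"""

# Assumed gateway address, taken from the thread (mail server gateway 192.168.51.1).
GATEWAY_IPS = {"192.168.51.1"}

# Matches Postfix "reject: RCPT from host[ip]: ... helo=<name>" lines.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\].*?helo=<(?P<helo>[^>]*)>"
)


def parse_rejects(log_text):
    """Return one (client_ip, helo) tuple per Postfix RCPT reject line."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append((m.group("ip"), m.group("helo")))
    return rejects


def attribution_report(rejects, gateway_ips):
    """Summarise rejects per client IP and flag NAT-hidden attribution."""
    by_ip = Counter(ip for ip, _ in rejects)
    helos = defaultdict(set)
    for ip, helo in rejects:
        helos[ip].add(helo)
    via_gateway = sum(n for ip, n in by_ip.items() if ip in gateway_ips)
    return {
        "by_ip": dict(by_ip),
        # Several distinct HELOs behind one client IP hint that multiple
        # real senders are collapsed behind the same NAT address.
        "distinct_helos": {ip: len(s) for ip, s in helos.items()},
        # Every reject is attributed to the firewall itself: blocking by
        # client IP would block the gateway, not the remote sender.
        "nat_hidden": bool(rejects) and via_gateway == len(rejects),
    }


if __name__ == "__main__":
    print(attribution_report(parse_rejects(SAMPLE_LOG), GATEWAY_IPS))
```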
  4. #4 Lazydog (Linux Guru) | Join Date: Jun 2004 | Location: The Keystone State | Posts: 2,677
    Originally Posted by mibrahim:
    -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 53
    This line is useless. It just says to redirect port 53 to port 53 on the local system.

    Jun 19 04:08:02 V-Mailserver-om1 postfix/smtpd[18763]: lost connection after RCPT from unknown[192.168.51.1]
    Jun 19 04:08:02 V-Mailserver-om1 postfix/smtpd[18763]: disconnect from unknown[192.168.51.1]
    Looks like your mail gateway is trying to send mail to the server but the server doesn't know the gateway. Not sure if you want the gateway sending mail to your server or not. If you want to accept mail from your gateway then you are going to have to configure Postfix to allow it.

    Regards
    Robert

  5. #5 mibrahim (Just Joined!) | Join Date: Aug 2011 | Posts: 9
    Originally Posted by Lazydog:
    This line is useless. It just says to redirect port 53 to port 53 on the local system.
    This line redirects any DNS query to my BIND server.


    Looks like your mail gateway is trying to send mail to the server but the server doesn't know the gateway. Not sure if you want the gateway sending mail to your server or not. If you want to accept mail from your gateway then you are going to have to configure Postfix to allow it
    My gateway IP is 192.168.1.34. When the gateway wants to send data to the mail server (192.168.51.31), my gateway (router + firewall + cache + BIND) NATs this request so that it appears to come from itself: instead of receiving the request from 192.168.1.34, the request comes from 192.168.51.1.
    Another example: a hacker from the internet makes a dictionary attack to guess users' passwords. In my situation all attacks will come from one source (192.168.51.1), so I will not be able to block the hacker's IP.
    Last edited by mibrahim; 09-08-2011 at 06:28 AM.

  6. #6 Lazydog (Linux Guru) | Join Date: Jun 2004 | Location: The Keystone State | Posts: 2,677
    You should not be NATing any source addresses and that is what it sounds like you are doing. I am sure the rules above are not your complete set so I don't know where the problem is.

    As for redirecting port 53 in your PREROUTING, it is useless. You are saying redirect port 53 to port 53, which it already is. If you are redirecting to another DNS server then you should have the IP address in there also, and then it isn't a redirect (which is only redirected on the host) but a DNAT. If the firewall is your DNS server then you need an INPUT rule for port 53, not a redirect.

    I see the rules you have posted are also not interface attached, which is also not a good idea because they then apply to all interfaces. Normally you want to have them assigned to an interface so only the packets coming in on that interface are affected.

    If you would like I can go over your rules and if you don't want to post them on a public forum then you can PM them to me.

    Regards
    Robert
