  1. #1
    Just Joined!
    Join Date
    Mar 2013
    Location
    Brazil
    Posts
    7

    An annoying IP, IPTABLES can't block it!


    Hi friends!

    My mail server is Postfix .
    And sometimes, someone is trying to use my smtp to send spam emails.
    I have used iptables and fail2ban to solve these cases, and I'm always reading the mail log to see any suspicious connections, using iptables commands manually to ban these annoying spammers.
    But the last one is very persistent! Even with several commands in iptables, including OUTPUT and INPUT rules to drop it, the connection attempts were not blocked!


    Even with network unreachable status, this annoying ip testingemail\dot\com [208.87.35.103] is trying to connect to my smtp server!
    I have used iptables and route commands to block it but no success until now =/

    That server (testingdomain\dot\com) was trying to use my PHP mail functions from PHP files present on my server to send the emails. I discovered and commented out these lines from the mail function and this issue was solved.

    I have made an IP lookup on 208.87.35.103 and this is an inconsistent IP.
    What does this mean?

    Maybe my server has a script running to do these connection attempts?
    Is this a backscatterer?

    Thanks for your attention!

    Regards

  2. #2
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    913
    iptables will block any IP you wish. It's pretty much 100% reliable. Either you didn't enter the rule correctly, or your iptables isn't running.

  3. #3
    Just Joined!
    Join Date
    Mar 2013
    Location
    Brazil
    Posts
    7
    Quote Originally Posted by mizzle View Post
    iptables will block any IP you wish. It's pretty much 100% reliable. Either you didn't enter the rule correctly, or your iptables isn't running.
    How can I check if it's running?

  5. #4
    Just Joined!
    Join Date
    Mar 2013
    Location
    Brazil
    Posts
    7
    I have checked and it's running... v1.4.8
    Can you give me an efficient command against that IP?
    So I will flush the rules and try this new one, ok?

    Thanks!

  6. #5
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    You can show us your currently running iptables rules with this command:
    Code:
    iptables -L
    You can try blocking an IP address like this:
    Code:
    iptables -A INPUT -s x.x.x.x -j DROP

  7. #6
    Just Joined!
    Join Date
    Mar 2013
    Location
    Brazil
    Posts
    7
    Yep, it's running and here are the rules; I have typed the commands manually:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DROP tcp -- ps44.suite2.arena.ne.jp anywhere multiport dports smtp
    DROP tcp -- 208-87-35-103.securehost.com anywhere multiport dports smtp
    DROP tcp -- mail7.vipprodutora9.com.br anywhere tcp dpt:smtp
    DROP tcp -- 78.186.171.9.static.ttnet.com.tr anywhere tcp dpt:smtp
    DROP tcp -- 78.186.171.9.static.ttnet.com.tr anywhere tcp spt:smtp
    DROP tcp -- 208-87-35-103.securehost.com anywhere tcp dpt:smtp
    DROP tcp -- bermantech.com anywhere tcp dpt:smtp
    DROP tcp -- d155234.artnet.pl anywhere tcp dpt:smtp

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    DROP tcp -- d155234.artnet.pl anywhere tcp dpt:smtp
    DROP tcp -- mail7.vipprodutora9.com.br anywhere tcp dpt:smtp
    DROP tcp -- 78.186.171.9.static.ttnet.com.tr anywhere tcp dpt:smtp
    DROP tcp -- 78.186.171.9.static.ttnet.com.tr anywhere tcp spt:smtp
    DROP tcp -- 208-87-35-103.securehost.com anywhere tcp spt:smtp
    DROP tcp -- 208-87-35-103.securehost.com anywhere tcp dpt:smtp

    --------------------------------------------------------------------------------


    But at this moment, that annoying IP (208-87-35-103) has stopped trying to make connections.
    If it comes back, I will be back here to ask for more help.

    Thanks my friend!
    Regards

  8. #7
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Are you using raw IPTABLES or some sort of frontend? Also are you running this firewall on the mail server or a box acting like a router/firewall? This firewall doesn't look good for any server that is connected to the internet.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285

  9. #8
    Just Joined!
    Join Date
    Mar 2013
    Location
    Brazil
    Posts
    7
    Quote Originally Posted by Lazydog View Post
    Are you using raw IPTABLES or some sort of frontend? Also are you running this firewall on the mail server or a box acting like a router/firewall? This firewall doesn't look good for any server that is connected to the internet.
    I'm running it on a VPS.
    Maybe those connection attempts were due to the Postfix queue; after I restarted the VPS
    it was cleared and stopped trying to reach that IP.

    I'm planning to install one or more additional firewalls to work with iptables.
    Do you recommend any? Maybe arno, fiaif, shorewall, psad, fwsnort, firehol, apf-firewall, mxallowd, ferm, uruk,
    or is it not necessary for now?

    Thanks!
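The blocking command in post #5 and the queue theory in post #8 point at the real question: is that IP connecting to your smtpd (inbound, which an INPUT DROP stops), or is your own Postfix queue trying to deliver to it (outbound, which no INPUT rule will ever touch)? This added example, not code from the thread, answers that from Postfix log text. The log lines and the IP 203.0.113.7 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Given an IP and Postfix log text, it
# separates lines where that host connected to our smtpd (inbound, which an
# INPUT DROP stops) from lines where our own postfix/smtp client was trying
# to deliver queued mail to that host (outbound, i.e. the local queue).

# Constructed sample log lines for a made-up IP; not real mail.log output.
SAMPLE_LOG='Mar 10 10:01:02 vps postfix/smtpd[1201]: connect from unknown[203.0.113.7]
Mar 10 10:01:03 vps postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Relay access denied
Mar 10 10:02:15 vps postfix/smtp[1302]: A1B2C3: to=<x@example.net>, relay=none, delay=3, status=deferred (connect to mail.example.net[203.0.113.7]:25: Network is unreachable)
Mar 10 10:03:20 vps postfix/smtpd[1205]: connect from mx.example.org[198.51.100.4]
Mar 10 10:04:40 vps postfix/smtp[1310]: D4E5F6: to=<y@example.net>, relay=none, delay=1, status=deferred (connect to mail.example.net[203.0.113.7]:25: Network is unreachable)'

# count_inbound IP LOG: the remote host IP talking to our smtpd (server side).
count_inbound() {
    printf '%s\n' "$2" | grep 'postfix/smtpd\[' | grep -Fc "[$1]" || true
}

# count_outbound IP LOG: our own smtp client trying to reach IP on port 25.
count_outbound() {
    printf '%s\n' "$2" | grep 'postfix/smtp\[' | grep -Fc "[$1]:25" || true
}

# queue_ids IP LOG: queue IDs of our own messages still aimed at IP.
queue_ids() {
    printf '%s\n' "$2" | grep 'postfix/smtp\[' | grep -F "[$1]:25" \
        | sed 's/^.*postfix\/smtp\[[0-9]*\]: \([A-Z0-9]*\):.*$/\1/' | sort -u | xargs
}

# diagnose IP LOG: say which side the traffic is on and what to check next.
diagnose() {
    nin=$(count_inbound "$1" "$2"); nout=$(count_outbound "$1" "$2")
    if [ "$nin" -gt 0 ]; then
        echo "inbound ($nin): block with 'iptables -I INPUT -s $1 -j DROP'; confirm hits with 'iptables -L INPUT -n -v'"
    fi
    if [ "$nout" -gt 0 ]; then
        echo "outbound ($nout): this is your own queue; see 'postqueue -p', then 'postsuper -d <queue-id>' for: $(queue_ids "$1" "$2")"
    fi
    [ "$nin" -gt 0 ] || [ "$nout" -gt 0 ] || echo "no traffic for $1 in this log"
}

diagnose 203.0.113.7 "$SAMPLE_LOG"
```

Run it against real output with `diagnose 208.87.35.103 "$(cat /var/log/mail.log)"`; "Network is unreachable" only ever appears on the outbound (postfix/smtp) side, so that message means your queue, not the spammer, is the one connecting.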

  10. #9
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    While most of these are good I prefer CLI and IPTABLES.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285

  11. #10
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Quote Originally Posted by Lazydog View Post
    While most of these are good I prefer CLI and IPTABLES.
    I totally agree with Lazydog. A front-end firewall is good to set up some standard rules (like letting in port 80 and port 22), but then look at your iptables state and modify/append to the rules file that it created. A GUI usually does not have the fine-grained control that the iptables commands themselves give you.
