Koozali.org: home of the SME Server

iptables question

GetRighT

iptables question
« on: August 29, 2004, 08:31:42 PM »
Hi

I'm very tired of a certain user whose PC is infected with a virus and therefore keeps sending infected emails to one of my accounts.

I've contacted the ISP several times at their official abuse address, but I never received as much as a "blob" from them, which in itself really sux.

So I was thinking: why don't I just block the IP, as it's a fixed IP address. So I did:

iptables -A INPUT -s XXX.XX.254.39 -j DROP

Under: Chain INPUT (policy DROP)
I have: DROP       all  --  xxx.xxx.254.xxx  anywhere
which should work, but no go.

What am I missing?

arne
iptables question
« Reply #1 on: August 29, 2004, 09:21:08 PM »
If this is to work, the mail server will have to run on the SME server itself and not on any PC behind it.
(Because you are using the INPUT filtering chain, which only filters traffic into the local processes.)

The order of the rules is a rather critical factor. I believe that the -A "append" should put the rule on the top of the chain, so this should be OK.

I also believe that the iptables rules can be a little bit tricky in the way you have to write the criteria in the rules.

I would guess that something like:
iptables -A INPUT -p tcp -s 123.123.123.123 --dport 25 -j DROP

Try to experiment a bit - should work.
(At least I use something like this on my server)

arne
iptables question
« Reply #3 on: August 29, 2004, 09:31:28 PM »
Sorry for making a double post, and also sorry for making a minor but very important mistake ..

The order of the rules is very critical ..

"-A" does not set the new rule at the top but at the bottom of the chain. So if you have already allowed port 25 at the top of the chain, the rule that should block at the bottom of the chain will not work.

"-I" - insert should put the rule at the top of the chain:

iptables -I INPUT -i eth0 -p tcp -s 123.123.123.123 --dport 25 -j DROP

GetRighT

iptables question
« Reply #4 on: August 29, 2004, 11:19:22 PM »
Quote from: "arne"

"-A" does not set the new rule at the top but at the bottom of the chain. So if you have already allowed port 25 at the top of the chain, the rule that should block at the bottom of the chain will not work.

Hmm.. I find that strange, as I would assume that you would allow all from the top and then filter out on your way down?

At least the first rule is:
ACCEPT     all  --  anywhere             anywhere

Anyone care to comment?

arne
iptables question
« Reply #5 on: August 30, 2004, 04:27:45 PM »
"Hmm.. I find that strange, as I would assume that you would allow all from the top and then filter out on your way down?

At least the first rule is:
ACCEPT all -- anywhere anywhere"

No. Iptables/netfilter does not work that way (normally).

If your first rule is to accept all, you will not have any firewall at all.

Why do you think that your first rule is to accept all traffic? (If it is from the iptables -L command, I think it is a good idea not to believe in it too much; these listings are a bit "strange" some times.)

"Normally" you will set up the rules like this:

Rule 1
Rule 2
Rule 3

Default rule (The policy).

If Rule 1 is "ACCEPT" then Rule 2, Rule 3 and the Policy will not be checked at all. So if you want to deny something from one IP that is allowed from the other IPs, you will have to put the rule that drops in front of the general rule that accepts.
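The first-match behaviour arne describes, as an added Python model that is not from this thread or from SME Server: it builds an INPUT chain whose first rule already accepts SMTP from anywhere, then shows that a DROP rule appended with -A is never reached, while the same rule inserted with -I at the top blocks that one host and leaves other hosts accepted. The IP addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, List

@dataclass
class Rule:
    target: str                  # "ACCEPT" or "DROP"
    src: Optional[str] = None    # source IP to match; None = any
    proto: Optional[str] = None  # "tcp"/"udp"; None = any
    dport: Optional[int] = None  # destination port; None = any

    def matches(self, pkt: dict) -> bool:
        return ((self.src is None or pkt["src"] == self.src)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))

class Chain:
    """Rules are checked top to bottom; the first match decides the
    verdict, and the policy applies only when no rule matched."""
    def __init__(self, policy: str = "DROP"):
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:                # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

# Constructed sample data (documentation-range IPs, not real hosts).
SPAMMER = "192.0.2.39"
SMTP_FROM_SPAMMER = {"src": SPAMMER, "proto": "tcp", "dport": 25}
SMTP_FROM_OTHER = {"src": "198.51.100.7", "proto": "tcp", "dport": 25}
BLOCK = Rule("DROP", src=SPAMMER, proto="tcp", dport=25)

def verdicts(use_insert: bool) -> tuple:
    """Build an INPUT chain that already accepts SMTP from anywhere, add
    the DROP rule with -A or -I, and return (spammer, other host) verdicts."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", proto="tcp", dport=25))  # pre-existing allow
    if use_insert:
        chain.insert(BLOCK)   # -I: lands above the ACCEPT, so it is reached
    else:
        chain.append(BLOCK)   # -A: lands below the ACCEPT, never reached
    return chain.verdict(SMTP_FROM_SPAMMER), chain.verdict(SMTP_FROM_OTHER)
```

On a real box the same check is `iptables -L INPUT -n --line-numbers`, which shows where the new rule actually landed relative to the existing ACCEPT.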

GetRighT

iptables question
« Reply #6 on: August 31, 2004, 09:16:57 PM »
Quote from: "arne"

I think you're right. Added it with the -I switch instead and haven't had a mail from that IP since.

Thx for your help!  :-D

arne
iptables question
« Reply #7 on: August 31, 2004, 11:25:54 PM »
Interesting, thanks for the feedback .. it should work like this. I think the standard firewall of the SME server is a rather complicated thing, but if you put one rule on the top of the rule stack, this should be able to block the unwanted traffic, whatever rules come after that one.