Dropping connection attempts to port 25

Discussion in 'Linux Networking' started by Clark Smith, Mar 11, 2013.

  1. Clark Smith

    Somebody keeps trying to connect to my sendmail server, without
    success, but filling my logs in the process. Since, according to the
    sendmail logs, the connection seems to be coming from a specific IP
    address <ip>, I added the following IPTables rules:

    iptables -A INPUT -s <ip> -j DROP
    iptables -A OUTPUT -d <ip> -j DROP

    However, I can still see further connection attempts in the sendmail logs.

    Any ideas on how to get IPTables to drop such attempts before
    they get to sendmail?
     
    Clark Smith, Mar 11, 2013
    #1

  2. Are there any earlier rules in the INPUT or OUTPUT tables?
     
    Richard Kettlewell, Mar 11, 2013
    #2

  3. Where in the INPUT chain was the first rule added? Was it after
    a rule which accepts port 25 attempts?

    Remember that rules are done in order.

    To get the order of the rules:
    # iptables -nvL
     
    Dale Dellutri, Mar 11, 2013
    #3
  4. Clark Smith

    This was the output from iptables -nvL before adding the rules
    above:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target  prot opt in    out  source          destination
     599K   50M ACCEPT  tcp  --  eth0  *    192.168.0.0/24  0.0.0.0/0    tcp dpt:22
     172K   10M         tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    tcp dpt:22 state NEW recent: SET name: DEFAULT side: source
     170K   10M DROP    tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    tcp dpt:22 state NEW recent: UPDATE seconds: 25 hit_count: 4 name: DEFAULT side: source

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target  prot opt in    out  source          destination

    Chain OUTPUT (policy ACCEPT 8 packets, 1248 bytes)
     pkts bytes target  prot opt in    out  source          destination
     
    Clark Smith, Mar 11, 2013
    #4
  5. Clark Smith

    I added the rules exactly as I described - nothing more, nothing
    less. Am I perhaps missing something?
     
    Clark Smith, Mar 11, 2013
    #5
  6. If you’re quoting iptables output then ‘after’ would be more useful than
    ‘before’...
     
    Richard Kettlewell, Mar 11, 2013
    #6
  7. That won’t stop DROP rules in the chain from working.
    That depends what you’re trying to achieve.
     
    Richard Kettlewell, Mar 12, 2013
    #7
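
The ordering point raised in post #3, as an added example that is not part of the original thread: a small first-match evaluator over `iptables -S` style rules, showing that a DROP appended after an ACCEPT for port 25 is never reached, while the same DROP placed ahead of it (as `iptables -I INPUT 1` would do) wins. The rulesets are constructed and 203.0.113.7 stands in for `<ip>`; the port 25 ACCEPT rule is an assumption for illustration and does not appear in the listing in post #4. Only `-s`, `-p`, `--dport` and `-j` are modelled.

```python
import ipaddress
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(text, chain="INPUT"):
    """Parse `iptables -S` style text into (policy, rules) for one chain.
    Only -s, -p, --dport and -j are modelled; other matches and "!" are ignored."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        elif tok[:2] == ["-A", chain]:
            opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)}  # option -> next token
            rules.append({
                "line": line.strip(),
                "src": ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False),
                "proto": opts.get("-p", "all"),
                "dport": int(opts["--dport"]) if "--dport" in opts else None,
                "target": opts.get("-j"),  # None: rule has no verdict (e.g. recent --set)
            })
    return policy, rules

def first_match(text, src, dport, proto="tcp"):
    """Walk the chain top to bottom; the first terminating match decides."""
    policy, rules = parse_rules(text)
    addr = ipaddress.ip_address(src)
    for r in rules:
        hit = (addr in r["src"] and r["proto"] in ("all", proto)
               and r["dport"] in (None, dport))
        if hit and r["target"] in TERMINATING:
            return r["target"], r["line"]
    return policy, None  # nothing matched: chain policy applies

# Constructed rulesets; 203.0.113.7 (documentation range) stands in for <ip>.
APPENDED = """
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -j DROP
"""
INSERTED = """
-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
"""
if __name__ == "__main__":
    for name, ruleset in (("appended", APPENDED), ("inserted", INSERTED)):
        print(name, first_match(ruleset, "203.0.113.7", 25))
```

To check a live chain the same way, feed the function the text produced by `iptables -S INPUT`, keeping in mind that matches it does not model (state, recent, interfaces) are treated as always true.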