* How can I ask IPTABLES to drop a packet based upon its content
@ 2003-08-06 9:37 Deshwal Chand
2003-08-06 9:50 ` Eric Leblond
2003-08-06 12:53 ` Whit Blauvelt
0 siblings, 2 replies; 4+ messages in thread
From: Deshwal Chand @ 2003-08-06 9:37 UTC (permalink / raw)
To: Netfilter (E-mail)
Hi,
I am running IPTABLES on a Redhat 7.2 box. We are running a mail server behind
this firewall. We receive a lot of spam e-mails. Instead of investing into the
anti-spam s/w, I want to configure the IPTABLES to read the contents on the
packets and drop them based upon the filter defined.
Any help ......
Regards,
Chand
* Re: How can I ask IPTABLES to drop a packet based upon its content
From: Eric Leblond @ 2003-08-06 9:50 UTC (permalink / raw)
To: Netfilter (E-mail)
On Wed, 2003-08-06 at 11:37, Deshwal Chand wrote:
> Hi,
>
> I am running IPTABLES on a Redhat 7.2 box. We are running a mail server
> behind this firewall. We receive a lot of spam e-mails. Instead of
> investing into the anti-spam s/w, I want to configure the IPTABLES to
> read the contents on the packets and drop them based upon the filter
> defined.
You can use the string module to do so (in POM).
But a really better choice is to install a spam software like
spamassassin.
BR,
--
Eric Leblond <eric@regit.org>
Regit.org
* Re: How can I ask IPTABLES to drop a packet based upon its content
From: Whit Blauvelt @ 2003-08-06 12:53 UTC (permalink / raw)
To: Deshwal Chand; +Cc: Netfilter (E-mail)
You might find it much easier, although still a lot of work, to install a
relaying mail server on the firewall that uses SpamAssassin and Razor called
from the MIMEDefang milter in sendmail. I've also seen a Webpage somewhere
on doing this using Qmail and SpamAssassin (you might google for it). This
is all free software - the only investment is your time.
Asking iptables to do it is putting the load in the wrong place, and failing
to take advantage of the work already done in using mail daemons for this
task.
Whit
On Wed, Aug 06, 2003 at 03:07:31PM +0530, Deshwal Chand wrote:
> Hi,
>
> I am running IPTABLES on a Redhat 7.2 box. We are running a mail server behind
> this firewall. We receive a lot of spam e-mails. Instead of investing into the
> anti-spam s/w, I want to configure the IPTABLES to read the contents on the
> packets and drop them based upon the filter defined.
>
> Any help ......
>
>
> Regards,
>
> Chand
* Re: How can I ask IPTABLES to drop a packet based upon its content
From: Alistair Tonner @ 2003-08-06 18:01 UTC (permalink / raw)
To: Whit Blauvelt, Deshwal Chand; +Cc: Netfilter (E-mail)
On August 6, 2003 08:53 am, Whit Blauvelt wrote:
> You might find it much easier, although still a lot of work, to install a
> relaying mail server on the firewall that uses SpamAssassin and Razor
> called from the MIMEDefang milter in sendmail. I've also seen a Webpage
> somewhere on doing this using Qmail and SpamAssassin (you might google for
> it). This is all free software - the only investment is your time.
>
> Asking iptables to do it is putting the load in the wrong place, and
> failing to take advantage of the work already done in using mail daemons
> for this task.
>
> Whit
>
> On Wed, Aug 06, 2003 at 03:07:31PM +0530, Deshwal Chand wrote:
> > Hi,
> >
> > I am running IPTABLES on a Redhat 7.2 box. We are running a mail server
> > behind this firewall. We receive a lot of spam e-mails. Instead of
> > investing into the anti-spam s/w, I want to configure the IPTABLES to
> > read the contents on the packets and drop them based upon the filter
> > defined.
> >
> > Any help ......
> >
> >
> > Regards,
> >
> > Chand
Although it was a LOT of work and fair trial for me, (not being a sendmail or
QMail guru) I've got Qmail and spamassassin working using the spamassassin
filtering for spam and an antivirus scanner working as well... this requires
some serious CPU horsepower under load, but in many small business cases
can be done with your average desktop class power.
I haven't pushed the application yet, but I did grab about 350 mixed test
mails and throw them at it once to see how long it would take to process.
It loaded the box, and took about 8 minutes to process the works on an
AMD 1500 cpu, 756Mb ram, IDE disks and about 75% of that was the time for the
AV scanner to process several large zip files, which actually contained virus
triggers (not real viruses, but code that should trigger virus scanners)
The above has a $0 cost in terms of software code, but can be supported for a
nominal fee if required. (and b-t-w it beat the daylights outta the MS
implementation that work has.)
I REALLY don't recommend using IPTABLES with string matching to try and
replace spam filtering.
You MIGHT consider using IPTABLES, and RTBH to filter based on ip
addresses of known spammers, but I'm not sure that someone has come up with
an effective manner of combining these tools yet.
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
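
Why the replies in this thread steer away from string matching, as an added example that is not part of the original thread: a packet-level string match searches each packet payload on its own, so it misses text that straddles a segment boundary or is base64-encoded, while a mail-level filter works on the decoded message. The pattern and sample messages are constructed, and the functions are simple models of the two approaches, not iptables or SpamAssassin code.

```python
import base64
import email

PATTERN = b"cheap pills"  # constructed filter string, not from the thread

def per_packet_match(payloads, pattern=PATTERN):
    """Model of a packet-filter string match: each payload is searched alone."""
    return any(pattern in p for p in payloads)

def mail_level_match(raw_message, pattern=PATTERN):
    """Model of a mail-level filter: parse the message and decode its body."""
    msg = email.message_from_bytes(raw_message)
    body = msg.get_payload(decode=True) or b""
    return pattern in body

def split_inside_pattern(data, pattern=PATTERN):
    """Two segments whose boundary happens to fall inside the pattern."""
    cut = data.index(pattern) + len(pattern) // 2
    return [data[:cut], data[cut:]]

# Constructed sample messages (content of the SMTP DATA phase).
PLAIN = (b"From: a@example.com\r\nSubject: offer\r\n\r\n"
         b"Buy cheap pills today\r\n")
ENCODED = (b"From: a@example.com\r\nSubject: offer\r\n"
           b"Content-Transfer-Encoding: base64\r\n\r\n"
           + base64.b64encode(b"Buy cheap pills today") + b"\r\n")

def results():
    """Outcome of each model on each constructed case."""
    return {
        # Whole message in one packet: the packet match works.
        "packet_plain_single": per_packet_match([PLAIN]),
        # Same bytes, but a segment boundary splits the pattern: missed.
        "packet_plain_split": per_packet_match(split_inside_pattern(PLAIN)),
        # Body is base64 on the wire: the literal bytes never appear.
        "packet_base64": per_packet_match([ENCODED]),
        # The mail-level filter sees the decoded body in both cases.
        "mail_plain": mail_level_match(PLAIN),
        "mail_base64": mail_level_match(ENCODED),
    }

if __name__ == "__main__":
    for case, hit in results().items():
        print(f"{case:22} {'match' if hit else 'no match'}")
```

Dropping a matching packet in an established SMTP session also does not reject the mail: the sender's TCP stack retransmits and the session stalls until it times out, whereas a mail daemon can refuse the message with a proper SMTP reply.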