From: "Gáspár Lajos" <swifty@freemail.hu>
To: "Juan Carlos Peláez Mendoza" <jcpelaez@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Blocking SMTP Worm
Date: Tue, 24 Oct 2006 16:04:52 +0200
Message-ID: <453E1D84.6080803@freemail.hu>
In-Reply-To: <19fb1ac90610240654x44bdd20em7e04b21469739a10@mail.gmail.com>

Juan Carlos Peláez Mendoza wrote:
> Hi list,
>
> My IP address has been listed in the RBLs too many times. I installed
> MailScanner + SpamAssassin + Clamavmodule + F-Prot on my Linux box and
> set up iptables rules allowing only SMTP, POP and SSH traffic, but when
> I look at the traffic with tcpdump I see this strange behavior:
>
> 17:14:42.255867 IP 192.168.0.92.2802 > Static-IP-cr2001181.cable.net.co.smtp: S 396792405:396792405(0) win 16384 <mss 1460,nop,nop,sackOK>
> 17:14:43.457612 IP 192.168.0.92.2803 > Static-IP-cr2001181.cable.net.co.smtp: S 760094736:760094736(0) win 16384 <mss 1460,nop,nop,sackOK>
> 17:14:46.512975 IP 192.168.0.92.2804 > Static-IP-cr2001181.cable.net.co.smtp: S 804817506:804817506(0) win 16384 <mss 1460,nop,nop,sackOK>
> 17:14:49.466442 IP 192.168.0.92.2804 > Static-IP-cr2001181.cable.net.co.smtp: S 804817506:804817506(0) win 16384 <mss 1460,nop,nop,sackOK>
> 17:14:50.118528 IP 192.168.0.92.2805 > mailgw2.diveo.net.co.smtp: S 2079962326:2079962326(0) win 16384 <mss 1460,nop,nop,sackOK>
> 17:14:53.071734 IP 192.168.0.92.2805 > mailgw2.diveo.net.co.smtp: S 2079962326:2079962326(0) win 16384 <mss 1460,nop,nop,sackOK>
>
> I looked at the traffic today and am still getting the same result after
> blocking traffic from the 192.168.0.92 address:
>
> 08:40:10.664379 IP 192.168.0.92.2728 > emt200-31-197-53.emtelco.com.smtp: S 3599806789:3599806789(0) win 16384 <mss 1460,nop,nop,sackOK>
> 08:40:16.683771 IP 192.168.0.92.2728 > emt200-31-197-53.emtelco.com.smtp: S 3599806789:3599806789(0) win 16384 <mss 1460,nop,nop,sackOK>
> 08:40:20.731636 IP 192.168.0.92.2731 > bbvaganadero.telefonica.net.co.smtp: S 4026584844:4026584844(0) win 16384 <mss 1460,nop,nop,sackOK>
> 08:40:23.706369 IP 192.168.0.92.2731 > bbvaganadero.telefonica.net.co.smtp: S 4026584844:4026584844(0) win 16384 <mss 1460,nop,nop,sackOK>
>
>
> What can I do to stop and block this worm???
>
> Here are my basic rules for iptables.
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables --flush
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> modprobe ip_conntrack_irc
>
> iptables --table nat --flush
>
> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>
> # Blocking 192.168.0.92 SMTP traffic
> iptables -A FORWARD -p tcp --dport 25 -s 192.168.0.92 -j DROP
>
> iptables -A FORWARD -i eth1 -j ACCEPT
>
> echo "Enrutamiento Activado..."
>
> # Blocking ip 218.55.23.50
> iptables -A INPUT -s 218.55.23.50 -j DROP
>
> # Blocking ip 201.160.33.60
> iptables -A INPUT -s 201.160.33.60 -j DROP
>
> iptables -A INPUT -s 192.168.0.92 -j DROP
> iptables -A FORWARD -p tcp --dport 25 -j DROP
>
> # Allow inbound traffic to the SMTP, POP and SSH ports
> iptables -A INPUT -p tcp --dport 25 -s 192.168.0.0/24 -d PRIVATE_IP -j ACCEPT
> iptables -t filter -A INPUT -p tcp -s 0/0 -d PUBLIC_IP --dport 25 -j ACCEPT
> iptables -t filter -A INPUT -p tcp --dport 25 -s 192.168.0.0/24 -d 0/0 -j DROP
> iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.0/24 --sport 25 -i eth0 -j DROP
>
> iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 110 -j ACCEPT
> iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 3306 -j REJECT
>
> # Drop packets going out from the LAN on port 25
> iptables -A FORWARD -p tcp --dport 25 -j DROP
>
>
>
> Can anybody help me with this???
>
Have you tried this command???

iptables -vnL
>
> Thanks,
>
>
>
> Juan Carlos Peláez Mendoza
>
>
>
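One way to act on that suggestion, added here as an example and not part of the thread: a POSIX shell/awk filter that reads `iptables -vnL` output and reports rules whose packet counter is still zero once an earlier ACCEPT rule in the same chain has counted traffic. In the FORWARD chain quoted above, `-A FORWARD -i eth1 -j ACCEPT` sits before the two `--dport 25 -j DROP` rules, so this is the pattern the counters would expose; the sample listing below is constructed, not taken from the poster's box.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `iptables -vnL` output on stdin and
# reports rules whose packet counter is still 0 although an earlier ACCEPT rule
# in the same chain has already counted packets: a sign that the earlier rule
# is taking the traffic and the later rule is never reached.
audit_counters() {
  awk '
    /^Chain /            { chain = $2; rule = 0; first_accept = 0; next }
    /^ *pkts +bytes/     { next }      # column header line
    NF == 0              { next }      # blank line between chains
    {
      rule++
      pkts = $1; target = $3; proto = $4; in_if = $6
      extra = ""                       # match columns after "destination"
      for (i = 10; i <= NF; i++) extra = extra " " $i
      if (target == "ACCEPT" && pkts != 0 && first_accept == 0) {
        first_accept = rule
        accept_desc = proto " in=" in_if " pkts=" pkts
      }
      if (pkts == 0 && first_accept > 0)
        printf "%s rule %d (%s%s) never matched; rule %d (ACCEPT %s) is taking the traffic\n", chain, rule, target, extra, first_accept, accept_desc
    }'
}

# Constructed sample in the shape of `iptables -vnL FORWARD` for a rule set
# ordered like the one quoted above (the counters are invented).
SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  2736 DROP       tcp  --  *      *       192.168.0.92         0.0.0.0/0            tcp dpt:25
 4821  312K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25'

# Run against the sample with `sh audit.sh --demo`; on a live box use
# `iptables -vnxL | audit_counters` (-x prints exact counters instead of 312K).
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE" | audit_counters
fi
```

Rule 1 is not reported because no ACCEPT precedes it; rules 3 and 4 are, since the `-i eth1` ACCEPT at position 2 has already matched every LAN packet before they are consulted.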