* Using iptables for throttling SMTP traffic
From: Alex @ 2010-11-01 19:07 UTC
To: netfilter
Hi,
I've set up a few basic rules to throttle SMTP traffic from an
individual host should they make more than 10 connections in ten
seconds:
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j LOG
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
Is this the correct way to do this? I notice the seconds value can't
be any greater than 20. What is the reason for this? I'd like to do
something like permit up to 100 messages/connections over any
60-second period. Is this possible?
My hope is to block hundreds of connections on my mail server from
bulk mail senders like constantcontact, as well as the flood of
connections from spam bots that are rejected by zen anyway.
How can I tell what rules are currently in place for a particular IP?
In other words, I see log entries for the initial block, but it
doesn't appear that an actual rule is added, correct?
Thanks,
Alex
* Re: Using iptables for throttling SMTP traffic
From: Brent Clark @ 2010-11-02 9:30 UTC
To: netfilter
On 01/11/2010 21:07, Alex wrote:
> My hope is to block hundreds of connections on my mail server from
> bulk mail senders like constantcontact, as well as the flood of
> connections from spam bots that are rejected by zen anyway.
>
> How can I tell what rules are currently in place for a particular
> IP? In other words, I see log entries for the initial block, but it
> doesn't appear that an actual rule is added, correct?
Hiya
Why don't you do this at the application level? There are many ways to do this.
Have you looked at greylisting?
You make no mention of what MTA you are using. But you can set up an MTA
gateway (basically an MTA in front of your real MTA).
HTH
Brent Clark
* Re: Using iptables for throttling SMTP traffic
From: Pascal Hambourg @ 2010-11-02 9:55 UTC
To: Alex; +Cc: netfilter
Hello,
Alex wrote:
>
> I've set up a few basic rules to throttle SMTP traffic from an
> individual host should they make more than 10 connections in ten
> seconds:
>
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> recent --update --seconds 10 --hitcount 10 -j LOG
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> recent --update --seconds 10 --hitcount 10 -j DROP
>
> Is this the correct way to do this? I notice the seconds value can't
> be any greater than 20. What is the reason for this?
--seconds or --hitcount? The --hitcount value cannot be greater than
the ip_pkt_list_tot parameter of the ipt_recent/xt_recent kernel module
(otherwise it would never match), and the parameter's default value is 20.
See the iptables man page for details.
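As an added illustration of Pascal's point (this is not code from the thread), a small Python model of the xt_recent --seconds/--hitcount check: each address keeps at most ip_pkt_list_tot timestamps, so a --hitcount above that value can never match, and raising the module parameter is what makes Alex's 100-connections-per-60-seconds policy matchable. The traffic, the addresses and the DROP-then-SET rule order are constructed assumptions.

```python
from collections import defaultdict, deque


class RecentTable:
    """Model of one xt_recent address list (e.g. the DEFAULT --name list)."""

    def __init__(self, ip_pkt_list_tot=20):
        # Module parameter ip_pkt_list_tot: timestamps kept per address.
        self.ip_pkt_list_tot = ip_pkt_list_tot
        self.stamps = {}

    def set(self, src, now):
        """'--set': record a hit; the oldest stamp is overwritten when full."""
        d = self.stamps.setdefault(src, deque(maxlen=self.ip_pkt_list_tot))
        d.append(now)

    def update(self, src, now, seconds, hitcount):
        """'--update --seconds S --hitcount N': match when src is listed and
        at least N stored hits fall within the last S seconds; a match also
        records the current hit. Only ip_pkt_list_tot hits are stored, so
        N > ip_pkt_list_tot can never match (the 20 limit Alex hit)."""
        d = self.stamps.get(src)
        if d is None:
            return False  # unknown source: only --set creates an entry
        hits = sum(1 for t in d if now - t <= seconds)
        if hits >= hitcount:
            d.append(now)
            return True
        return False


def simulate(connections, seconds, hitcount, ip_pkt_list_tot=20):
    """Replay (time, src) connection attempts through a DROP-then-SET chain
    and return, per source, the times of the dropped attempts."""
    table = RecentTable(ip_pkt_list_tot)
    dropped = defaultdict(list)
    for now, src in connections:
        if table.update(src, now, seconds, hitcount):
            dropped[src].append(now)  # -j DROP: the --set rule is never reached
            continue
        table.set(src, now)
    return dict(dropped)


# Constructed sample traffic (not from the thread): a bulk sender connecting
# every 0.5 s for a minute, and a quiet host making 5 connections in a minute.
BULK = [(i * 0.5, "192.0.2.10") for i in range(120)]
QUIET = [(i * 12.0, "192.0.2.20") for i in range(5)]
TRAFFIC = sorted(BULK + QUIET)
```

With the default ip_pkt_list_tot of 20, `simulate(TRAFFIC, 60, 100)` drops nothing; with the parameter raised to 100, the bulk sender's 101st connection onward is dropped while the quiet host is untouched.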
* Re: Using iptables for throttling SMTP traffic
From: Jan Engelhardt @ 2010-11-02 11:01 UTC
To: Pascal Hambourg; +Cc: Alex, netfilter
On Tuesday 2010-11-02 10:55, Pascal Hambourg wrote:
>Hello,
>
>Alex wrote:
>>
>> I've set up a few basic rules to throttle SMTP traffic from an
>> individual host should they make more than 10 connections in ten
>> seconds:
>>
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
>> recent --update --seconds 10 --hitcount 10 -j LOG
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
>> recent --update --seconds 10 --hitcount 10 -j DROP
>>
>> Is this the correct way to do this? I notice the seconds value can't
>> be any greater than 20. What is the reason for this?
>
>--seconds or --hitcount? The --hitcount value cannot be greater than
>the ip_pkt_list_tot parameter of the ipt_recent/xt_recent kernel module
>(otherwise it would never match), and the parameter default value is 20.
>See the iptables man page for details.
And on newer kernels (>= 2.6.34), this is also communicated through a
line in dmesg.
* Re: Using iptables for throttling SMTP traffic
From: Alex @ 2010-11-02 14:11 UTC
To: netfilter
Hi,
>> My hope is to block hundreds of connections on my mail server from
>> bulk mail senders like constantcontact, as well as the flood of
>> connections from spam bots that are rejected by zen anyway.
>>
>> How can I tell what rules are currently in place for a particular
>> IP? In other words, I see log entries for the initial block, but it
>> doesn't appear that an actual rule is added, correct?
>
> Why don't you do this at the application level? There are many ways to do this.
I have an older version of postfix that I can't upgrade right now, and
I don't think it supports this. I do realize this is the more
effective way to do it. I'd like to just get something working for the
time being.
Thanks,
Alex
* Re: Using iptables for throttling SMTP traffic
From: Secure-SIP-Server @ 2010-11-30 13:14 UTC
To: netfilter
Hi Alex!
> I've set up a few basic rules to throttle SMTP traffic from an
> individual host should they make more than 10 connections in ten
> seconds:
>
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> recent --set
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> recent --update --seconds 10 --hitcount 10 -j LOG
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> recent --update --seconds 10 --hitcount 10 -j DROP
>
> Is this the correct way to do this? I notice the seconds value can't
> be any greater than 20. What is the reason for this? I'd like to do
> something like permit up to 100 messages/connections over any
> 60-second period. Is this possible?
It is possible, but whether your kernel supports it I don't know.
You can do:
# rmmod ipt_recent
# modprobe ipt_recent ip_pkt_list_tot=100
If you get the message that ipt_recent can't be removed because it's in use, you
must remove all 'recent' rules in your firewall table first. Then try it
again.
But be careful!
I had set the values too high. At first everything worked fine. No error
message when I did
# iptables -A INPUT -p udp --dport 5060 -m recent --name DENIAL_OF_SERVICE --update --rttl --seconds 1 --hitcount 10 -j DROP
# iptables -A INPUT -p udp --dport 5060 -m recent --name DENIAL_OF_SERVICE --update --rttl --seconds 100 --hitcount 200 -j DROP
# iptables -A INPUT -p udp --dport 5060 -m recent --name DENIAL_OF_SERVICE --set -j ACCEPT
and
# /sbin/iptables -L --line-numbers -v -n
also showed that this was installed.
Then I rebooted the server and ... nothing. I wasn't able to get in contact
with my server again!
I had to access the hard disk by booting from another system to set it back to
the default values. Then it worked again, but only with the default max
of --hitcount 20 :-(
Regards
Detlef Pilzecker
Weitlahnerstraße 8
D - 83209 Prien am Chiemsee
* Re: Using iptables for throttling SMTP traffic
From: Jan Engelhardt @ 2010-11-30 13:24 UTC
To: Secure-SIP-Server; +Cc: netfilter
On Tuesday 2010-11-30 14:14, Secure-SIP-Server wrote:
> It is possible, but whether your kernel supports it I don't know.
>
> You can do:
> # rmmod ipt_recent
> # modprobe ipt_recent ip_pkt_list_tot=100
It's called xt_recent.
* Re: Using iptables for throttling SMTP traffic
From: lst_hoe02 @ 2010-11-30 14:01 UTC
To: netfilter
Quoting Secure-SIP-Server <info@secure-sip-server.net>:
> Hi Alex!
>
>> I've set up a few basic rules to throttle SMTP traffic from an
>> individual host should they make more than 10 connections in ten
>> seconds:
>>
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
>> recent --set
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
>> recent --update --seconds 10 --hitcount 10 -j LOG
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
>> recent --update --seconds 10 --hitcount 10 -j DROP
>>
>> Is this the correct way to do this? I notice the seconds value can't
>> be any greater than 20. What is the reason for this? I'd like to do
>> something like permit up to 100 messages/connections over any
>> 60-second period. Is this possible?
You can't at the TCP/IP level. Modern mail servers are able to push a lot of
messages in *one* TCP/IP session (ESMTP). You can handle the max.
number of new connections per unit of time (recent) and the max. number of
parallel connections at a given time (connlimit), but not the number
of messages, with iptables or any other TCP/IP-based filter.
Regards
Andreas