Re: [expert] iptables to block spam
At 03:57 PM 3/3/2003 -0800, you wrote:

> > iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
> > I logged out and then tried to ssh back in and I was in just fine! Tried
> > to reach the web site
> > and again, no trouble. I then switched to this:
>
> Most likely, something before it is allowing it. I suggest that you change
> "-A" to "-I" to make it insert the rule at the beginning of the INPUT chain
> instead of appending it to the end of the chain.

Oh that is IT! Thank you! With Bastille running I could not use -A, had to
use -I. Of course I went to flush the rules with -F and made my machine
disappear from the network and had to reboot it this morning :(

Thanks Todd.

-Scott

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.456 / Virus Database: 256 - Release Date: 2/18/2003

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] iptables to block spam
On Tue, 04 Mar 2003 07:28:40 -0500 Mark Weaver <[EMAIL PROTECTED]> wrote:

> Pierre Fortin wrote:
> > On Sun, 02 Mar 2003 17:45:12 -0500 Mark Weaver
> > <[EMAIL PROTECTED]> wrote:
> >
> >>Scott St. John wrote:
> >>
> >>>Until I can migrate my clients over to Postfix I have been using the
> >>>access lists in Sendmail to block certain repeat spammers. I am
> >>>wondering if I could just use iptables to block them and take the load
> >>>off Sendmail?
> >>>
> >>>My question would be 1)Is that practical 2)Is the proper way to block
> >>>an entire network this:
> >>>
> >>>iptables -A INPUT -s 209.8.161.0/24 -j DROP
> >>>
> >>>I added this, however traffic from this network is still reaching my
> >>>mail server. I want to block EVERYTHING from that network as they are
> >>>sending porn mail to my clients.
> >>>
> >>>Thanks,
> >>>
> >>>-Scott
> >>
> >>Scott,
> >>
> >>this method will work, but if you want to block the entire network where
> >>the junk comes from then you'll have to block the entire netblock and
> >>not just that part of it.
> >>
> >>iptables -A INPUT -s 209.0.0.0 -j DROP
> >                        ^
> > Mark, this is a single address... to drop the entire block, you need
> > a netmask:
> > either 209.0.0.0/8 or 209.0.0.0/255.0.0.0
>
> Hi Pierre,
>
> Interestingly enough I ran a simple test on my firewall that Scott was
> attempting to use:
>
> iptables -A INPUT -p tcp -s 205.216.60.167 --dport 22 -j DROP

Did you verify with?:  iptables -L -v -n

# iptables -L -v -n
Chain INPUT (policy ACCEPT 775K packets, 529M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       205.216.60.167       0.0.0.0/0            tcp dpt:22

I did a similar test the other day and it worked as indicated in a previous
post...

> And you know what I found? the blasted thing was ignored and I got right
> in! That really knotted my shorts for even when I appended the netmask in
> long and short forms to the --source address,
> (-s 205.216.60.167/255.255.255.0 ) I got the same results. I was still
> able to get right in. I shouldn't have been able to do that; I shouldn't
> have been able to connect at all from the machine I was attempting to
> connect from. What's up with that? what am I missing here?
>

Again, seeing your iptables would be useful...

Pierre
Re: [expert] iptables to block spam
On Mon, 3 Mar 2003 21:55:55 -0800 Todd Lyons <[EMAIL PROTECTED]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pierre Fortin wrote on Mon, Mar 03, 2003 at 08:54:40PM -0500 :
> > > > So I would use /16 for a Class C network?
> > > Not quite:
> > > /8 is Class A
> > > /16 is Class B
> > > /24 is Class C
> > Not quite:)
> > 0... is Class A
> > 10.. is Class B
> > 110. is Class C
> > 1110 is Class D (multicast)
> > 1111 is Class E (reserved)
>
> He's asking about what /16 is, and you're talking about classful
> delegations. I don't think you're answering the question he asked.
> However, enlighten me if I'm wrong.
>
> > But, nowadays, Classes are mainly historical...
>
> In reference to the IP block, yes. But if he wants to block everything
> from 69.2.33.*, he will use a class C mask, regardless of the fact that
> the 69.0.0.0 network is historically a Class A.

Todd, I know you are pretty much up on this subject, hence the small smiley
in my post... but it always helps to give people something to think on in
that vein, expounding some more for those who are still unsure about this
stuff...

Scott actually asked about 209.8.161.0/24 which was a Class C in the old
days... the "problem" is that people still insist on [mis]using the Class
[ABC] designators... it makes more sense to use /0-/32, which is NOT
restricted to /8, /16, /24 and /32 and forget the Class X. So, Scott and
others should really think in terms of how many 2^N addresses to block,
determine the appropriate mask to do that... there is a down-side though...
it also means that people really need to learn how to determine the proper
MATCH address that will result from using a mask that is not one of the
traditional Class masks.

For instance (including *cast addresses):

209.8.161.0/24 blocks 209.8.161.0--209.8.161.255
209.8.160.0/24 blocks 209.8.160.0--209.8.160.255
209.8.160.0/23 blocks 209.8.160.0--209.8.161.255 (=above 2 ranges)
209.8.160.0/25 blocks 209.8.160.0--209.8.160.128

Note that 209.8.160.0/19 would block more addresses above & below the /23
example above while using the *same* (209.8.160.0) match address... this is
because 160 is coincidentally a nice binary number (0xA0) with plenty of
trailing 0s.

However, specifying 209.8.161.0/16 as Scott asked *may* not work (depends on
software which reads/uses it) because after the /16 mask is applied, the
address to compare against 209.8.160.0 would be 209.8.0.0 -- not a match!
Though iptables does the Right Thing (using my drop script):

# drop 1.2.3.4/16 all
         ^^ wrong! yet...
# iptables -L -v -n
Chain INPUT (policy ACCEPT 764K packets, 520M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       1.2.0.0/16           0.0.0.0/0
                                                 ^^ It's a Good Thing to understand what goes on...

When building match_address/mask pairs, one must be very careful that they
are a *matched* pair; after all, specifying address/mask in a config file is
not guaranteed to be corrected, as in iptables... there are "subnet
calculators" available online to help with this... YIKES! A quick search on
google for "subnet calculator" gives 32,800 links -- BUT... there are many
for sale, some for free download, and others online... unfortunately, I had
to get to the 19th link (http://jodies.de/ipcalc)** before I found one
online (it's downloadable too) that is remotely helpful for the novice in
explaining the above address/mask pairing issue...

** enter say 209.8.161.1 and 23 and note the binary representations
returned...

Oh well... hope I made the point that giving a /N answer is less than
helpful for many folk who most likely don't yet understand that the
*resulting* match address, after masking, is what belongs in this
address/mask pair.

HTH,
Pierre
Re: [expert] iptables to block spam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pierre Fortin wrote on Mon, Mar 03, 2003 at 08:54:40PM -0500 :
> > > So I would use /16 for a Class C network?
> > Not quite:
> > /8 is Class A
> > /16 is Class B
> > /24 is Class C
> Not quite:)
> 0... is Class A
> 10.. is Class B
> 110. is Class C
> 1110 is Class D (multicast)
> 1111 is Class E (reserved)

He's asking about what /16 is, and you're talking about classful
delegations. I don't think you're answering the question he asked.
However, enlighten me if I'm wrong.

> But, nowadays, Classes are mainly historical...

In reference to the IP block, yes. But if he wants to block everything
from 69.2.33.*, he will use a class C mask, regardless of the fact that
the 69.0.0.0 network is historically a Class A.

Blue skies...                   Todd
- --
Todd Lyons -- MandrakeSoft, Inc.   http://www.mandrakesoft.com/
UNIX was not designed to stop you from doing stupid things, because
that would also stop you from doing clever things. -- Doug Gwyn
Mandrake Cooker Devel Version, Kernel 2.4.21-0.11mdk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+ZD/rlp7v05cW2woRAhk/AJ0Wy6iZ1cQ4u7OBGw9ZQEGmQ8TF1ACePFE8
IY1owKi43a/k+o2RHb0HagA=
=Me8E
-----END PGP SIGNATURE-----
Re: [expert] iptables to block spam
On Mon, 3 Mar 2003 15:55:37 -0800 Todd Lyons <[EMAIL PROTECTED]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Scott St. John wrote on Sun, Mar 02, 2003 at 09:19:04AM -0500 :
> >
> > So I would use /16 for a Class C network?
>
> Not quite:
> /8 is Class A
> /16 is Class B
> /24 is Class C

Not quite:)
0... is Class A
10.. is Class B
110. is Class C
1110 is Class D (multicast)
1111 is Class E (reserved)

The leading bits were then used to indicate the Class' mask:
0   --> /8
10  --> /16
110 --> /24

If the leading bits were not taken into consideration, 224.0.0.x might be
misconstrued for a Class C instead of the Class D multicast that it really
is...

But, nowadays, Classes are mainly historical...
Re: [expert] iptables to block spam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott St. John wrote on Mon, Mar 03, 2003 at 08:38:28AM -0500 :
> iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
> I logged out and then tried to ssh back in and I was in just fine! Tried
> to reach the web site
> and again, no trouble. I then switched to this:

Most likely, something before it is allowing it. I suggest that you change
"-A" to "-I" to make it insert the rule at the beginning of the INPUT chain
instead of appending it to the end of the chain.

Blue skies...                   Todd
- --
...and I will strike down upon thee with great vengeance and furious anger,
those who attempt to poison and destroy my binaries, and you will know my
name is root, when I lay my vengeance upon thee.
Mandrake Cooker Devel Version, Kernel 2.4.21-0.11mdk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+Y+wGlp7v05cW2woRAkA5AJ9wWSmejYrMkg0ZQD0PvcMGgtol7wCfdvkI
4EinkWckfqMuT4HRGrXH2Ds=
=HN6l
-----END PGP SIGNATURE-----
Re: [expert] iptables to block spam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott St. John wrote on Sun, Mar 02, 2003 at 09:19:04AM -0500 :
>
> So I would use /16 for a Class C network?

Not quite:
/8 is Class A
/16 is Class B
/24 is Class C

Blue skies...                   Todd
- --
Never take no as an answer from someone who's not authorized to say yes.
--Ben Reser on Cooker ML
Mandrake Cooker Devel Version, Kernel 2.4.21-0.11mdk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+Y+t5lp7v05cW2woRAqUfAJ9w5H+/MtG/weBU5KUFz+k5IkkmlQCeMws/
bOk/03V+6F+FyM7DYB7gOpM=
=0hC/
-----END PGP SIGNATURE-----
Re: [expert] iptables to block spam
At 03:57 PM 3/3/2003 -0500, you wrote:

> If you want to block access to a specific service then just modify the
> rule to appear this way. Something I forgot to ask is how many nics are
> you using? you may also have to specify the interface they're coming in
> on as well. Ex:
>
> iptables -A INPUT -p tcp --dport 25 -s 209.0.0.0 -j DROP
>
> If you have two nics in the machine and your public interface, like mine
> is, eth1, then the rule would look like this:
>
> iptables -A INPUT -i eth1 -p tcp --dport 25 -s 209.0.0.0 -j DROP
>
> Or, you could write like this provided you have two nics;
>
> iptables -A INPUT -i eth1 -s 209.0.0.0 -j DROP
>
> Bastille's already existing rules shouldn't cancel out any additional
> rules you add to the firewall. That wouldn't exactly be a good thing.

Mark-

I have one interface on that machine and believe it or not I just copied
the line above for blocking port 25 except I replaced the IP address with
another machine here and tested it and it did NOT work. So I shut down
Bastille and tried it and I was blocked! So something in Bastille is
preventing me from manually entering chains to block and that sucks :(
There must be a way around that. I guess I could try to duplicate the
Bastille rules and make my own or figure out a way around Bastille blocking
me from manually entering my own rules.

-Scott
Re: [expert] iptables to block spam
Scott St. John wrote:
> Heh, call me the idiot! It works *WHEN* I stop Bastille :) I am guessing
> that some rule in Bastille is overriding my iptables commands to allow
> the traffic! So, now I have to figure out the rules that Bastille is
> putting in place and write my own iptables script.
>
> Thank you to everyone!
>
> -Scott

Scott,

If you want to block access to a specific service then just modify the rule
to appear this way. Something I forgot to ask is how many nics are you
using? you may also have to specify the interface they're coming in on as
well. Ex:

iptables -A INPUT -p tcp --dport 25 -s 209.0.0.0 -j DROP

If you have two nics in the machine and your public interface, like mine
is, eth1, then the rule would look like this:

iptables -A INPUT -i eth1 -p tcp --dport 25 -s 209.0.0.0 -j DROP

Or, you could write like this provided you have two nics;

iptables -A INPUT -i eth1 -s 209.0.0.0 -j DROP

Bastille's already existing rules shouldn't cancel out any additional rules
you add to the firewall. That wouldn't exactly be a good thing.

--
Mark
---
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & 9.0
Re: [expert] iptables to block spam
Heh, call me the idiot! It works *WHEN* I stop Bastille :) I am guessing
that some rule in Bastille is overriding my iptables commands to allow the
traffic! So, now I have to figure out the rules that Bastille is putting in
place and write my own iptables script.

Thank you to everyone!

-Scott

> This works for me... are you applying the correct rule on the right host?
>
> No need to log out/in... ssh to a host, say 192.168.1.1, then:
>   iptables -A INPUT -s 192.168.1.1 -j DROP
> and the ssh connection should stop working. Verify with:
>   iptables -L -v -n
> then re-enable with:
>   iptables -F
> and the ssh connection should resume...
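Todd's "-A versus -I" advice and Scott's observation that the rule only works once Bastille is stopped are the same thing seen from two sides: a chain is walked top to bottom and the first matching rule wins, so a DROP appended after an ACCEPT that already covers the traffic never gets a look. The following POSIX shell script is an added example, not code from the thread or from Bastille; the three-rule "Bastille" chain, the source address 10.1.2.3 and the string-only source comparison (no address/mask matching) are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a toy model of how a netfilter
# chain is evaluated, to show why a rule appended with -A can be shadowed
# by an earlier ACCEPT while the same rule inserted with -I is not.
# A chain is a text table, one rule per line, in the order iptables holds
# them: TARGET SOURCE DPORT, where '*' means "any". Sources are compared
# as plain strings here (host addresses only); real iptables of course
# also matches address/mask pairs.

# Constructed stand-in for the rules a Bastille-style firewall already
# has in INPUT: it accepts the services it was told to allow, from any
# source, before anything the admin adds by hand.
BASTILLE_CHAIN='ACCEPT * 22
ACCEPT * 25
ACCEPT * 80'

# iptables -A: the new rule goes after every existing rule.
append_rule() { printf '%s\n%s\n' "$1" "$2"; }

# iptables -I: the new rule goes in front of every existing rule.
insert_rule() { printf '%s\n%s\n' "$2" "$1"; }

# verdict CHAIN POLICY SRC DPORT
# Walks the chain top to bottom and prints the target of the first rule
# that matches; if none does, the chain policy decides. A flushed chain
# with policy DROP therefore drops everything, which is what locks you
# out of a remote box after "iptables -F".
verdict() {
    chain=$1; policy=$2; src=$3; dport=$4
    hit=$(printf '%s\n' "$chain" | while read -r target rsrc rport; do
        [ -n "$target" ] || continue
        [ "$rsrc" = '*' ] || [ "$rsrc" = "$src" ] || continue
        [ "$rport" = '*' ] || [ "$rport" = "$dport" ] || continue
        echo "$target"
        break
    done)
    echo "${hit:-$policy}"
}

# Stand-alone run: a constructed bad actor, 10.1.2.3 (a test address, not
# one from the thread), tries ssh against both orderings.
appended=$(append_rule "$BASTILLE_CHAIN" 'DROP 10.1.2.3 *')
inserted=$(insert_rule "$BASTILLE_CHAIN" 'DROP 10.1.2.3 *')
echo "-A then ssh from 10.1.2.3:   $(verdict "$appended" ACCEPT 10.1.2.3 22)"
echo "-I then ssh from 10.1.2.3:   $(verdict "$inserted" ACCEPT 10.1.2.3 22)"
echo "-F with policy DROP, anyone: $(verdict '' DROP 192.0.2.1 22)"
```

The appended DROP still works for a port the earlier ACCEPTs do not cover (443 in the test below), which is exactly why Scott's port-25 test failed with Bastille running and passed without it: Bastille's ACCEPT for smtp sat in front of his rule.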
Re: [expert] iptables to block spam
On Mon, 03 Mar 2003 08:38:28 -0500 "Scott St. John" <[EMAIL PROTECTED]> wrote:

> At 09:48 PM 3/2/2003 -0500, you wrote:
> > > iptables -A INPUT -s 209.8.161.0/24 -j DROP
>
> Ok, perhaps I am doing something wrong, I decided to test blocking my
> home connection
> to the server just to see if it would work. Doing this:
>
> iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

This works for me... are you applying the correct rule on the right host?

You can leave off the "-j DROP" to see if the rule is being hit:
  iptables -A INPUT -s xxx.xxx.xxx.xxx
without actually affecting traffic. If the counters aren't incrementing,
then you are using the wrong IP[/mask]; possibly on the wrong host.

> I logged out and then tried to ssh back in and I was in just fine!
> Tried to reach the web site
> and again, no trouble. I then switched to this:

No need to log out/in... ssh to a host, say 192.168.1.1, then:
  iptables -A INPUT -s 192.168.1.1 -j DROP
and the ssh connection should stop working. Verify with:
  iptables -L -v -n
then re-enable with:
  iptables -F
and the ssh connection should resume...

> iptables -A FORWARD -s xxx.xxx.xxx.xxx -j DROP
>
> And again, I got in. Must I block per service and missing something
> when issuing the
> command?

Can't tell what you are actually doing and on what host without more info;
but it works for me...

> Thanks in advance.
>
> -Scott
>
Re: [expert] iptables to block spam
At 09:48 PM 3/2/2003 -0500, you wrote:
> > iptables -A INPUT -s 209.8.161.0/24 -j DROP

Ok, perhaps I am doing something wrong, I decided to test blocking my home
connection to the server just to see if it would work. Doing this:

iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

I logged out and then tried to ssh back in and I was in just fine! Tried to
reach the web site and again, no trouble. I then switched to this:

iptables -A FORWARD -s xxx.xxx.xxx.xxx -j DROP

And again, I got in. Must I block per service and missing something when
issuing the command?

Thanks in advance.

-Scott
Re: [expert] iptables to block spam
On Sun, 02 Mar 2003 17:45:12 -0500 Mark Weaver <[EMAIL PROTECTED]> wrote:

> Scott St. John wrote:
> > Until I can migrate my clients over to Postfix I have been using the
> > access lists in Sendmail to block certain repeat spammers. I am
> > wondering if I could just use iptables to block them and take the load
> > off Sendmail?
> >
> > My question would be 1)Is that practical 2)Is the proper way to block
> > an entire network this:
> >
> > iptables -A INPUT -s 209.8.161.0/24 -j DROP
> >
> > I added this, however traffic from this network is still reaching my
> > mail server. I want to block EVERYTHING from that network as they are
> > sending porn mail to my clients.
> >
> > Thanks,
> >
> > -Scott
>
> Scott,
>
> this method will work, but if you want to block the entire network where
> the junk comes from then you'll have to block the entire netblock and
> not just that part of it.
>
> iptables -A INPUT -s 209.0.0.0 -j DROP
                      ^
Mark, this is a single address... to drop the entire block, you need a
netmask:
either 209.0.0.0/8 or 209.0.0.0/255.0.0.0

> This should definitely take care of things.
>
Re: [expert] iptables to block spam
Scott St. John wrote:
> Until I can migrate my clients over to Postfix I have been using the
> access lists in Sendmail to block certain repeat spammers. I am
> wondering if I could just use iptables to block them and take the load
> off Sendmail?
>
> My question would be 1)Is that practical 2)Is the proper way to block
> an entire network this:
>
> iptables -A INPUT -s 209.8.161.0/24 -j DROP
>
> I added this, however traffic from this network is still reaching my
> mail server. I want to block EVERYTHING from that network as they are
> sending porn mail to my clients.
>
> Thanks,
>
> -Scott

Scott,

this method will work, but if you want to block the entire network where
the junk comes from then you'll have to block the entire netblock and not
just that part of it.

iptables -A INPUT -s 209.0.0.0 -j DROP

This should definitely take care of things.

--
Mark
"If necessity is the mother of invention, then who's the father?"
---
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & 9.0
ICQ# 27816299
Re: [expert] iptables to block spam
On Sat, 1 Mar 2003 22:09:04 -0500 (EST) "Scott St. John" <[EMAIL PROTECTED]> wrote:

> Until I can migrate my clients over to Postfix I have been using the
> access lists in Sendmail to block certain repeat spammers. I am
> wondering if I could just use iptables to block them and take the load
> off Sendmail?
>
> My question would be
> 1)Is that practical

Sometimes... it depends on the spam... some jerks use IP address spoofing
which makes it impossible to block with iptables... however, I'm using a
new tactic to combat the likes of cyberproxy.com... I look up the
registered owner of the domain and set a sylpheed filter to auto-forward
the postfix reject notices to the registered owner/technical contact... so
far, with some success... even had cyberproxy people e-mail me and try to
claim innocence with some gibberish about knowing where the spoofed
addresses were really coming from... not them... so why have they subsided
so much...? :)

> 2)Is the proper way to block an entire network this:

Blocking addresses over time will be the least of your concerns;
re-blocking a long list of bad actors will test your patience... in case it
helps, I have a simple (not very fancy but it works for me) script to do
this (http://pfortin.com/Linux/drop) -- I used to block a lot of addresses
(http://pfortin.com/Linux/iptablesDROPHIST); but I get daily reports on
which addresses are hitting and the worst are just a few:

Chain INPUT (policy ACCEPT 28M packets, 6119M bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   288 DROP       tcp  --  *      *       210.0.0.0/8          0.0.0.0/0            tcp dpt:25
  122  5788 DROP       tcp  --  *      *       64.53.0.0/16         0.0.0.0/0            tcp dpt:80
   60  2880 DROP       tcp  --  *      *       66.54.199.170        0.0.0.0/0            tcp dpt:25
  117  5616 DROP       all  --  *      *       211.154.65.253       0.0.0.0/0

Since I've been blocking spam for so long, the counts are much lower than
they used to be... Using this info, I comment out many of the addresses in
the history file and reload iptables with the same script -- no sense
adding performance problems by trying to block most of the 'net...

In addition to blocking spammers, I block anyone who tries to use my
website as a relay and everything from anyone that shows up in my CodeRed,
Nimda, etc. traps. Not all of this is documented on my site; but some is...
would have more time for this if I wasn't fighting 9.0 so much... :P

I use postfix to filter out most of the crap that iptables can't...
(http://pfortin.com/Linux/PostFix/)

HTH,
Pierre (I *HATE* SPAMMERS!!!)

> iptables -A INPUT -s 209.8.161.0/24 -j DROP
>
> I added this, however traffic from this network is still reaching my
> mail server. I want to block EVERYTHING from that network as they are
> sending porn mail to my clients.
>
> Thanks,
>
> -Scott
>
>
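Pierre's advice earlier in the thread (add the rule, then check the packet counters with "iptables -L -v -n") and his practice here of pruning DROP rules that never match both mean reading the same listing. The following POSIX shell script is an added example, not code from the thread or from Pierre's drop script; the listing it parses is a constructed sample modelled on the one in his message, with the zero-count 205.216.60.167 line borrowed from Mark's test.

```shell
#!/bin/sh
# Added example (not from the thread): read "iptables -L -v -n" output
# and answer the two questions Pierre asks of it: is a DROP rule for a
# given source present and being hit, and which DROP rules have never
# matched and are just dead weight in the chain.
# Column layout of the -v listing: pkts bytes target prot opt in out
# source destination [extra matches]. Without -x the counters are
# abbreviated (28M, 6119M), so compare them as printed.

# Constructed sample listing, modelled on the one in Pierre's message.
SAMPLE='Chain INPUT (policy ACCEPT 28M packets, 6119M bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   288 DROP       tcp  --  *      *       210.0.0.0/8          0.0.0.0/0            tcp dpt:25
  122  5788 DROP       tcp  --  *      *       64.53.0.0/16         0.0.0.0/0            tcp dpt:80
    0     0 DROP       tcp  --  *      *       205.216.60.167       0.0.0.0/0            tcp dpt:22
  117  5616 DROP       all  --  *      *       211.154.65.253       0.0.0.0/0'

# chain_policy LISTING -> the INPUT chain policy, i.e. what happens to a
# packet no rule matches (and to every packet once the chain is flushed).
chain_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain INPUT (policy \([A-Z]*\).*/\1/p'
}

# drop_hits LISTING SOURCE -> packet counter of the DROP rule for SOURCE,
# or "none" when no such rule exists (it never made it into the chain,
# or was written with a different address/mask and iptables normalized it).
drop_hits() {
    printf '%s\n' "$1" | awk -v s="$2" '
        $3 == "DROP" && $8 == s { print $1; found = 1 }
        END { if (!found) print "none" }'
}

# idle_drops LISTING -> sources of DROP rules whose counter is still 0,
# one per line: candidates to comment out of the history file.
idle_drops() {
    printf '%s\n' "$1" | awk '$3 == "DROP" && $1 == 0 { print $8 }'
}

# Stand-alone run.
echo "policy:               $(chain_policy "$SAMPLE")"
echo "hits on 64.53.0.0/16: $(drop_hits "$SAMPLE" 64.53.0.0/16)"
echo "hits on 192.0.2.9:    $(drop_hits "$SAMPLE" 192.0.2.9)"
echo "never matched:"
idle_drops "$SAMPLE"
```

A zero counter has two readings, and the listing alone cannot tell them apart: the source really has not sent anything, or the rule sits behind an ACCEPT that takes the traffic first (Mark's case). Checking the rule's position in the chain, not just its counter, settles which.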
Re: [expert] iptables to block spam
Ok, I have a spam place this morning trying multiple servers to get into my
mail server: 216.95.201.18, 216.95.201.31, etc. Let's say I want to block
him totally at the mail server using iptables before he gets to Sendmail. I
would do:

iptables -A FORWARD -s 216.95.201.0/24 -p tcp --dport 25 -j DROP

Does that look right?

Thank you,

-Scott

At 12:48 AM 3/2/2003 -0600, you wrote:
> 209.8.161.0/24 will get 209.8.161.0 - 209.8.161.255. /16 will get
> 209.8.0.0 - 209.8.255.255
>
> Is iptables running on your firewall, with the mail server behind it, or
> on your mail server? If the former, you might need to add this on the
> FORWARD chain, not INPUT.
>
> Keep in mind that you're blocking all services with that statement. add
> -p tcp --dport 25 to just block smtp.
Re: [expert] iptables to block spam
On Sun, 2 Mar 2003, . wrote:

> 209.8.161.0/24 will get 209.8.161.0 - 209.8.161.255. /16 will get
> 209.8.0.0 - 209.8.255.255

That is what I put in, yet this spammer still got through to Sendmail.

> Is iptables running on your firewall, with the mail server behind it, or
> on your mail server? If the former, you might need to add this on the
> FORWARD chain, not INPUT.

I have iptables on the mail server, so I should be using the forward
command instead of input to block them? I am trying to block them at that
particular machine.

> Keep in mind that you're blocking all services with that statement. add
> -p tcp --dport 25 to just block smtp.

Yes, I guess I should just block them at smtp and not everything.

-Scott
Re: [expert] iptables to block spam
On Sat, 1 Mar 2003, Dave Laird wrote:

> iptables -A INPUT -s 209.82.110.17/16 -j DROP will work to drop *everything*
> from 209.82.110.x, regardless of the fourth digits in the network
> address. Unless I've gotten it backwards again (it's past my bedtime) 24 only
> drops the 0 of your address, which might possibly be the gateway, depending
> upon how they have configured their system.

So I would use /16 for a Class C network?

> I use the firewall to block undesirable IP's as needed, and it has proven,
> time and again, to substantially reduce my spam loads. Also, if you want more
> targets, go to http://www.iana.org/assignments/ipv4-address-space and look
> up the IP blocks assigned to the primary sources of most pornographic spam.
> Then block them by country. You'd be surprised at how spam levels will drop.

I am blocking now at the Sendmail level using access lists and I get the
lists based on email that makes it past SpamAssassin, I read the headers
and go block. Most of my customers can deal with the printer ads, but it is
the porn that bothers them most, especially when they have kids.

-Scott
Re: [expert] iptables to block spam
On Sat, 1 Mar 2003, tarvid wrote:

> I do this at the border gateway for bulk mailers that present a heavy load to
> my postfix mail server.

The owner of the company is against blocking at the router so I am trying
to do it on the mail server.

> I use spamcop and a local RBL to catch some more.

Similar here, I am using Spam Assassin and some custom access rules in
Sendmail, but the problem is the amount of time that Sendmail spends
rejecting this email so I was hoping to block them with iptables and take
some load off Sendmail.

-Scott
Re: [expert] iptables to block spam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good evening...

On Saturday 01 March 2003 10:48 pm, . wrote:
> 209.8.161.0/24 will get 209.8.161.0 - 209.8.161.255. /16 will get
> 209.8.0.0 - 209.8.255.255
>
> Is iptables running on your firewall, with the mail server behind it, or
> on your mail server? If the former, you might need to add this on the
> FORWARD chain, not INPUT.

It figures I would get it backwards by typing without double checking. The
firewall is on the mail server, hence I didn't mention the FORWARD
statement, however, that's a good point, too. Thanks. Now I'm going to bed.

Dave
- --
Dave Laird ([EMAIL PROTECTED])
The Used Kharma Lot / The Phoenix Project
Web Page: http://www.kharma.net updated 01/20/2003
Usenet News server: news.kharma.net
Musicians Calendar and Database access: http://www.kharma.net/calendar.html
An automatic & random thought For the Minute:
When you don't know what you are doing, do it neatly.
Q: What lies on the bottom of the ocean and twitches? A: A nervous wreck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+Yas4aE1ENZP1A28RAjvWAJ9t2NhzpdTvNZDP9Skg/Leazm6WXACgtQuW
L0wXx6wBVB49LvsHowoixZ0=
=Amjf
-----END PGP SIGNATURE-----
Re: [expert] iptables to block spam
209.8.161.0/24 will get 209.8.161.0 - 209.8.161.255. /16 will get
209.8.0.0 - 209.8.255.255

Is iptables running on your firewall, with the mail server behind it, or on
your mail server? If the former, you might need to add this on the FORWARD
chain, not INPUT.

Keep in mind that you're blocking all services with that statement. add -p
tcp --dport 25 to just block smtp.

Dave Laird wrote:
> Good evening,
>
> On Saturday 01 March 2003 07:09 pm, Scott St. John wrote:
> > My question would be 1)Is that practical 2)Is the proper way to block an
> > entire network this:
> >
> > iptables -A INPUT -s 209.8.161.0/24 -j DROP
> >
> > I added this, however traffic from this network is still reaching my mail
> > server. I want to block EVERYTHING from that network as they are sending
> > porn mail to my clients.
>
> iptables -A INPUT -s 209.82.110.17/16 -j DROP will work to drop *everything*
> from 209.82.110.x, regardless of the fourth digits in the network
> address. Unless I've gotten it backwards again (it's past my bedtime) 24 only
> drops the 0 of your address, which might possibly be the gateway, depending
> upon how they have configured their system.
>
> I use the firewall to block undesirable IP's as needed, and it has proven,
> time and again, to substantially reduce my spam loads. Also, if you want more
> targets, go to http://www.iana.org/assignments/ipv4-address-space and look
> up the IP blocks assigned to the primary sources of most pornographic spam.
> Then block them by country. You'd be surprised at how spam levels will drop.
>
> Dave
Re: [expert] iptables to block spam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good evening,

On Saturday 01 March 2003 07:09 pm, Scott St. John wrote:
> My question would be 1)Is that practical 2)Is the proper way to block an
> entire network this:
>
> iptables -A INPUT -s 209.8.161.0/24 -j DROP
>
> I added this, however traffic from this network is still reaching my mail
> server. I want to block EVERYTHING from that network as they are sending
> porn mail to my clients.

iptables -A INPUT -s 209.82.110.17/16 -j DROP will work to drop *everything*
from 209.82.110.x, regardless of the fourth digits in the network address.
Unless I've gotten it backwards again (it's past my bedtime) 24 only drops
the 0 of your address, which might possibly be the gateway, depending upon
how they have configured their system.

I use the firewall to block undesirable IP's as needed, and it has proven,
time and again, to substantially reduce my spam loads. Also, if you want
more targets, go to http://www.iana.org/assignments/ipv4-address-space and
look up the IP blocks assigned to the primary sources of most pornographic
spam. Then block them by country. You'd be surprised at how spam levels
will drop.

Dave
- --
Dave Laird ([EMAIL PROTECTED])
The Used Kharma Lot / The Phoenix Project
Web Page: http://www.kharma.net updated 01/20/2003
Usenet News server: news.kharma.net
Musicians Calendar and Database access: http://www.kharma.net/calendar.html
An automatic & random thought For the Minute:
He asked me if I knew what time it was -- I said yes, but not right now.
-- Steven Wright
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+Yaa4aE1ENZP1A28RAgtLAKCzyc9kduGt7GT7Uqczdh64w3KcRACgvwCS
zgXZN1S9BSQzRNCT/f9d2ns=
=CGbQ
-----END PGP SIGNATURE-----
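Dave's "/16 versus /24" puzzle here and Pierre's point earlier in the thread that the match address must be the address that survives masking (209.8.161.0/16 is really 209.8.0.0/16, and 209.8.160.0/19 reaches well past the /23) come down to the same arithmetic. The following POSIX shell script is an added example, not code from the thread or from Pierre's drop script or the ipcalc site he mentions; it assumes 64-bit shell arithmetic, which dash and bash both provide, and the address/prefix pairs it prints are the ones discussed in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the arithmetic behind an
# address/prefix pair, i.e. what iptables keeps after masking and which
# addresses a rule therefore matches. POSIX sh only; 64-bit shell
# arithmetic is assumed so that 32-bit masks never overflow.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0..32) -> netmask as a 32-bit integer.
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# Split "addr/len" (a bare host address counts as /32) into ADDR and PLEN.
split_cidr() {
    ADDR=${1%/*}; PLEN=${1#*/}
    if [ "$PLEN" = "$1" ]; then PLEN=32; fi
}

# The network address iptables actually stores for the rule: the host bits
# are cleared, so cidr_network 209.8.161.0/16 -> 209.8.0.0/16.
cidr_network() {
    split_cidr "$1"
    net=$(( $(ip_to_int "$ADDR") & $(prefix_to_mask "$PLEN") ))
    echo "$(int_to_ip "$net")/$PLEN"
}

# First and last address covered, network and broadcast included:
# cidr_range 209.8.160.0/23 -> 209.8.160.0-209.8.161.255.
cidr_range() {
    split_cidr "$1"
    mask=$(prefix_to_mask "$PLEN")
    first=$(( $(ip_to_int "$ADDR") & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

# Does the pair match a given source address? Exit status 0 = yes. Both
# sides are masked, which is exactly the comparison iptables performs.
cidr_contains() {
    split_cidr "$1"
    mask=$(prefix_to_mask "$PLEN")
    [ $(( $(ip_to_int "$ADDR") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Stand-alone run: the pairs from the thread.
for pair in 209.8.161.0/24 209.8.160.0/23 209.8.160.0/25 209.8.160.0/19 \
            209.8.161.0/16 209.82.110.17/16 209.0.0.0/8; do
    printf '%-18s stored as %-18s covers %s\n' \
        "$pair" "$(cidr_network "$pair")" "$(cidr_range "$pair")"
done
```

Two things the output makes visible that the prose only states: a /25 ends at .127, not .128, because the last address is the network address with all seven host bits set; and 209.82.110.17/16 is stored as 209.82.0.0/16, which is why a "/16 for a class C" rule silently blocks 65,536 addresses rather than the 256 Dave had in mind.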
Re: [expert] iptables to block spam
On Saturday 01 March 2003 10:09 pm, Scott St. John wrote:
> Until I can migrate my clients over to Postfix I have been using the
> access lists in Sendmail to block certain repeat spammers. I am wondering
> if I could just use iptables to block them and take the load off Sendmail?
>
> My question would be 1)Is that practical 2)Is the proper way to block an
> entire network this:
>
> iptables -A INPUT -s 209.8.161.0/24 -j DROP
>
> I added this, however traffic from this network is still reaching my mail
> server. I want to block EVERYTHING from that network as they are sending
> porn mail to my clients.
>
> Thanks,
>
> -Scott

I do this at the border gateway for bulk mailers that present a heavy load
to my postfix mail server.

I use spamcop and a local RBL to catch some more.

I also use RAV ($) which does a pretty good job at viruses and spam at the
back end.

jim tarvid