Re: [expert] iptables to block spam

2003-03-04 Thread Scott St. John
At 03:57 PM 3/3/2003 -0800, you wrote:
> > iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
> > I logged out and then tried to ssh back in and I was in just fine!  Tried
> > to reach the web site and again, no trouble.  I then switched to this:
>
> Most likely, something before it is allowing it.  I suggest that you
> change "-A" to "-I" to make it insert the rule at the beginning of the
> INPUT chain instead of appending it to the end of the chain.
Oh that is IT!  Thank you!  With Bastille running I could not use -A, had
to use -I.  Of course I went to flush the rules with -F and made my machine
disappear from the network and had to reboot it this morning :(
Thanks Todd.

-Scott
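The point Todd makes in the quoted reply above (netfilter walks a chain top to bottom and the first terminating match wins, so a DROP appended with `-A` lands behind whatever ACCEPT the existing firewall script already installed, while `-I` puts it at rule 1) as an added Python model. This is not code from the thread or from Bastille: the `Rule`/`Chain` classes, the "Bastille-like" ACCEPT rule, the packet dicts and the DROP-policy flush scenario are constructed stand-ins for illustration.

```python
# Added example (not from the thread): a small model of how netfilter walks a
# chain, to show why a DROP appended with -A can sit behind an earlier ACCEPT
# (first match wins) and why inserting it with -I at the top works.
# Standard library only.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: Optional[str]            # "ACCEPT", "DROP", or None for a count-only rule (no -j)
    src: str = "0.0.0.0/0"           # what -s was given; a bare address means /32
    proto: Optional[str] = None      # -p tcp/udp, None = all
    dport: Optional[int] = None      # --dport
    pkts: int = 0                    # the counter `iptables -L -v -n` shows

    def matches(self, pkt: dict) -> bool:
        # iptables masks the given address too, so 1.2.3.4/16 behaves as 1.2.0.0/16
        net = ipaddress.IPv4Network(self.src, strict=False)
        if ipaddress.IPv4Address(pkt["src"]) not in net:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


class Chain:
    def __init__(self, name: str, policy: str = "ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def append(self, rule: Rule) -> None:                 # iptables -A <chain>
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:   # iptables -I <chain> [rulenum]
        self.rules.insert(rulenum - 1, rule)

    def flush(self) -> None:                              # iptables -F <chain>: rules go, policy stays
        self.rules.clear()

    def verdict(self, pkt: dict) -> str:
        """Walk the rules in order; the first terminating match decides."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.pkts += 1
                if rule.target in ("ACCEPT", "DROP", "REJECT"):
                    return rule.target
        return self.policy        # fell off the end: the chain policy applies


def demo() -> dict:
    # Constructed packet: an ssh connection from the address Mark tested with.
    ssh_from_home = {"src": "205.216.60.167", "proto": "tcp", "dport": 22}

    # Constructed stand-in for a pre-existing firewall script that accepts ssh early.
    chain = Chain("INPUT", policy="ACCEPT")
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))

    appended = Rule("DROP", src="205.216.60.167")
    chain.append(appended)                  # -A: lands *after* the ACCEPT, never reached
    v_append = chain.verdict(ssh_from_home)

    inserted = Rule("DROP", src="205.216.60.167")
    chain.insert(inserted)                  # -I: lands at rule 1, evaluated first
    v_insert = chain.verdict(ssh_from_home)

    # Assumption about Scott's setup: flushing a chain whose policy is DROP is one
    # way a box "disappears from the network" (every ACCEPT goes, the policy stays).
    locked = Chain("INPUT", policy="DROP")
    locked.append(Rule("ACCEPT", proto="tcp", dport=22))
    locked.flush()
    v_flush = locked.verdict(ssh_from_home)

    return {"appended": v_append, "appended_pkts": appended.pkts,
            "inserted": v_insert, "inserted_pkts": inserted.pkts,
            "flushed_drop_policy": v_flush}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

The appended rule's counter stays at 0, which is exactly what `iptables -L -v -n` would show for a rule that is being shadowed rather than ignored.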

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.456 / Virus Database: 256 - Release Date: 2/18/2003
Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re: [expert] iptables to block spam

2003-03-04 Thread Pierre Fortin
On Tue, 04 Mar 2003 07:28:40 -0500 Mark Weaver
<[EMAIL PROTECTED]> wrote:

> Pierre Fortin wrote:
> > On Sun, 02 Mar 2003 17:45:12 -0500 Mark Weaver
> > <[EMAIL PROTECTED]> wrote:
> > 
> > > Scott St. John wrote:
> > > 
> > > > Until I can migrate my clients over to Postfix I have been using the
> > > > access lists in Sendmail to block certain repeat spammers.  I am
> > > > wondering if I could just use iptables to block them and take the load
> > > > off Sendmail?
> > > >
> > > > My question would be 1)Is that practical 2)Is the proper way to block
> > > > an entire network this:
> > > >
> > > > iptables -A INPUT -s 209.8.161.0/24 -j DROP
> > > >
> > > > I added this, however traffic from this network is still reaching my
> > > > mail server.  I want to block EVERYTHING from that network as they are
> > > > sending porn mail to my clients.
> > > >
> > > > Thanks,
> > > >
> > > > -Scott
> > > 
> > > Scott,
> > > 
> > > this method will work, but if you want to block the entire network where
> > > the junk comes from then you'll have to block the entire netblock and
> > > not just that part of it.
> > > 
> > > iptables -A INPUT -s 209.0.0.0 -j DROP
> >    ^
> > Mark, this is a single address...  to drop the entire block, you need
> > a netmask:
> > either 209.0.0.0/8 or 209.0.0.0/255.0.0.0
> 
> Hi Pierre,
> 
> Interestingly enough I ran a simple test on my firewall that Scott was 
> attempting to use:
> 
>   iptables -A INPUT -p tcp -s 205.216.60.167 --dport 22 -j DROP

Did you verify with?:  iptables -L -v -n

# iptables -L -v -n
Chain INPUT (policy ACCEPT 775K packets, 529M bytes)
 pkts bytes target prot opt in out source          destination
    0     0 DROP   tcp  --  *  *   205.216.60.167  0.0.0.0/0    tcp dpt:22

I did a similar test the other day and it worked as indicated in a
previous post...


> And you know what I found? the blasted thing was ignored and I got right
> in! That really knotted my shorts for even when I appended the netmask in
> long and short forms to the --source address,
> (-s 205.216.60.167/255.255.255.0 ) I got the same results. I was still
> able to get right in. I shouldn't have been able to do that; I shouldn't
> have been able to connect at all from the machine I was attempting to
> connect from. What's up with that? what am I missing here?
> 

Again, seeing your iptables would be useful...

Pierre



Re: [expert] iptables to block spam

2003-03-04 Thread Pierre Fortin
On Mon, 3 Mar 2003 21:55:55 -0800 Todd Lyons <[EMAIL PROTECTED]>
wrote:

> Pierre Fortin wrote on Mon, Mar 03, 2003 at 08:54:40PM -0500 :
> > > > 
> > > > So I would use /16 for a Class C network?
> > > Not quite:
> > > /8 is Class A
> > > /16 is Class B
> > > /24 is Class C
> > Not quite:)
> >   0...    is Class A
> >   10..    is Class B
> >   110.    is Class C
> >   1110    is Class D (multicast)
> >   1111    is Class E (reserved)
> 
> He's asking about what /16 is, and you're talking about classful
> delegations.  I don't think you're answering the question he asked.
> However, enlighten me if I'm wrong.
> 
> > But, nowadays, Classes are mainly historical...
> 
> In reference to the IP block, yes.  But if he wants to block everything
> from 69.2.33.*, he will use a class C mask, regardless of the fact that
> the 69.0.0.0 network is historically a Class A.

Todd, 

I know you are pretty much up on this subject, hence the small smiley in
my post...  but it always helps to give people something to think on 
in that vein, expounding some more for those who are still unsure about
this stuff...

Scott actually asked about 209.8.161.0/24 which was a Class C in the old
days...  the "problem" is that people still insist on [mis]using the Class
[ABC] designators...  it makes more sense to use /0-/32, which is NOT
restricted to /8, /16, /24 and /32 and forget the Class X.

So, Scott and others should really think in terms of how many 2^N
addresses to block, determine the appropriate mask to do that...  there is
a down-side though...  it also means that people really need to learn how
to determine the proper MATCH address that will result from using a mask
that is not one of the traditional Class masks.  For instance (including
*cast addresses):
 209.8.161.0/24 blocks 209.8.161.0--209.8.161.255
 209.8.160.0/24 blocks 209.8.160.0--209.8.160.255
 209.8.160.0/23 blocks 209.8.160.0--209.8.161.255 (=above 2 ranges)
 209.8.160.0/25 blocks 209.8.160.0--209.8.160.128

Note that 209.8.160.0/19 would block more addresses above & below the /23
example above while using the *same* (209.8.160.0) match address...  this
is because 160 is coincidentally a nice binary number (0xA0) with plenty
of trailing 0s.  However, specifying 209.8.161.0/16 as Scott asked *may*
not work (depends on software which reads/uses it) because after the /16
mask is applied, the address to compare against 209.8.160.0 would be
209.8.0.0 -- not a match!  Though iptables does the Right Thing (using my
drop script):
# drop 1.2.3.4/16 all 
   ^^  wrong!  yet...
# iptables -L -v -n
Chain INPUT (policy ACCEPT 764K packets, 520M bytes)
 pkts bytes target prot opt in out source      destination
    0     0 DROP   all  --  *  *   1.2.0.0/16  0.0.0.0/0
                                   ^^
It's a Good Thing to understand what goes on...

When building match_address/mask pairs, one must be very careful that they
are a *matched* pair; after all, specifying address/mask in a config file
is not guaranteed to be corrected, as in iptables...  there are "subnet
calculators" available online to help with this...  YIKES!  A quick search
on google for "subnet calculator" gives 32,800 links -- BUT...  there are
many for sale, some for free download, and others online... 
unfortunately, I had to get to the 19th link (http://jodies.de/ipcalc)**
before I found one online (it's downloadable too) that is remotely helpful
for the novice in explaining the above address/mask pairing issue...

** enter say 209.8.161.1 and 23 and note the binary representations
returned...

Oh well...  hope I made the point that giving a /N answer is less than
helpful for many folk who most likely don't yet understand that the
*resulting* match address, after masking, is what belongs in this
address/mask pair.

HTH,
Pierre
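As an added example, not code from Pierre, the ipcalc page he links, or anyone else on the list, the address/mask computation described above in Python (standard library `ipaddress` only): the *resulting* match address once the mask is applied, the range a pair really covers, whether the address typed and the mask are a matched pair, and the historical class letter read from the leading bits as in Pierre's earlier table. It also covers the two earlier cases in this thread, Mark's bare `209.0.0.0` (a single address) and Dave's `209.82.110.17/16`. The function names `analyse`, `prefix_length`, `historical_class` and `to_binary` are this example's own.

```python
# Added example (not from the thread): compute the *resulting* match address
# for an address/mask pair, the range it covers, and the historical class.
# Standard library only.
import ipaddress


def historical_class(addr: str) -> str:
    """Classful letter from the leading bits of the first octet (Pierre's table)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet & 0b10000000 == 0:
        return "A"                   # 0...  (classful mask /8)
    if first_octet & 0b11000000 == 0b10000000:
        return "B"                   # 10..  (classful mask /16)
    if first_octet & 0b11100000 == 0b11000000:
        return "C"                   # 110.  (classful mask /24)
    if first_octet & 0b11110000 == 0b11100000:
        return "D (multicast)"       # 1110
    return "E (reserved)"            # 1111


def prefix_length(mask: str) -> int:
    """Accept a prefix length ('16') or a dotted mask ('255.255.0.0')."""
    if "." in mask:
        return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return int(mask)


def analyse(spec: str) -> dict:
    """Report what an address/mask pair really matches.

    'matched_pair' is False when the typed address has host bits set under the
    mask, i.e. the address actually compared differs from the one typed
    (209.8.161.0/16 is really 209.8.0.0/16).  A bare address means /32.
    """
    addr, _, mask = spec.partition("/")
    prefix = prefix_length(mask) if mask else 32
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)  # strict=False masks for us
    return {
        "given": addr,
        "prefix": prefix,
        "match_address": str(net.network_address),
        "matched_pair": net.network_address == ipaddress.IPv4Address(addr),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "count": net.num_addresses,
        "class": historical_class(addr),
    }


def to_binary(addr: str) -> str:
    """Dotted-binary form, the view that makes the mask boundary visible."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


if __name__ == "__main__":
    for spec in ("209.8.161.0/24", "209.8.160.0/23", "209.8.160.0/25",
                 "209.8.160.0/19", "209.8.161.0/16", "209.82.110.17/16",
                 "209.0.0.0", "209.0.0.0/255.0.0.0"):
        r = analyse(spec)
        flag = "" if r["matched_pair"] else "  <-- not a matched address/mask pair"
        print(f"{spec:22} -> {r['match_address']}/{r['prefix']}  "
              f"{r['first']}--{r['last']}  ({r['count']} addrs, class {r['class']}){flag}")
        print(f"{'':22}    {to_binary(r['given'])}")
```

The `strict=False` argument is what makes Python do what Pierre observed iptables doing: the host bits are silently cleared. A config file parser that is not that forgiving would keep comparing against `209.8.161.0` and never match, which is why the example reports `matched_pair` separately.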




Re: [expert] iptables to block spam

2003-03-03 Thread Todd Lyons

Pierre Fortin wrote on Mon, Mar 03, 2003 at 08:54:40PM -0500 :
> > > 
> > > So I would use /16 for a Class C network?
> > Not quite:
> > /8 is Class A
> > /16 is Class B
> > /24 is Class C
> Not quite:)
>   0...    is Class A
>   10..    is Class B
>   110.    is Class C
>   1110    is Class D (multicast)
>   1111    is Class E (reserved)

He's asking about what /16 is, and you're talking about classful
delegations.  I don't think you're answering the question he asked.
However, enlighten me if I'm wrong.

> But, nowadays, Classes are mainly historical...

In reference to the IP block, yes.  But if he wants to block everything
from 69.2.33.*, he will use a class C mask, regardless of the fact that
the 69.0.0.0 network is historically a Class A.

Blue skies...   Todd
- -- 
  Todd Lyons -- MandrakeSoft, Inc.   http://www.mandrakesoft.com/
UNIX was not designed to stop you from doing stupid things, because 
  that would also stop you from doing clever things. -- Doug Gwyn
  Mandrake Cooker Devel Version, Kernel 2.4.21-0.11mdk


Re: [expert] iptables to block spam

2003-03-03 Thread Pierre Fortin
On Mon, 3 Mar 2003 15:55:37 -0800 Todd Lyons <[EMAIL PROTECTED]>
wrote:

> Scott St. John wrote on Sun, Mar 02, 2003 at 09:19:04AM -0500 :
> > 
> > So I would use /16 for a Class C network?
> 
> Not quite:
> /8 is Class A
> /16 is Class B
> /24 is Class C

Not quite:)
  0...    is Class A
  10..    is Class B
  110.    is Class C
  1110    is Class D (multicast)
  1111    is Class E (reserved)

The leading bits were then used to indicate the Class' mask:
0 --> /8
10 --> /16
110 --> /24

If the leading bits were not taken into consideration, 224.0.0.x might be
misconstrued for a Class C instead of the Class D multicast that it really
is...

But, nowadays, Classes are mainly historical...
 



Re: [expert] iptables to block spam

2003-03-03 Thread Todd Lyons

Scott St. John wrote on Mon, Mar 03, 2003 at 08:38:28AM -0500 :

> iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
> I logged out and then tried to ssh back in and I was in just fine!  Tried 
> to reach the web site
> and again, no trouble.  I then switched to this:

Most likely, something before it is allowing it.  I suggest that you
change "-A" to "-I" to make it insert the rule at the beginning of the
INPUT chain instead of appending it to the end of the chain.

Blue skies...   Todd
- -- 
...and I will strike down upon thee with great vengeance and furious
 anger, those who attempt to poison and destroy my binaries, and you 
will know my name is root, when I lay my vengeance upon thee.
  Mandrake Cooker Devel Version, Kernel 2.4.21-0.11mdk


Re: [expert] iptables to block spam

2003-03-03 Thread Todd Lyons

Scott St. John wrote on Sun, Mar 02, 2003 at 09:19:04AM -0500 :
> 
> So I would use /16 for a Class C network?

Not quite:
/8 is Class A
/16 is Class B
/24 is Class C

Blue skies...   Todd
- -- 
Never take no as an answer from someone who's not authorized to say yes.
--Ben Reser on Cooker ML
  Mandrake Cooker Devel Version, Kernel 2.4.21-0.11mdk


Re: [expert] iptables to block spam

2003-03-03 Thread Scott St. John
At 03:57 PM 3/3/2003 -0500, you wrote:
> If you want to block access to a specific service then just modify the
> rule to appear this way. Something I forgot to ask is how many nics are you
> using? you may also have to specify the interface they're coming in on as
> well.
>
> Ex:  iptables -A INPUT -p tcp --dport 25 -s 209.0.0.0 -j DROP
>
> If you have two nics in the machine and your public interface, like mine
> is, eth1, then the rule would look like this:
>
>  iptables -A INPUT -i eth1 -p tcp --dport 25 -s 209.0.0.0 -j DROP
>
> Or, you could write like this provided you have two nics;
>
>  iptables -A INPUT -i eth1 -s 209.0.0.0 -j DROP
>
> Bastille's already existing rules shouldn't cancel out any additional
> rules you add to the firewall. That wouldn't exactly be a good thing.
>
> Mark-

I have one interface on that machine and believe it or not I just copied
the line above for blocking port 25 except I replaced the IP address with
another machine here and tested it and it did NOT work.  So I shut down
Bastille and tried it and I was blocked!  So something in Bastille is
preventing me from manually entering chains to block and that sucks :(
There must be a way around that.

I guess I could try to duplicate the Bastille rules and make my own or
figure out a way around Bastille blocking me from manually entering my own
rules.

-Scott



Re: [expert] iptables to block spam

2003-03-03 Thread Mark Weaver
Scott St. John wrote:
> Heh, call me the idiot!  It works *WHEN* I stop Bastille :)  I am
> guessing that some rule in Bastille is overriding my iptables commands to
> allow the traffic!
>
> So, now I have to figure out the rules that Bastille is putting in place
> and write my own iptables script.
>
> Thank you to everyone!
>
> -Scott

Scott,

If you want to block access to a specific service then just modify the 
rule to appear this way. Something I forgot to ask is how many nics are 
you using? you may also have to specify the interface they're coming in 
on as well.

Ex:  iptables -A INPUT -p tcp --dport 25 -s 209.0.0.0 -j DROP

If you have two nics in the machine and your public interface, like mine 
is, eth1, then the rule would look like this:

 iptables -A INPUT -i eth1 -p tcp --dport 25 -s 209.0.0.0 -j DROP

Or, you could write like this provided you have two nics;

 iptables -A INPUT -i eth1 -s 209.0.0.0 -j DROP

Bastille's already existing rules shouldn't cancel out any additional 
rules you add to the firewall. That wouldn't exactly be a good thing.

--
Mark
---
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & 9.0



Re: [expert] iptables to block spam

2003-03-03 Thread Scott St. John
Heh, call me the idiot!  It works *WHEN* I stop Bastille :)  I am guessing that
some rule in Bastille is overriding my iptables commands to allow the traffic!
So, now I have to figure out the rules that Bastille is putting in place
and write my own iptables script.

Thank you to everyone!

-Scott

> This works for me...  are you applying the correct rule on the right host?
>
> No need to log out/in...  ssh to a host, say 192.168.1.1, then:
>   iptables -A INPUT -s 192.168.1.1 -j DROP
> and the ssh connection should stop working.  Verify with:
>   iptables -L -v -n
> then re-enable with:
>   iptables -F
> and the ssh connection should resume...



Re: [expert] iptables to block spam

2003-03-03 Thread Pierre Fortin
On Mon, 03 Mar 2003 08:38:28 -0500 "Scott St. John" <[EMAIL PROTECTED]>
wrote:

> At 09:48 PM 3/2/2003 -0500, you wrote:
> > > > iptables -A INPUT -s 209.8.161.0/24 -j DROP
> 
> Ok, perhaps I am doing something wrong, I decided to test blocking my
> home connection
> to the server just to see if it would work.  Doing this:
> 
> iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

This works for me...  are you applying the correct rule on the right host?

You can leave off the "-j DROP" to see if the rule is being hit:
  iptables -A INPUT -s xxx.xxx.xxx.xxx
without actually affecting traffic.  If the counters aren't incrementing,
then you are using the wrong IP[/mask]; possibly on the wrong host.

> I logged out and then tried to ssh back in and I was in just fine! 
> Tried to reach the web site
> and again, no trouble.  I then switched to this:

No need to log out/in...  ssh to a host, say 192.168.1.1, then:
  iptables -A INPUT -s 192.168.1.1 -j DROP
and the ssh connection should stop working.  Verify with:
  iptables -L -v -n
then re-enable with:
  iptables -F
and the ssh connection should resume...

> iptables -A FORWARD -s xxx.xxx.xxx.xxx -j DROP
> 
> And again, I got in.  Must I block per service and missing something
> when issuing the
> command?

Can't tell what you are actually doing and on what host without more info;
but it works for me...
 
> Thanks in advance.
> 
> -Scott
> 
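The counter check Pierre suggests above (add the rule without `-j DROP` and watch whether its packet counter moves under `iptables -L -v -n`), as an added example that is not taken from the thread: a Python parser for that listing format which reports rules that have never matched. The listing embedded in it is constructed sample output in the same shape as the listings quoted in this thread, not a capture from anyone's host, and `parse_listing`, `parse_count` and `unhit_rules` are names this example introduces.

```python
# Added example (not from the thread): parse `iptables -L -v -n` output and
# report which rules have never matched.  Standard library only.
import re

# Constructed sample in the `iptables -L -v -n` format; the fourth rule was
# added without -j, so its target column is empty and it only counts.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 28M packets, 6119M bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   288 DROP       tcp  --  *      *       210.0.0.0/8          0.0.0.0/0            tcp dpt:25
  122  5788 DROP       tcp  --  *      *       64.53.0.0/16         0.0.0.0/0            tcp dpt:80
    0     0 DROP       tcp  --  *      *       205.216.60.167       0.0.0.0/0            tcp dpt:22
   41  2460            all  --  *      *       209.8.161.0/24       0.0.0.0/0
"""

PROTOCOLS = {"all", "tcp", "udp", "icmp"}
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}
CHAIN_RE = re.compile(r"Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")


def parse_count(tok: str) -> int:
    """`iptables -v` abbreviates large counters (28M, 6119M); expand them."""
    if tok[-1] in SUFFIX:
        return int(tok[:-1]) * SUFFIX[tok[-1]]
    return int(tok)


def parse_listing(text: str) -> dict:
    """Map chain name -> {'policy': ..., 'rules': [dict, ...]} in listing order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        tok = line.split()
        if not tok or tok[0] == "pkts" or current is None:
            continue                      # blank line or the column header
        pkts, nbytes, rest = parse_count(tok[0]), parse_count(tok[1]), tok[2:]
        # A rule added without -j has an empty target column, so the next
        # token is a protocol name rather than a target.
        target = None if rest[0] in PROTOCOLS else rest.pop(0)
        prot, opt, in_if, out_if, src, dst = rest[:6]
        current["rules"].append({
            "pkts": pkts, "bytes": nbytes, "target": target, "prot": prot,
            "in": in_if, "out": out_if, "src": src, "dst": dst,
            "extra": " ".join(rest[6:]),      # e.g. "tcp dpt:25"
        })
    return chains


def unhit_rules(text: str, chain: str = "INPUT") -> list:
    """Sources of rules in `chain` whose packet counter is still zero: either
    the traffic is not arriving on this host, or the address/mask is not what
    you meant, or an earlier rule is taking the packets first."""
    return [r["src"] for r in parse_listing(text)[chain]["rules"] if r["pkts"] == 0]


if __name__ == "__main__":
    for name, data in parse_listing(SAMPLE_LISTING).items():
        print(f"{name} (policy {data['policy']})")
        for r in data["rules"]:
            target = r["target"] or "(count only)"
            print(f"  {r['pkts']:>6} {target:12} {r['prot']:4} {r['src']:18} {r['extra']}")
    print("never matched:", unhit_rules(SAMPLE_LISTING))
```

Run the real listing through `unhit_rules` twice a few minutes apart; a rule whose counter does not move while the traffic you expect is arriving is the one to look at.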



Re: [expert] iptables to block spam

2003-03-03 Thread Scott St. John
At 09:48 PM 3/2/2003 -0500, you wrote:
> > iptables -A INPUT -s 209.8.161.0/24 -j DROP
Ok, perhaps I am doing something wrong, I decided to test blocking my home
connection to the server just to see if it would work.  Doing this:

iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

I logged out and then tried to ssh back in and I was in just fine!  Tried
to reach the web site and again, no trouble.  I then switched to this:

iptables -A FORWARD -s xxx.xxx.xxx.xxx -j DROP

And again, I got in.  Must I block per service and missing something when
issuing the command?

Thanks in advance.

-Scott



Re: [expert] iptables to block spam

2003-03-02 Thread Pierre Fortin
On Sun, 02 Mar 2003 17:45:12 -0500 Mark Weaver
<[EMAIL PROTECTED]> wrote:

> Scott St. John wrote:
> > Until I can migrate my clients over to Postfix I have been using the 
> > access lists in Sendmail to block certain repeat spammers.  I am
> > wondering if I could just use iptables to block them and take the load
> > off Sendmail?
> > 
> > My question would be 1)Is that practical 2)Is the proper way to block
> > an entire network this:
> > 
> > iptables -A INPUT -s 209.8.161.0/24 -j DROP
> > 
> > I added this, however traffic from this network is still reaching my
> > mail server.  I want to block EVERYTHING from that network as they are
> > sending porn mail to my clients.
> > 
> > Thanks,
> > 
> > -Scott
> 
> Scott,
> 
> this method will work, but if you want to block the entire network where
> the junk comes from then you'll have to block the entire netblock and
> not just that part of it.
> 
> iptables -A INPUT -s 209.0.0.0 -j DROP
   ^
Mark, this is a single address...  to drop the entire block, you need a
netmask:
either 209.0.0.0/8 or 209.0.0.0/255.0.0.0


> This should definitely take care of things.
> 



Re: [expert] iptables to block spam

2003-03-02 Thread Mark Weaver
Scott St. John wrote:
> Until I can migrate my clients over to Postfix I have been using the
> access lists in Sendmail to block certain repeat spammers.  I am wondering
> if I could just use iptables to block them and take the load off Sendmail?
>
> My question would be 1)Is that practical 2)Is the proper way to block an
> entire network this:
>
> iptables -A INPUT -s 209.8.161.0/24 -j DROP
>
> I added this, however traffic from this network is still reaching my mail
> server.  I want to block EVERYTHING from that network as they are sending
> porn mail to my clients.
>
> Thanks,
>
> -Scott

Scott,

this method will work, but if you want to block the entire network where the 
junk comes from then you'll have to block the entire netblock and not just 
that part of it.

iptables -A INPUT -s 209.0.0.0 -j DROP

This should definitely take care of things.

--
Mark
"If necessity is the mother of invention, then who's the father?"
---
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & 9.0
ICQ# 27816299



Re: [expert] iptables to block spam

2003-03-02 Thread Pierre Fortin
On Sat, 1 Mar 2003 22:09:04 -0500 (EST) "Scott St. John"
<[EMAIL PROTECTED]> wrote:

> Until I can migrate my clients over to Postfix I have been using the 
> access lists in Sendmail to block certain repeat spammers.  I am
> wondering if I could just use iptables to block them and take the load
> off Sendmail?
> 
> My question would be
> 1)Is that practical

Sometimes...  it depends on the spam...  some jerks use IP address
spoofing which makes it impossible to block with iptables...  however, I'm
using a new tactic to combat the likes of cyberproxy.com...  I look up the
registered owner of the domain and set a sylpheed filter to auto-forward
the postfix reject notices to the registered owner/technical contact... 
so far, with some success...  even had cyberproxy people e-mail me and try
to claim innocence with some gibberish about knowing where the spoofed
addresses were really coming from... not them...  so why have they
subsided so much...?  :)

> 2)Is the proper way to block an entire network this:

Blocking addresses over time will be the least of your concerns;
re-blocking a long list of bad actors will test your patience...  in case
it helps, I have a simple (not very fancy but it works for me) script to
do this (http://pfortin.com/Linux/drop) -- I used to block a lot of
addresses (http://pfortin.com/Linux/iptablesDROPHIST); but I get daily
reports on which addresses are hitting and the worst are just a few:
Chain INPUT (policy ACCEPT 28M packets, 6119M bytes)
 pkts bytes target prot opt in out source          destination
    6   288 DROP   tcp  --  *  *   210.0.0.0/8     0.0.0.0/0    tcp dpt:25
  122  5788 DROP   tcp  --  *  *   64.53.0.0/16    0.0.0.0/0    tcp dpt:80
   60  2880 DROP   tcp  --  *  *   66.54.199.170   0.0.0.0/0    tcp dpt:25
  117  5616 DROP   all  --  *  *   211.154.65.253  0.0.0.0/0

Since I've been blocking spam for so long, the counts are much lower than
they used to be...

Using this info, I comment out many of the addresses in the history file
and reload iptables with the same script -- no sense adding performance
problems by trying to block most of the 'net...

In addition to blocking spammers, I block anyone who tries to use my
website as a relay and everything from anyone that shows up in my CodeRed,
Nimda, etc. traps. Not all of this is documented on my site; but some
is...  would have more time for this if I wasn't fighting 9.0 so much... 
:P

I use postfix to filter out most of the crap that iptables can't... 
(http://pfortin.com/Linux/PostFix/)

HTH,
Pierre (I *HATE* SPAMMERS!!!)

> iptables -A INPUT -s 209.8.161.0/24 -j DROP
> 
> I added this, however traffic from this network is still reaching my
> mail server.  I want to block EVERYTHING from that network as they are
> sending porn mail to my clients.
> 
> Thanks,
> 
> -Scott
> 
> 
> 



Re: [expert] iptables to block spam

2003-03-02 Thread Scott St. John
Ok, I have a spam place this morning trying multiple servers to get into my
mail server: 216.95.201.18, 216.95.201.31, etc.  Let's say I want to block
him totally at the mail server using iptables before he gets to Sendmail.

I would do:

iptables -A FORWARD -s 216.95.201.0/24 -p tcp --dport 25 -j DROP

Does that look right?

Thank you,

-Scott



At 12:48 AM 3/2/2003 -0600, you wrote:
> 209.8.161.0/24 will get 209.8.161.0 - 209.8.161.255. /16 will get
> 209.8.0.0 - 209.8.255.255
>
> Is iptables running on your firewall, with the mail server behind it, or
> on your mail server?  If the former, you might need to add this on the
> FORWARD chain, not INPUT.
>
> Keep in mind that you're blocking all services with that statement.  add
> -p tcp --dport 25 to just block smtp.




Re: [expert] iptables to block spam

2003-03-02 Thread Scott St. John
On Sun, 2 Mar 2003, . wrote:
> 209.8.161.0/24 will get 209.8.161.0 - 209.8.161.255. /16 will get 
> 209.8.0.0 - 209.8.255.255

That is what I put in, yet this spammer still got through to Sendmail.

> Is iptables running on your firewall, with the mail server behind it, or 
> on your mail server?  If the former, you might need to add this on the 
> FORWARD chain, not INPUT.

I have iptables on the mail server, so I should be using the forward 
command instead of input to block them?  I am trying to block them at that 
particular machine.

> Keep in mind that you're blocking all services with that statement.  add 
> -p tcp --dport 25 to just block smtp.

Yes, I guess I should just block them at smtp and not everything.

-Scott




Re: [expert] iptables to block spam

2003-03-02 Thread Scott St. John
On Sat, 1 Mar 2003, Dave Laird wrote:
> iptables -A INPUT -s 209.82.110.17/16 -j DROP will work to drop *everything*
> from 209.82.110.x, regardless of the fourth digits in the network
> address. Unless I've gotten it backwards again (it's past my bedtime) 24 only
> drops the 0 of your address, which might possibly be the gateway, depending
> upon how they have configured their system. 

So I would use /16 for a Class C network?

> I use the firewall to block undesirable IP's as needed, and it has proven,
> time and again, to substantially reduce my spam loads. Also, if you want more
> targets, go to http://www.iana.org/assignments/ipv4-address-space  and look
> up the IP blocks assigned to the primary sources of most pornographic spam.
> Then block them by country. You'd be surprised at how spam levels will drop. 

I am blocking now at the Sendmail level using access lists and I get the 
lists based on email that makes it past SpamAssassin, I read the headers 
and go block.  Most of my customers can deal with the printer ads, but it 
is the porn that bothers them most, especially when they have kids.

-Scott




Re: [expert] iptables to block spam

2003-03-02 Thread Scott St. John
On Sat, 1 Mar 2003, tarvid wrote:
> I do this at the border gateway for bulk mailers that present a heavy load to 
> my postfix mail server.

The owner of the company is against blocking at the router so I am trying 
to do it on the mail server.

> I use spamcop and a local RBL to catch some more.

Similar here, I am using Spam Assassin and some custom access rules in 
Sendmail, but the problem is the amount of time that Sendmail spends 
rejecting this email so I was hoping to block them with iptables and take 
some load off Sendmail.

-Scott




Re: [expert] iptables to block spam

2003-03-01 Thread Dave Laird

Good evening...

On Saturday 01 March 2003 10:48 pm, . wrote:

> 209.8.161.0/24 will get 209.8.161.0 - 209.8.161.255. /16 will get
> 209.8.0.0 - 209.8.255.255
>
> Is iptables running on your firewall, with the mail server behind it, or
> on your mail server?  If the former, you might need to add this on the
> FORWARD chain, not INPUT.

It figures I would get it backwards by typing without double checking.
 The firewall is on the mail server, hence I didn't mention
the FORWARD statement, however, that's a good point, too. Thanks. Now I'm
going to bed.  

Dave
- -- 
Dave Laird ([EMAIL PROTECTED])
The Used Kharma Lot / The Phoenix Project 
Web Page:   http://www.kharma.net updated 01/20/2003
Usenet News server: news.kharma.net
Musicians Calendar and Database access: http://www.kharma.net/calendar.html
   
An automatic & random thought For the Minute:
When you don't know what you are doing, do it neatly.
Q:  What lies on the bottom of the ocean and twitches?
A:  A nervous wreck.


Re: [expert] iptables to block spam

2003-03-01 Thread .


209.8.161.0/24 will get 209.8.161.0 - 209.8.161.255. /16 will get 
209.8.0.0 - 209.8.255.255

Is iptables running on your firewall, with the mail server behind it, or 
on your mail server?  If the former, you might need to add this on the 
FORWARD chain, not INPUT.

Keep in mind that you're blocking all services with that statement.  add 
-p tcp --dport 25 to just block smtp.

Dave Laird wrote:
> Good evening,
>
> On Saturday 01 March 2003 07:09 pm, Scott St. John wrote:
>
> > My question would be 1)Is that practical 2)Is the proper way to block an
> > entire network this:
> > iptables -A INPUT -s 209.8.161.0/24 -j DROP
> >
> > I added this, however traffic from this network is still reaching my mail
> > server.  I want to block EVERYTHING from that network as they are sending
> > porn mail to my clients.
>
> iptables -A INPUT -s 209.82.110.17/16 -j DROP will work to drop *everything*
> from 209.82.110.x, regardless of the fourth digits in the network
> address. Unless I've gotten it backwards again (it's past my bedtime) 24 only
> drops the 0 of your address, which might possibly be the gateway, depending
> upon how they have configured their system.
>
> I use the firewall to block undesirable IP's as needed, and it has proven,
> time and again, to substantially reduce my spam loads. Also, if you want more
> targets, go to http://www.iana.org/assignments/ipv4-address-space  and look
> up the IP blocks assigned to the primary sources of most pornographic spam.
> Then block them by country. You'd be surprised at how spam levels will drop.
>
> Dave




Re: [expert] iptables to block spam

2003-03-01 Thread Dave Laird

Good evening, 

On Saturday 01 March 2003 07:09 pm, Scott St. John wrote:

> My question would be 1)Is that practical 2)Is the proper way to block an
> entire network this:
>
> iptables -A INPUT -s 209.8.161.0/24 -j DROP
>
> I added this, however traffic from this network is still reaching my mail
> server.  I want to block EVERYTHING from that network as they are sending
> porn mail to my clients.

iptables -A INPUT -s 209.82.110.17/16 -j DROP will work to drop *everything*
from 209.82.110.x, regardless of the fourth digits in the network
address. Unless I've gotten it backwards again (it's past my bedtime) 24 only
drops the 0 of your address, which might possibly be the gateway, depending
upon how they have configured their system. 

I use the firewall to block undesirable IP's as needed, and it has proven,
time and again, to substantially reduce my spam loads. Also, if you want more
targets, go to http://www.iana.org/assignments/ipv4-address-space  and look
up the IP blocks assigned to the primary sources of most pornographic spam.
Then block them by country. You'd be surprised at how spam levels will drop. 

Dave
- -- 
Dave Laird ([EMAIL PROTECTED])
The Used Kharma Lot / The Phoenix Project 
Web Page:   http://www.kharma.net updated 01/20/2003
Usenet News server: news.kharma.net
Musicians Calendar and Database access: http://www.kharma.net/calendar.html
   
An automatic & random thought For the Minute:
He asked me if I knew what time it was -- I said yes, but not right now.
-- Steven Wright


Re: [expert] iptables to block spam

2003-03-01 Thread tarvid
On Saturday 01 March 2003 10:09 pm, Scott St. John wrote:
> Until I can migrate my clients over to Postfix I have been using the
> access lists in Sendmail to block certain repeat spammers.  I am wondering
> if I could just use iptables to block them and take the load off Sendmail?
>
> My question would be 1)Is that practical 2)Is the proper way to block an
> entire network this:
>
> iptables -A INPUT -s 209.8.161.0/24 -j DROP
>
> I added this, however traffic from this network is still reaching my mail
> server.  I want to block EVERYTHING from that network as they are sending
> porn mail to my clients.
>
> Thanks,
>
> -Scott

I do this at the border gateway for bulk mailers that present a heavy load to 
my postfix mail server.

I use spamcop and a local RBL to catch some more.

I also use RAV ($) which does a pretty good job at viruses and spam at the 
back end.

jim tarvid

