using iptables to block attacks on SMTP server

Hi there,

I tried to use iptables to block too many connections to an SMTP server that runs on a virtual machine on SUSE.

For some reason none of my tries was successful.

I have a small dedicated network for my virtual machines and want to limit the requests per second from one source IP.

I tried

iptables -I INPUT -p tcp --destination <mailserver IP> --dport 25 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --destination <mailserver IP> --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP

As far as I understand, this should limit the SMTP requests to 20/minute from the same source IP, but when I tested it, it did not have any effect (I could open more than 20 connections at the same time).

I also tried FORWARD instead of INPUT, but that did not work either.

I also failed to activate logging for this command.

Does anybody know how to configure it in the right way?

Thanks

Look at the whole picture:

#iptables -nvL

Maybe your rule isn't inserted where you want it to be.

This seems to work, or the attacks just stopped:

iptables -I FORWARD -p tcp --destination <mailserver IP> --dport 25 -m state --state NEW -m recent --set --name MAIL --rsource
iptables -I FORWARD -p tcp --destination <mailserver IP> --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name MAIL --rsource -j DROP

I would still like to log the drops but have no idea how.

Use:

iptables -I FORWARD -p tcp --destination <mailserver IP> --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name MAIL --rsource -j LOG

Just before the drop rule. Please use code tags when applicable :)
http://forums.opensuse.org/english/get-technical-help-here/how-faq-forums/advanced-how-faq-read-only/451526-posting-code-tags-guide.html
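An added example, not posted by anyone in this thread: a small POSIX sh helper that puts the three rules discussed above (LOG, DROP, then --set) into their own chain, so the order no longer depends on the -I insert order the earlier reply pointed at, and rate-limits the LOG rule so a flood of connections cannot also flood syslog. It keeps the thread's FORWARD chain and MAIL list name; the chain name SMTP_LIMIT, the log prefix and the limit values are assumptions, and IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: rate-limit new SMTP connections per source with xt_recent,
# kept in its own chain so rule order does not depend on -I vs -A.
# Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"

# usage: build_smtp_limit_rules <chain> <mailserver IP> <hits> <seconds>
build_smtp_limit_rules() {
    chain="$1"; mail_ip="$2"; hits="$3"; secs="$4"
    # xt_recent stores at most ip_pkt_list_tot (default 20) timestamps per
    # source and rejects a --hitcount above it; raise the module parameter
    # if you need a higher threshold.
    [ "$hits" -le 20 ] || { echo "hitcount > 20 needs ip_pkt_list_tot" >&2; return 1; }

    $IPT -N "$chain" 2>/dev/null || true
    $IPT -F "$chain"
    # Send new SMTP connections for the mail server to the chain. The thread
    # uses FORWARD because the host routes traffic for the VM; use INPUT if
    # the MTA runs on this host. Delete a stale jump first so it is not doubled.
    $IPT -D FORWARD -p tcp -d "$mail_ip" --dport 25 -m state --state NEW -j "$chain" 2>/dev/null || true
    $IPT -I FORWARD -p tcp -d "$mail_ip" --dport 25 -m state --state NEW -j "$chain"

    # 1. Log sources over the threshold. --rcheck only reads the list, so the
    #    hit is not counted twice; -m limit keeps a flood from filling syslog.
    $IPT -A "$chain" -m recent --rcheck --seconds "$secs" --hitcount "$hits" --name MAIL --rsource \
        -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "SMTP-LIMIT "
    # 2. Drop them; --update refreshes last-seen so a persistent source stays blocked.
    $IPT -A "$chain" -m recent --update --seconds "$secs" --hitcount "$hits" --name MAIL --rsource -j DROP
    # 3. Record everyone else and let the connection through.
    $IPT -A "$chain" -m recent --set --name MAIL --rsource -j RETURN
}

# Dry run: print the targets of the chain rules in order (LOG, DROP, RETURN),
# to compare against `iptables -nvL <chain>` after applying for real.
dry_run_rule_order() {
    (IPT=echo; build_smtp_limit_rules SMTP_LIMIT "$1" 20 60) |
        awk '$1 == "-A" { for (i = 1; i < NF; i++) if ($i == "-j") print $(i + 1) }'
}
```

After applying for real, `iptables -nvL SMTP_LIMIT` shows per-rule packet counters, so you can see whether the LOG and DROP rules are actually matching.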