Log from #iptables at freenode 2006-07-31
[17:19]<jjxggdq1|wjzc>http://www.rafb.net/paste/results/oltZIZ22.nln.html
[17:21]<vyrn-vnzsr>Johnny23|work: I take it this isn't the same box you were working on a week or two back?
[17:22]<jjxggdq1|wjzc>vice-versa: nope, this is the server itself, I was working on a test box previously
[17:24]<vyrn-vnzsr>Johnny23|work: try the INPUT 139 445 tcp rules without -m state --state NEW
[17:26]<fggyw|wjzc>vice-versa, centos and me aren't friendly... I can't tell whether the kernel has ip_nat installed
[17:28]<fggyw|wjzc>http://www.rafb.net/paste/results/fxBGdz83.html is my kernel config
[17:30]<vyrn-vnzsr>CONFIG_IP_NF_NAT=m
[17:32]<vyrn-vnzsr>so yes, modprobe iptable_nat
[17:34]<fggyw|wjzc>vice-versa, I did, no joy
[17:34]<fggyw|wjzc>I'm using CentOS kernel 2.6.9-34.0.2.ELsmp
[17:35]<vyrn-vnzsr>lsmod show it at all now?
[17:35]<fggyw|wjzc>is there perhaps a script problem?
[17:35]<jjxggdq1|wjzc>vice-versa: same error, new paste of iptables-save -c: http://www.rafb.net/paste/results/c5iMeJ24.nln.html
[17:36]<fggyw|wjzc>vice-versa, it shows when I load it...
[17:36]<fggyw|wjzc>... then when I try to start iptables it disappears
[17:37]<vyrn-vnzsr>modprobe it again and try that one rule from the cli
[17:37]<fggyw|wjzc>vice-versa, so, basically... remove the rule from my config... start up iptables, and let it fly? :)
[17:38]<fggyw|wjzc>ok... when I remove the rule from my config file I have iptable_nat, ipt_LOG, ipt_state, ip_conntrack, iptable_filter and ip_tables
[17:39]<fggyw|wjzc>then typing this command at the command prompt, I don't receive an error...
[17:39]<fggyw|wjzc>[root@portal sysconfig]# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 110 -j DNAT --to 172.16.0.78:110
[17:39]<vyrn-vnzsr>try the rule from the cli now
[17:40]<fggyw|wjzc>how do I check to see if the rule is indeed running
[17:40]<vyrn-vnzsr>ok, iptables -t nat -nvL
[17:41]<fggyw|wjzc>one prerouting chain shows
[17:41]<fggyw|wjzc>the one I specified
[17:42]<fggyw|wjzc> 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 to:172.16.0.78:110
[17:43]<vyrn-vnzsr>Fenix|work: try connection to 110 from another box now
[17:45]<vyrn-vnzsr>Johnny23|work: what makes you think this is firewall related? does it work with no firewall?
[17:46]<fggyw|wjzc>vice-versa, my connection seems to time out
[17:46]<fggyw|wjzc>but I'm not getting a connection refused error
[17:46]<vyrn-vnzsr>how are you testing?
[17:47]<vyrn-vnzsr>check again iptables -t nat -nvL packet counters increase?
[17:47]<fggyw|wjzc>with thunderbird, and at a command prompt
[17:47]<fggyw|wjzc>vice-versa, yes...
[17:47]<fggyw|wjzc>5 packets... 240 bytes
[17:48]<fggyw|wjzc>is it possible, the connection isn't coming back?
[17:48]<fggyw|wjzc>do I need to set up a postrouting rule?
[17:49]<vyrn-vnzsr>Fenix|work: yes
[17:50]<fggyw|wjzc>iptables -t nat -A POSTROUTING -p tcp -o eth0 -dport 110 -j SNAT -from 172.16.0.78:110 ?
[17:51]<jjxggdq1|wjzc>vice-versa: has worked with no firewall for well over 6 months
[17:51]<vyrn-vnzsr>Johnny23|work: aye
[17:51]<jjxggdq1|wjzc>vice-versa: just started happening after I put the firewall up
[17:52]<jjxggdq1|wjzc>vice-versa: just double checked by stopping iptables, works fine
[17:52]<vyrn-vnzsr>Fenix|work: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.16.0.78:110
[17:53]<vyrn-vnzsr>Johnny23|work: try logging the packets before dropping them to see what's going on
[17:55]<fggyw|wjzc>vice-versa, 1 packet in... 1 packet out
[17:56]<fggyw|wjzc>but I'm timing out, I can't download mail
[17:57]<vyrn-vnzsr>Fenix|work: is there http daemon on the hosting box too?
[17:58]<fggyw|wjzc>yes
[17:58]<vyrn-vnzsr>try working with that first then
[17:59]<vyrn-vnzsr>iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 172.16.0.78:80
[18:04]<fggyw|wjzc>vice-versa, I have a reverse proxy set up on this box... can't use port 80 through it
[18:10]<fggyw|wjzc>vice-versa, question ... the last rule... the postrouting rule ... why is the to-source going back to the mail server?
[18:10]<fggyw|wjzc>shouldn't it be going out into the internet?
[18:10]<fggyw|wjzc>shouldn't the source be from the mail server?
[18:12]<cyvvjgyrg>hi all, anyone around?
[18:12]<cyvvjgyrg>I've got a major problem and I really hope someone can help me here. We are receiving a massive amount of e-mail all of a sudden (over the past 3 days) that is literally taking down our mail server(s). I've tried switching the routing of the incoming mail to another backup mail server and immediately that one starts locking up (and these are powerful machines). What is happening after looking at the log files is that a massive
[18:12]<cyvvjgyrg>amount of messages are pouring in and all of them are trojan viruses. I've temporarily switched the ip address on our router so that incoming mail gets sent to an ip addy that doesn't exist on our LAN but as of right now (and for the last 3 days) we can't check our mail, receive mail, send mail, or do anything mail related at the moment (in fact, if the messages are coming in you have to wait a few minutes after typing something
[18:12]<cyvvjgyrg> for the server to respond and start to initiate the command). What do I do?
[18:13]<cyvvjgyrg>Is there a way to find out where this is coming from and somehow block it from getting through on our router box (we're running iptables/ipfilter on a debian box)
[18:14]<rlraxne>check the connection logs
[18:14]<rlraxne>if its just one ip which is trying to flood you or which ips are involved in this
[18:14]<vyrn-vnzsr>Fenix|work: yes, sorry I don't know your layout there...this went from how do I write this rule to where it is now with only a vague idea of what's on your end
[18:14]<rlraxne>and then nullroute those
[18:14]<cyvvjgyrg>where would those be? I've never had an issue like this before
[18:14]<fggyw|wjzc>vice-versa, that's my bad :)
[18:14]<rlraxne>another way is to put a screening smtp in front of your real smtp
[18:14]<rlraxne>that smtp will just verify the emails for spam and drop them
[18:14]<rlraxne>and then forward real emails to your smtp
[18:15]<fggyw|wjzc>basically ... I want this. Client <--> gateway <--> mail server ... then back out
[18:15]<cyvvjgyrg>I've got spamassassin and clamd running on our mail servers already.
[18:15]<rlraxne>so whats the problem ? :P
[18:15]<cyvvjgyrg>within 20 seconds it gets to the point where all the memory and cpu is being used up trying to check all this incoming mail
[18:15]<rlraxne>are you using latest versions ?
[18:15]<cyvvjgyrg>so I can't do anything on those servers and they start locking up
[18:15]<rlraxne>clamd has had some bugs
[18:16]<cyvvjgyrg>yes I am using the latest versions
[18:16]<cyvvjgyrg>and there has never been an issue until 3 days ago when this blast started
[18:16]<rlraxne>and those smtp do they forward email to internal smtp
[18:16]<rlraxne>which emails are being addressed ?
[18:16]<cyvvjgyrg>they scan each incoming msg and then either deliver or delete based on the results
[18:17]<fggyw|wjzc>vice-versa, mind if I open a window with you for a moment?
[18:17]<rlraxne>kittonian: ok so its internet <-> smtp <-> internal smtp ?
[18:17]<vyrn-vnzsr>Fenix|work: join #vice-versa
[18:18]<cyvvjgyrg>it's internet <-> routerbox <-> mail server running spamd/clamd/qmail
[18:18]<rlraxne>ok so you dont have any internal mailserver ?
[18:18]<rlraxne>otherwise its often better to have an outer smtp which will perform the virus and spam checks and then deliver to internal smtpserver
[18:18]<rlraxne>this way it wont have to take care of internal clients
[18:19]<rlraxne>but i would suggest you to dig into the logs and see which ip or against which mailboxes this flood occurs against
[18:19]<rlraxne>and then block the ip in the router and mailbox in the outer smtpserver
[18:20]<cyvvjgyrg>we just have 1 main mailserver
[18:20]<rlraxne>then setup a second box ? :P
[18:20]<cyvvjgyrg>i don't have an additional box to setup like that
[18:20]<rlraxne>then you should speak with your boss to setup a better design to handle such load
[18:21]<cyvvjgyrg>i am the boss, owner, and sole sysadmin here
[18:21]<cyvvjgyrg>this is a small business
[18:21]<rlraxne>usually you use internet <-> router <-> outer smtp (filter spam and virus) <-> internal smtp (will just handle mailboxes and its clients)
[18:21]<rlraxne>if you use internet <-> router <-> mailserver then the server will have to do many things which might overload it
[18:22]<rlraxne>especially if you have like 100-1000 or more clients hooked up to it
[18:22]<rlraxne>also the risk of being compromised