Georgi Alexandrov wrote:
Georgi Alexandrov wrote:
Lucky Leavell wrote:
OS: SuSE 9.3 Pro
I work with a small ISP and we are encountering with increasing
frequency Windows machines which have been compromised and
apparently being used as spambots based on their attempted
connection to port 25 of foreign hosts instead on using our mail
server for outgoing mail.
With allowance for legitimate exceptions, could we simply disallow
port 25 connections from within our networks to any but our mail
servers?
Yes, something like that:
iptables -A FORWARD -p tcp -s $our_networks -d !
$our_mail_server_ip_addr --dport 25 -j DROP
Or, if you have multiple mail servers, something like that:
iptables -A FORWARD -p tcp -s $our_networks -d $first_mail_server
--dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks -d $second_mail_server
--dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks -d $third_mail_server
--dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks --dport 25 -j DROP
Or, you can DNAT all requests to port 25/tcp to your server, like that:
iptables -t nat -A PREROUTING -p tcp -s $our_networks --dport 25 -j DNAT
--to $our_mail_server
(We run all outgoing -as well as incoming- mail thru
amavis/clamav/spamassassin.)
Any other thoughts or links to resources?
Thank you,
Lucky
regards,
Georgi Alexandrov
