Thank you for replying. I was looking to block traffic to my port 25 (gateway device) from a list of CIDRs that I obtained from ARIN, APNIC, RIPE, LACNIC & AfriNIC. I don't think my idea will work, as it appears the sending host continually retries sending the message with just a -j DROP in my iptables. I guess I need to send a 553 message so it stops trying. But I'd still like to know why it's not blocking.

Here is my iptables -nL:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:520
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:873
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  172.13.57.1          172.13.57.102
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  192.168.13.2         192.168.13.1         tcp spt:25
ACCEPT     tcp  --  192.168.13.0/24      192.168.13.1         tcp spts:1024:65535 dpt:8100 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:2703
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:24441
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:24441
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:32771
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:6277
ACCEPT     tcp  --  0.0.0.0/0            172.13.57.102        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.13.1         tcp dpt:22
ACCEPT     tcp  --  24.12.195.186        172.13.57.102        tcp dpt:1241
ACCEPT     tcp  --  172.13.57.102        0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  192.168.13.0/24      192.168.13.1         tcp spts:1024:65535 dpt:3128 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            206.141.192.60       udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            206.141.192.60       udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:53
ACCEPT     udp  --  192.168.13.0/24      0.0.0.0/0            udp dpt:53
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F recent: SET name: DEFAULT side: source
SMALL      udp  --  0.0.0.0/0            0.0.0.0/0            length 0:27 recent: SET name: DEFAULT side: source
SMALL      udp  --  0.0.0.0/0            0.0.0.0/0            length 0:39 recent: SET name: DEFAULT side: source
SMALL      icmp --  0.0.0.0/0            0.0.0.0/0            length 0:31 recent: SET name: DEFAULT side: source
SMALL      30   --  0.0.0.0/0            0.0.0.0/0            length 0:31 recent: SET name: DEFAULT side: source
SMALL      47   --  0.0.0.0/0            0.0.0.0/0            length 0:39 recent: SET name: DEFAULT side: source
SMALL      esp  --  0.0.0.0/0            0.0.0.0/0            length 0:49 recent: SET name: DEFAULT side: source
SMALL      ah   --  0.0.0.0/0            0.0.0.0/0            length 0:35 recent: SET name: DEFAULT side: source
SMALL      all  --  0.0.0.0/0            0.0.0.0/0            length 0:19 recent: SET name: DEFAULT side: source
BOGUS      all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
SYN-FLOOD  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x12/0x12 ctstate NEW LOG flags 0 level 4 prefix `Reset Spoof TWH '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x12/0x12 ctstate NEW reject-with tcp-reset
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW LOG flags 0 level 4 prefix `New not syn: '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW
ANTI_SPOOF all  -- !192.168.13.0/24      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
OFFENDER   all  --  0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 300 name: DEFAULT side: source
DROP       all  --  172.13.57.1          224.0.0.1
FINAL_DROP all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05 recent: SET name: DEFAULT side: source
PORTSCAN   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F recent: SET name: DEFAULT side: source
BOGUS      all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
SYN-FLOOD  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x12/0x12 ctstate NEW LOG flags 0 level 4 prefix `Reset Spoof TWH '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x12/0x12 ctstate NEW reject-with tcp-reset
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW LOG flags 0 level 4 prefix `New not syn: '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW
ALLOWED_OUT all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
OFFENDER   all  --  0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 300 name: DEFAULT side: source
FINAL_DROP all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:520
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:873
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  172.13.57.102        172.13.57.1
ACCEPT     tcp  --  192.168.13.1         192.168.13.2         tcp dpt:25
ACCEPT     tcp  --  172.13.57.102        0.0.0.0/0            tcp spts:1025:65535 dpt:25
ACCEPT     tcp  --  192.168.13.2         0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:8100 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2703
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:24441
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:24441
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:32771
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:32771
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:6277
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:1241
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:443 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  172.13.57.102        0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:80 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            206.141.192.60       udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  192.168.13.1         192.168.13.0/24      tcp spt:3128
BOGUS      all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ALLOWED_OUT all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
FINAL_DROP all  --  0.0.0.0/0            0.0.0.0/0

Chain ALLOWED_OUT (2 references)
target     prot opt source               destination
RETURN     all  --  172.13.57.102        0.0.0.0/0
RETURN     all  --  192.168.13.0/24      0.0.0.0/0

Chain ANTI_SPOOF (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `Spoofing DENY: '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain BLOCKEDSMTP (0 references)
target     prot opt source               destination

Chain BOGUS (3 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `INVALID PACKET DROP '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FINAL_DROP (3 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `FINAL DROP '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OFFENDER (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `OFFENDER -- SHUN '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain PORTSCAN (15 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `PORTSCAN -- SHUN '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain SMALL (8 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `SMALL -- SHUN '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain SYN-FLOOD (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 7 level 4 prefix `SYN-FLOOD '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

-----Original Message-----
From: Jozsef Kadlecsik [mailto:kadlec@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, March 15, 2006 10:40 AM
To: Thomas Raef
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: ipset not blocking

On Wed, 15 Mar 2006, Thomas Raef wrote:

> I'm using ipset 2.2.8 version 2
> Iptables v1.3.4
> Kernel 2.6.15
>
> If I change the iptables to the INPUT chain it blocks, but more than
> just dst port 25, it blocks everything.

Could you post more details? What is it you actually want to do? To protect a mail server behind a firewall, or is it the mail server itself where you want to set up iptables/ipset?

Please send the output of 'iptables -nL' as well.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
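The question in the message above is why the ipset rule never blocks port 25. Reading a listing like this one by hand, two things matter: iptables evaluates a chain top to bottom and stops at the first ACCEPT/DROP/REJECT, and a user-defined chain with "0 references" (BLOCKEDSMTP here) is never entered, so whatever is inside it is dead. The script below is an added example written for this thread; it is not the poster's configuration nor netfilter/ipset code. It parses the default `iptables -nL` column layout, lists unreferenced chains, and walks a chain in first-match order for a probe packet, following jumps into user chains. The SAMPLE listing is a constructed, shortened copy of the posted INPUT chain, and all function and variable names are mine. One caveat is built in: plain `-nL` hides interface matches (`-i lo` and the like) and this audit ignores state, flags and recent matches, so a reported hit means "nothing visible rules this rule out", which is why `first_verdict` takes a `skip` set for rules the analyst knows do not apply. `iptables -nvL` or `iptables-save` shows the hidden matches.

```python
"""Audit an `iptables -nL` listing: first-match walk for a probe packet, plus
user chains that are never jumped to.  Added example for this thread, not the
poster's or netfilter's code.  Assumes the default -nL column layout."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, shortened copy of the INPUT chain posted in the thread.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:873
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            172.13.57.102        tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
FINAL_DROP all  --  0.0.0.0/0            0.0.0.0/0

Chain BLOCKEDSMTP (0 references)
target     prot opt source               destination

Chain FINAL_DROP (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 7 level 6
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

@dataclass
class Rule:
    target: str
    proto: str
    source: str
    dest: str
    extra: str  # everything after the destination column (ports, state, flags...)

@dataclass
class Chain:
    name: str
    policy: Optional[str]      # built-in chains carry a policy
    references: Optional[int]  # user-defined chains carry a reference count
    rules: List[Rule] = field(default_factory=list)

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)")
DPORT_RE = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_listing(text: str) -> dict:
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            refs = int(m.group(3)) if m.group(3) is not None else None
            current = Chain(m.group(1), m.group(2), refs)
            chains[current.name] = current
            continue
        parts = line.split(None, 5)
        if current is None or len(parts) < 5 or parts[0] == "target":
            continue  # blank line or column header
        target, proto, _opt, src, dst = parts[:5]
        current.rules.append(Rule(target, proto, src, dst, parts[5] if len(parts) > 5 else ""))
    return chains

def unreferenced_chains(chains: dict) -> List[str]:
    """User chains nobody jumps to: every rule inside them is dead."""
    return sorted(c.name for c in chains.values() if c.references == 0)

def _addr_ok(spec: str, addr: str) -> bool:
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return not hit if spec.startswith("!") else hit

def _dport_ok(extra: str, dport: int) -> bool:
    m = DPORT_RE.search(extra)
    if not m:
        return True  # rule does not constrain the destination port
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return lo <= dport <= hi

def could_match(rule: Rule, pkt: dict) -> bool:
    """Conservative: proto/src/dst/dport only.  -nL hides -i/-o, and state,
    flags and recent matches are ignored, so True means 'not ruled out'."""
    return ((rule.proto == "all" or rule.proto == pkt["proto"])
            and _addr_ok(rule.source, pkt["src"]) and _addr_ok(rule.dest, pkt["dst"])
            and _dport_ok(rule.extra, pkt["dport"]))

def candidate_rules(chains: dict, chain: str, pkt: dict) -> List[int]:
    return [i for i, r in enumerate(chains[chain].rules) if could_match(r, pkt)]

def first_verdict(chains, chain, pkt, skip=frozenset(), trail=None):
    """Walk the chain in first-match order, following jumps into user chains.
    `skip` holds (chain, index) pairs known not to apply to this packet,
    e.g. an `ACCEPT all` that is really `-i lo`.  Returns (verdict, trail)."""
    trail = [] if trail is None else trail
    c = chains[chain]
    for i, r in enumerate(c.rules):
        if (chain, i) in skip or not could_match(r, pkt):
            continue
        trail.append(f"{chain}[{i}] {r.target}")
        if r.target in TERMINAL:
            return r.target, trail
        if r.target == "RETURN":
            break
        if r.target in chains:  # jump; a user chain that falls off the end resumes here
            verdict, _ = first_verdict(chains, r.target, pkt, skip, trail)
            if verdict is not None:
                return verdict, trail
        # LOG and other non-terminating targets: keep walking
    return c.policy, trail  # None for a user chain, i.e. resume in the caller

if __name__ == "__main__":
    ch = parse_listing(SAMPLE)
    probe = {"proto": "tcp", "src": "203.0.113.10", "dst": "172.13.57.102", "dport": 25}
    print("dead chains:", unreferenced_chains(ch))
    print("tcp/25 from outside:", first_verdict(ch, "INPUT", probe, skip={("INPUT", 2)}))
```

Run against the posted listing, the audit reports BLOCKEDSMTP as unreferenced and, even treating the fifth INPUT rule as a loopback accept, an external SYN to port 25 hits `ACCEPT tcp dpt:25` before any rule could consult an ipset. A `-m set --match-set ... src -j BLOCKEDSMTP` (or `-j REJECT --reject-with tcp-reset`, if the goal is to make the sender give up rather than retry) has to sit above that ACCEPT to ever see the packet.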