Problems with logging outgoing SMTP connections

Dear all,

I would like to consult with you about an iptables rule which, in my opinion, was sufficient for my needs, but it looks like I am making a mistake somewhere.
I would like to log every outgoing SMTP connection from my server. What is more, I would like to log only those connections which exceed a limit of 40 per minute. That is why I put the following two lines into my iptables:

/sbin/iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW -m recent --set
/sbin/iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 40 -j LOG --log-prefix "Out. SMTP con LIMIT: " --log-level 4

Unfortunately, it doesn't work as I expected. I am testing it by running the following for loop from my server:

for i in {1..200} ; do echo "QUIT" | nc mailserver 25 ; done

The whole loop finishes in around 30 seconds, so, in my opinion, there are more than 40 new outgoing SMTP connections from my server. Unfortunately, nothing is printed in the log file.
BTW, I've changed the syslog configuration file so that kern.warning logs go to a separate log file, so this is not an issue here.
What is more interesting, when I change the hitcount value to 5, it suddenly starts to log all connections which exceed the limit.

Where am I making a mistake?
Thank you in advance for any constructive tip.

Best Regards
--
Piotr Pawlowski
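
Added example, not part of the original post: the `recent` match remembers only a limited number of packets per address, set by the `ip_pkt_list_tot` module parameter (20 by default on kernels of this period), so a `--hitcount` above that value is never reached, which is consistent with 5 working and 40 not. The check below compares each `--hitcount` in a rule listing against that parameter; the sysfs path, the function names and the treatment of a value of 0 as "no explicit cap" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag --hitcount values that
# exceed xt_recent's per-address packet memory.

# Module parameter on a running system (assumed path for xt_recent;
# older kernels name the module ipt_recent).
PARAM_FILE=/sys/module/xt_recent/parameters/ip_pkt_list_tot

# Constructed sample input: the two rules from the post in iptables-save
# form (-I puts the later rule first).
sample_rules() {
    cat <<'EOF'
-A OUTPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 40 -j LOG --log-prefix "Out. SMTP con LIMIT: " --log-level 4
-A OUTPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set
EOF
}

# check_hitcounts [PARAM_FILE] < rules
# Prints one line per --hitcount found. Returns 1 if any hitcount is above
# the limit, 2 if the parameter cannot be read, 0 otherwise.
check_hitcounts() {
    param=${1:-$PARAM_FILE}
    if [ ! -r "$param" ]; then
        echo "cannot read $param (is xt_recent loaded?)" >&2
        return 2
    fi
    limit=$(cat "$param")
    awk -v limit="$limit" '
        {
            for (i = 1; i < NF; i++) {
                if ($i != "--hitcount") continue
                hc = $(i + 1) + 0
                # A limit of 0 is treated as "no explicit cap" (assumption).
                if (limit + 0 > 0 && hc > limit + 0) {
                    printf "EXCEEDS hitcount=%d limit=%d\n", hc, limit
                    bad = 1
                } else {
                    printf "OK hitcount=%d limit=%d\n", hc, limit
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}
```

On a live system the listing can be piped in with `iptables-save | check_hitcounts`; where the parameter is the limiting factor, it is raised by reloading the module with a larger `ip_pkt_list_tot` value.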




