Hi there anyone out there, desperate for help on this one, I'm really stuck after days of trying to figure this one out.

I have set up 1.4.6a on RH9 successfully, all my rules are working exactly right, but I am not getting the DNAT one to work.

My setup: eth0 = 192.168.0.6 / eth1 = 10.100.1.4 (with norfc1918). Eth1 is connected to a Cisco 677, and on there I have configured all traffic incoming (110) to be going to the eth1 on fw. This seems to be working if you look at the logs.

I want to forward all mail coming into the fw on port 110 to port 110 on 192.168.0.4. This is how I've done it:

DNAT:info net loc:192.168.0.4 tcp 110

I can connect to the 110 port on 192.168.0.4 fine from within the network, so I know it works. However, when testing it from outside my network this is the log:

Sep 1 10:42:15 fw-2 kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=00:10:4b:6c:a0:6f:00:02:fd:02:96:c9:08:00 SRC=217.164.172.77 DST=10.100.1.4 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=649 DF PROTO=TCP SPT=1084 DPT=110 WINDOW=8760 RES=0x00 SYN URGP=0

Sep 1 10:42:15 fw-2 kernel: Shorewall:logdrop:DROP:IN=eth1 OUT=eth0 SRC=217.164.172.77 DST=192.168.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=649 DF PROTO=TCP SPT=1084 DPT=110 WINDOW=8760 RES=0x00 SYN URGP=0

From this I gather that the Cisco is passing on the traffic to the fw, and it looks like DNAT is performed on it. But then it gets dropped when trying to send it on to the internal server. Why, I have no idea, and admittedly my knowledge of IPTables is just not there yet.

I have even tried to make an extra rule like this to see if it would make a difference, no go:

ACCEPT:info net loc:192.168.0.4 tcp 110

If you want me to I can post all the other relevant files, but I have a strong suspicion I am missing the obvious or something similar. Would hugely appreciate any pointers.
On Sunday 31 August 2003 11:06 pm, Eugène van Rooyen wrote:

> Sep 1 10:42:15 fw-2 kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT=
> MAC=00:10:4b:6c:a0:6f:00:02:fd:02:96:c9:08:00 SRC=217.164.172.77
> DST=10.100.1.4 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=649 DF PROTO=TCP
> SPT=1084 DPT=110 WINDOW=8760 RES=0x00 SYN URGP=0
>
> Sep 1 10:42:15 fw-2 kernel: Shorewall:logdrop:DROP:IN=eth1 OUT=eth0
> SRC=217.164.172.77 DST=192.168.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=649
> DF PROTO=TCP SPT=1084 DPT=110 WINDOW=8760 RES=0x00 SYN URGP=0
>
> ACCEPT:info net loc:192.168.0.4 tcp 110
>
> If you want me to I can post all the other relevant files, but I have a
> strong suspicion I am missing the obvious or something similar. Would
> hugely appreciate any pointers.

Try without norfc1918 ????

-- 
John Andersen - NORCOM http://www.norcomsoftware.com/
On Monday 01 September 2003 04:11 am, John Andersen wrote:

> > DF PROTO=TCP SPT=1084 DPT=110 WINDOW=8760 RES=0x00 SYN URGP=0
> >
> > ACCEPT:info net loc:192.168.0.4 tcp 110

try it like this

DNAT net loc:192.168.0.4 tcp 110

Richard
Hey guys, how would I use blacklist to drop all connections from the following network?

cpe-66-8-169-249.hawaii.rr.com/66.8.169.249

This is one of hundreds of similar IPs currently killing my network with blaster attacks.
On Sunday 07 September 2003 11:13 am, Nick Sklavenitis wrote:

> Hey guys how would i use black list to drop all connections from the
> following network.
>
> cpe-66-8-169-249.hawaii.rr.com/66.8.169.249
>
> This is one of hundreds of ip that are similar currently killing my
> network with blaster attacks.

Add blacklist to your external interface (interfaces file).
Add the ip to the blacklist file. You can ban the ip totally, or just for certain protocols. Read the comments in the blacklist file.
Then do shorewall restart.

Or it might be in the faq.

But why do you think you need this at all if you are behind a shorewall firewall? Why would you have any ports open to the net that blaster could use?

-- 
John Andersen - NORCOM http://www.norcomsoftware.com/
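As an added example (not from either thread, and not part of Shorewall itself), the script below parses Shorewall's kernel log lines and does the two things these threads call for: it follows one packet by SRC/SPT/DPT/ID across chains, so the DNAT-then-logdrop pair from the first thread comes out as "DNAT rewrote DST 10.100.1.4 to 192.168.0.4, then DROP in logdrop on eth1->eth0", which is exactly what the poster inferred by eye; and it counts dropped probes per source on the external interface and renders the busiest ones as blacklist-file lines. The first two sample lines are the ones quoted above. The remaining lines, the chain name net2all, the 192.0.2.77 source and the TCP/135 destination port (the RPC port Blaster scans for) are constructed, and the ADDRESS PROTOCOL PORT column order is an assumption about the blacklist file layout, not something the thread states.

```python
"""Parse Shorewall/netfilter kernel log lines and answer two questions from the
list threads: was a DNAT'd packet dropped on the forward path, and which external
sources hit a port often enough to belong in the blacklist file.
Added example; not Shorewall code."""
import re
from collections import Counter, defaultdict

# Constructed sample log. Lines 1-2 are the entries quoted in the DNAT thread
# (OUT= and MAC= are separate netfilter fields). Lines 3-6 imitate repeated
# TCP/135 probes; the net2all chain name and the 192.0.2.77 source are made up.
SAMPLE_LOG = """\
Sep  1 10:42:15 fw-2 kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=00:10:4b:6c:a0:6f:00:02:fd:02:96:c9:08:00 SRC=217.164.172.77 DST=10.100.1.4 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=649 DF PROTO=TCP SPT=1084 DPT=110 WINDOW=8760 RES=0x00 SYN URGP=0
Sep  1 10:42:15 fw-2 kernel: Shorewall:logdrop:DROP:IN=eth1 OUT=eth0 SRC=217.164.172.77 DST=192.168.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=649 DF PROTO=TCP SPT=1084 DPT=110 WINDOW=8760 RES=0x00 SYN URGP=0
Sep  7 11:13:02 fw-2 kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=66.8.169.249 DST=10.100.1.4 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1001 DF PROTO=TCP SPT=3001 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  7 11:13:02 fw-2 kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=66.8.169.249 DST=10.100.1.4 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1002 DF PROTO=TCP SPT=3002 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  7 11:13:03 fw-2 kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=66.8.169.249 DST=10.100.1.4 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1003 DF PROTO=TCP SPT=3003 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  7 11:13:05 fw-2 kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=192.0.2.77 DST=10.100.1.4 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2001 DF PROTO=TCP SPT=4001 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# syslog prefix, then Shorewall:<chain>:<action>:<netfilter fields>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one.
    KEY=VALUE tokens become entries (an empty OUT= stays an empty string);
    bare tokens such as DF or SYN are collected under 'flags'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group("ts"), "host": m.group("host"),
          "chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            ev[key] = val
        else:
            ev["flags"].append(tok)
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def packet_key(ev):
    """Identify one packet as it crosses several chains. DST changes after DNAT
    and TTL drops by one when forwarded, so neither belongs in the key."""
    return (ev.get("SRC"), ev.get("PROTO"), ev.get("SPT"), ev.get("DPT"), ev.get("ID"))


def dnat_then_dropped(events):
    """Find packets rewritten by a DNAT rule and then dropped while being
    forwarded (both IN and OUT set). Returns a list of finding dicts."""
    by_packet = defaultdict(list)
    for ev in events:
        by_packet[packet_key(ev)].append(ev)
    findings = []
    for key, evs in by_packet.items():
        dnat = next((e for e in evs if e["action"] == "DNAT"), None)
        drop = next((e for e in evs if e["action"] == "DROP" and e.get("OUT")), None)
        if dnat and drop:
            findings.append({
                "src": key[0], "dpt": key[3],
                "original_dst": dnat.get("DST"), "rewritten_dst": drop.get("DST"),
                "drop_chain": drop["chain"], "path": f'{drop["IN"]}->{drop["OUT"]}',
            })
    return findings


def noisy_sources(events, dpt, iface, min_hits):
    """Count DROPped packets per source for one destination port arriving on the
    external interface; return sources at or above the threshold, busiest first."""
    hits = Counter(ev["SRC"] for ev in events
                   if ev["action"] == "DROP" and ev.get("DPT") == dpt and ev.get("IN") == iface)
    return [(src, n) for src, n in hits.most_common() if n >= min_hits]


def blacklist_lines(sources, proto, port):
    """Render ADDRESS PROTOCOL PORT lines (assumed column order; check the
    comments in your own blacklist file before pasting)."""
    return [f"{src}\t{proto}\t{port}" for src, _ in sources]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in dnat_then_dropped(evs):
        print(f"{f['src']} -> port {f['dpt']}: DNAT rewrote DST {f['original_dst']} to "
              f"{f['rewritten_dst']}, then DROP in {f['drop_chain']} on {f['path']}")
    for line in blacklist_lines(noisy_sources(evs, "135", "eth1", 3), "tcp", "135"):
        print(line)
```

To use it on a real box, feed it the contents of /var/log/messages instead of SAMPLE_LOG, set the interface to your external one and pick a threshold that separates a few stray SYNs from a machine that is hammering you; review the output before appending it to the blacklist file and then restart Shorewall as described above.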
> But why do you think you need this at all
> if you are behind a shorewall firewall?

To keep infected machines from hammering my mail server with what has been logged as virus mail... I do that... I was getting 3-5 virus notifications a min.. The mail was discarded, but why should it tie up my mail server? That is what I think he meant by "killing my network with blaster attacks."

Jerry Vonau
On Sunday 07 September 2003 02:11 pm, Jerry Vonau wrote:

> > But why do you think you need this at all
> > if you are behind a shorewall firewall?
>
> To keep infected machines from hammering my mail server
> with what has been logged as virus mail... I do that...
> I was getting 3-5 virus notifications a min..
> The mail was discarded, but why should it tie up my mail server?
> That is what I think he meant by "killing my network with blaster attacks."

Well, what you are trying to do won't help much.

The virus forges the from address, causing bounce messages to come to you, and these bounce messages can be coming from everywhere, all of them bouncing the original virus back to a forged address - namely yours. You will also get some viruses direct. Those are by far the minority, and those you can successfully block with blacklisting.

But you will probably find by careful inspection that those messages that come with "RE:" subject lines are bounces or rejects from a variety of different places, and blacklisting won't help here.

I had over 300 viruses a day either bounced to me or sent directly from one particular IP in Albany on road runners system. It got so bad I put in a content filter to find any mention of 24.97.41.77 in any part of the message and if found, I rewrote the header with VIRUS on 24.97.41.77 and summarily bounced the entire thing to roadrunner abuse address. (This after trying politely to get RR to do something about it for over a week).

Of course this actually worsened my bandwidth utilization because I had to pay the penalty yet again for each mail, but it got their attention, and I haven't seen one of these for days.

-- 
John Andersen - NORCOM http://www.norcomsoftware.com/
> > That is what I think he meant by "killing my network with blaster attacks."
>
> Well what you are trying to do won't help much.

I disagree, some have their own smtp engine.... I was getting 3-5 of these a minute, every minute on my mail server:

Aug 26 14:25:43 scanmail mimedefang.pl[31215]: MDLOG,h7QJPcSo000448,virus,W32.Sobig.F@mm,64.56.zzz.zz,<xxxx@xxxxx.com>,xxxxxxx@x , Re: That movie

65.56.zzz.zz was a small isp of the infected machine, that I blocked at the firewall, after mailing the logs... That was step one of the problem of a direct contact of the infected machine.... The ip was removed the next day...

> The virus forges the from address, causing bounce messages to come
> to you, and these bounce message can
> be coming from everywhere, all of them bouncing the original virus
> back to a forged address - namely yours. You will also get some
> viruses direct. Those are by far the minority, and those you
> can successfully block with blacklisting.
> But you will probably find by careful inspection that those
> messages that come with "RE:" subject lines are bounces
> or rejects from a variety of different places, and blacklisting
> won't help here.

Nod... different issue...

> I had over 300 viruses a day either bounced to me or sent
> directly from one particular IP in Albany on road runners
> system.

That one ip could have been blacklisted...

> It got so bad I put in a content filter to find any mention
> of 24.97.41.77 in any part of the message and if found, I
> rewrote the header with VIRUS on 24.97.41.77 and
> summarily bounced the entire thing to roadrunner
> abuse address. (This after trying politely to get
> RR to do something about it for over a week).

In my case the small isp was most helpful, he started to have some bandwidth issues ;)

> Of course this actually worsened my bandwidth utilization
> because I had to pay the penalty yet again for each mail
> but it got their attention, and I haven't seen one of these
> for days.

I just like to discard virus emails that are mass mailers after logging them, rather than bouncing them... most likely the from is forged anyway.. Why add to the problem... Boy do I like mimedefang...

Just my 2 cents worth...

Jerry Vonau
On Sun, 2003-09-07 at 18:11, Jerry Vonau wrote:

> > But why do you think you need this at all
> > if you are behind a shorewall firewall?
>
> To keep infected machines from hammering my mail server
> with what has been logged as virus mail... I do that...
> I was getting 3-5 virus notifications a min..
> The mail was discarded, but why should it tie up my mail server?
> That is what I think he meant by "killing my network with blaster attacks."
>
> Jerry Vonau

Exactly as mentioned, the amount of attacks seems to be hurting my shorewall. What is happening I'm not sure exactly; it seems after a while that my internal network can no longer access the internet but the firewall can still access. So my issue is more that I'm tired of having to restart shorewall every 2 hours because it for some reason stops forwarding and nat'ing internal requests to the internet. Then again this might have nothing to do with the virus and might just be a shorewall bug. I'm not sure, but this has started since I upgraded to the latest shorewall.
On Sunday 07 September 2003 07:13 pm, Jerry Vonau wrote:

> > I had over 300 viruses a day either bounced to me or sent
> > directly from one particular IP in Albany on road runners
> > system.
>
> That one ip could have been blacklisted...

But that would have only solved 10% of the problem, as the vast majority were bounces from other people that the virus sent mail in my name to. I counted, and it was about 10 to 1 bounces vs direct mails.

-- 
John Andersen - NORCOM http://www.norcomsoftware.com/
On Sunday 07 September 2003 07:13 pm, Jerry Vonau wrote:

> I just like to discard virus emails that are mass mailers after logging
> them, rather than bouncing them... most likely the from is forged anyway..
> Why add to the problem...

I don't bounce them, I re-direct them to the people whose job it is to keep these clueless folks off the net - namely their provider.

-- 
John Andersen - NORCOM http://www.norcomsoftware.com/