August 26, 2010 at 4:31 pm #42607
We use a spam filtering service provider, so we only allow
their server IP:#.#.#.# to communicate with
our mail server 192.168.1.5 TCP:25
Where do I input their server IP?
I assume in a firewall rule, but at which level(s) prerouting, input, forward, output, postrouting?
And in the source IP field?
Should this rule work in chain:FORWARD? (#.#.#.# is spam prov IP)
ACCEPT tcp opt — in ETH02 out * #.#.#.# -> 192.168.1.5 tcp dpt:25
Prerouting rule? (first #.#.#.# is spam prov, second is static wan)
Startup/Cron>NAT and Virtual Servers>
iptables -t nat -I PREROUTING 1 -s #.#.#.# -d #.#.#.# -i ETH02 -j DNAT –to-destination 192.168.1.5August 26, 2010 at 7:15 pm #50998
In a bridge-mode between two nics, use your spam ip as src-ip, and your internal 192-ip as dst-ip, with TCP src-port 25
Mine is as follows to limit non port 80 traffic destined to a host for x speed, i.e, their download speed:
-A FORWARD -d x.x.x.x/32 -p tcp -m tcp ! –sport 80 -m dscp –dscp 0x00 -j MARK –set-mark 0xd
Make a class in the class manager, and in the classifier point the rule to the said class. Thus making any traffic coming from the spam ip using port 25
destined for your internal ip shaped to x speed.
or flip it to make your 192-ip as srcip, and the spam-ip as dstip, with dport of 25, making it so anything from your 192 to spam-ip sending on TCP port 25, shaped to said x speed.
Not sure in a non-bridged setup; I only have my box as bridged for inline/transparent shaping.August 26, 2010 at 7:32 pm #50999
It’s full router mode.
Is sounds like the Source IP field is the right one?
And using a QOS rule works, or does it not matter where the rule is?August 26, 2010 at 7:34 pm #51000
Must be in the QoS section on the left hand side to limit speed with said made class, otherwise put in FW section on the left hand side to accept, drop, reject the connection.
Since in routed-mode, You can try to use just the src and dst ips in the classifier, and leave out the in/out interfaces. (Not sure though?, play around with it)
Also make sure the class that is made for the speed, is assigned to the appropriate interface in the Class Interface Manager, otherwise is won’t shape at all. The download speed/class is what the LAN-side interface is, and the upload speed/class is the WAN/Internet-side interface
And always remember to apply/save changes.August 26, 2010 at 10:09 pm #51001
I have no interest in QOS for incoming mail so I have the rule(s) in firewall.
I have the rule in both input and forward (output is just set to allow all). But, I’m not sure which combination of parts(int, sourceIP, destIP, port) should be where? I understand the fundamentals but I’m still wrapping my head around what to put in which chain.
I have another question just trying to look up:
eth0 is connected to my cable modem, simple.
eth2 is connected to my dsl modem, no as simple because it also has another interface ppp0, which can be used in NAT, FW, etc.
I’m not sure where I have to include ppp0 in a rule or two, or a bond or bridge to ensure it works simply like eth0?
Thx!August 27, 2010 at 7:55 am #51002
You have NAT enabled on the WAN interface and you want to port forward the communication from the spam filtering server? You have to add a new entry in the Virtual Server. This automatically adds a new entry on PREROUTING chain. If you are not using NAT then you will have to add a firewall rule in the FORWARD chain.
For your other question you can use ppp0 as you would use ETH00 or any other interface.August 27, 2010 at 4:10 pm #51003
Thanks ppalias, I took it as the title says, “limit wan traffic from ip”, as in shaping traffic in qos.August 27, 2010 at 10:38 pm #51004
Thx guys, I responded last night but seems my lovely iphone ate it..
The mail filtering service works IP-IP only, so only they can hit our mail server as we’re in a busy area and were getting slammed.
While testing VS/FW rules, TCP25 was open for 2 mins and got 2 spams. I added SourceIP (not in VS so need FW rules) and it seems to work.
I’m still getting used to chains vs the typical single FW, so please enlighten me if there’s a more elegant solution:
In (def:Drop) ppp0 Source:IP, Dest:TCP25
Fwd (def:Drop) ppp0-eth01(LAN) Source:IP, Dest:TCP25
So, it seems:
– ppp0 is used instead of ETH01
– no rules are needed for ETH01(?)
– if I happened to switch ETH01 back to a cable modem, I would then switch the rule from ppp0 back to ETH01.August 28, 2010 at 9:34 pm #51005
You will have to enter the command manually as this type of rule cannot be added with ZS.
Go to System -> Setup -> Startup/Cron and select “Nat and Virtual Servers” from the drop down list.
/usr/local/sbin/iptables -t nat -I PREROUTING -i ppp0 -p tcp --dport 25 -s PUBLIC_IP -j MASQUERADE --to-destination 192.168.1.5September 13, 2010 at 5:03 pm #51006
I’ve been reading up, trying to get a little familiar with IPTables.
Thank you for your rule ppalias, I haven’t switched to it yet, I have a few questions:
1) What I had seems to be working,
Virtual Server: ppp0, ANY, TCP, 25,443, 192.168.1.5:25,443
FORWARD: ACCEPT tcp opt — in ppp0 out ETH01 #.their.IP.# -> 192.168.1.5 tcp dpt:25
do you see any problems or advantages to switching to the rule you mention?
2) These rules seem to work for SMTP and http, but not SIP(UDP5000-5084) and RTP(UDP:10000-20000), any ideas? Something similar to your PREROUTING rule?
3) If I enable the NAT and Virtual Servers script, it works in conjunction with, and doesn’t disable the Virtual Servers page, correct?
4) In your rule, did you mean to use DNAT versus MASQUERADE?
5) Is /usr/local/sbin/ required before iptables?September 24, 2010 at 11:16 am #51007
1) It is working for every IP address coming from ppp0. With the command I gave you, only the IP address of your ISP is allowed. I also think that I gave you the wrong command, it should be DNAT instead of MASQUERADE.
/usr/local/sbin/iptables -t nat -I PREROUTING -i ppp0 -p tcp --dport 25 -s PUBLIC_IP -j DNAT --to-destination 192.168.1.5
2) Have you switched the protocol to UDP to classify these rules? Can you show us the rules?
5) No, I just add it in my scripts to be sure.October 1, 2010 at 5:26 am #51008
I can’t get that rule to work, but it works to have a port forwarding rule which directs the wan port to the lan IP, and then a forward rule to allow only the traffic from the source IP we want.
But this method does not seem to work for to open 5000-5082udp for SIP and 10000-20000udp for RTP for the pbx (minus the source IP needs to be open to all).
Another method I want to try is 1:1 NAT. I have two WAN connections one with 5 static IPs and one with 1 static IPs. I’m just not sure of all the in’s and out’s with having the two connections working at the same time.October 1, 2010 at 1:59 pm #51009
You must be logged in to reply to this topic.