limit WAN traffic from IP?

This topic contains 11 replies, has 0 voices, and was last updated by  lip 8 years, 4 months ago.

#42607

    lip
    Member

    We use a spam filtering service provider, so we only allow
    their server IP:#.#.#.# to communicate with
    our mail server 192.168.1.5 TCP:25
    Where do I input their server IP?
    I assume in a firewall rule, but at which level(s) prerouting, input, forward, output, postrouting?
    And in the source IP field?

Should this rule work in chain:FORWARD? (#.#.#.# is spam prov IP)
ACCEPT tcp opt -- in ETH02 out * #.#.#.# -> 192.168.1.5 tcp dpt:25

Prerouting rule? (first #.#.#.# is spam prov, second is static wan)
Startup/Cron > NAT and Virtual Servers >
iptables -t nat -I PREROUTING 1 -s #.#.#.# -d #.#.#.# -i ETH02 -j DNAT --to-destination 192.168.1.5

    #50998

    AtroposX
    Member

    In a bridge-mode between two nics, use your spam ip as src-ip, and your internal 192-ip as dst-ip, with TCP src-port 25

    Mine is as follows to limit non port 80 traffic destined to a host for x speed, i.e, their download speed:

-A FORWARD -d x.x.x.x/32 -p tcp -m tcp ! --sport 80 -m dscp --dscp 0x00 -j MARK --set-mark 0xd

    Make a class in the class manager, and in the classifier point the rule to the said class. Thus making any traffic coming from the spam ip using port 25
    destined for your internal ip shaped to x speed.

    or flip it to make your 192-ip as srcip, and the spam-ip as dstip, with dport of 25, making it so anything from your 192 to spam-ip sending on TCP port 25, shaped to said x speed.

    Not sure in a non-bridged setup; I only have my box as bridged for inline/transparent shaping.

    #50999

    lip
    Member

    It’s full router mode.

It sounds like the Source IP field is the right one?
    And using a QOS rule works, or does it not matter where the rule is?

    #51000

    AtroposX
    Member

    Must be in the QoS section on the left hand side to limit speed with said made class, otherwise put in FW section on the left hand side to accept, drop, reject the connection.

Since you are in routed mode, you can try to use just the src and dst IPs in the classifier, and leave out the in/out interfaces. (Not sure though, play around with it.)

Also make sure the class that is made for the speed is assigned to the appropriate interface in the Class Interface Manager, otherwise it won’t shape at all. The download speed/class is what the LAN-side interface is, and the upload speed/class is the WAN/Internet-side interface.

    And always remember to apply/save changes.

    #51001

    lip
    Member

    I have no interest in QOS for incoming mail so I have the rule(s) in firewall.
I have the rule in both input and forward (output is just set to allow all). But I’m not sure which combination of parts (int, sourceIP, destIP, port) should be where? I understand the fundamentals but I’m still wrapping my head around what to put in which chain.

    I have another question just trying to look up:
    eth0 is connected to my cable modem, simple.
eth2 is connected to my dsl modem, not as simple because it also has another interface ppp0, which can be used in NAT, FW, etc.
    I’m not sure where I have to include ppp0 in a rule or two, or a bond or bridge to ensure it works simply like eth0?

    Thx!

    #51002

    ppalias
    Member

    You have NAT enabled on the WAN interface and you want to port forward the communication from the spam filtering server? You have to add a new entry in the Virtual Server. This automatically adds a new entry on PREROUTING chain. If you are not using NAT then you will have to add a firewall rule in the FORWARD chain.

    For your other question you can use ppp0 as you would use ETH00 or any other interface.

    #51003

    AtroposX
    Member

    Thanks ppalias, I took it as the title says, “limit wan traffic from ip”, as in shaping traffic in qos.

    #51004

    lip
    Member

    Thx guys, I responded last night but seems my lovely iphone ate it..

    The mail filtering service works IP-IP only, so only they can hit our mail server as we’re in a busy area and were getting slammed.

    While testing VS/FW rules, TCP25 was open for 2 mins and got 2 spams. I added SourceIP (not in VS so need FW rules) and it seems to work.

    I’m still getting used to chains vs the typical single FW, so please enlighten me if there’s a more elegant solution:

    In (def:Drop) ppp0 Source:IP, Dest:TCP25
    Fwd (def:Drop) ppp0-eth01(LAN) Source:IP, Dest:TCP25
    Out (def:Allow)

    So, it seems:
    – ppp0 is used instead of ETH01
    – no rules are needed for ETH01(?)
    – if I happened to switch ETH01 back to a cable modem, I would then switch the rule from ppp0 back to ETH01.

    #51005

    ppalias
    Member

    You will have to enter the command manually as this type of rule cannot be added with ZS.
    Go to System -> Setup -> Startup/Cron and select “Nat and Virtual Servers” from the drop down list.

/usr/local/sbin/iptables -t nat -I PREROUTING -i ppp0 -p tcp --dport 25 -s PUBLIC_IP -j MASQUERADE --to-destination 192.168.1.5

#51006

    lip
    Member

    I’ve been reading up, trying to get a little familiar with IPTables.
    Thank you for your rule ppalias, I haven’t switched to it yet, I have a few questions:
    1) What I had seems to be working,
    Virtual Server: ppp0, ANY, TCP, 25,443, 192.168.1.5:25,443
FORWARD: ACCEPT tcp opt -- in ppp0 out ETH01 #.their.IP.# -> 192.168.1.5 tcp dpt:25
    do you see any problems or advantages to switching to the rule you mention?
    2) These rules seem to work for SMTP and http, but not SIP(UDP5000-5084) and RTP(UDP:10000-20000), any ideas? Something similar to your PREROUTING rule?
    3) If I enable the NAT and Virtual Servers script, it works in conjunction with, and doesn’t disable the Virtual Servers page, correct?
    4) In your rule, did you mean to use DNAT versus MASQUERADE?
    5) Is /usr/local/sbin/ required before iptables?

    #51007

    ppalias
    Member

    1) It is working for every IP address coming from ppp0. With the command I gave you, only the IP address of your ISP is allowed. I also think that I gave you the wrong command, it should be DNAT instead of MASQUERADE.

    /usr/local/sbin/iptables -t nat -I PREROUTING -i ppp0 -p tcp --dport 25 -s PUBLIC_IP -j DNAT --to-destination 192.168.1.5

    2) Have you switched the protocol to UDP to classify these rules? Can you show us the rules?
    3) Yes
    4) Yes
    5) No, I just add it in my scripts to be sure.

    #51008

    lip
    Member

    I can’t get that rule to work, but it works to have a port forwarding rule which directs the wan port to the lan IP, and then a forward rule to allow only the traffic from the source IP we want.

But this method does not seem to work to open 5000-5082udp for SIP and 10000-20000udp for RTP for the pbx (minus the source IP needs to be open to all).

Another method I want to try is 1:1 NAT. I have two WAN connections, one with 5 static IPs and one with 1 static IP. I’m just not sure of all the ins and outs with having the two connections working at the same time.
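The combination ppalias recommends and lip ends up with (a PREROUTING DNAT for TCP 25 restricted to the provider's address, plus a FORWARD rule that allows only that source through to the mail server), written out as an added example; this is not code from the thread or from Zeroshell, and the UDP SIP/RTP rules go beyond what the thread confirms. The provider address 203.0.113.10, the PBX address 192.168.1.6 and the interface names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zeroshell. It prints the
# iptables commands that pin inbound SMTP to the filtering provider's address
# (ppalias's PREROUTING DNAT plus lip's FORWARD rule) and, going beyond what
# the thread confirms, forwards the SIP/RTP UDP ranges to a PBX.
# Run as root with APPLY=1 to load the rules; otherwise they are only printed.
WAN_IF="${WAN_IF:-ppp0}"                # PPPoE interface on the DSL link
LAN_IF="${LAN_IF:-ETH01}"               # LAN-side interface
FILTER_IP="${FILTER_IP:-203.0.113.10}"  # provider's address: placeholder
MAIL_SRV="${MAIL_SRV:-192.168.1.5}"     # mail server named in the thread
PBX="${PBX:-192.168.1.6}"               # PBX address: assumed
IPT="${IPT:-/usr/local/sbin/iptables}"

# SMTP: the -s match on the DNAT rule means other hosts are never translated,
# and the FORWARD rule is still needed because a DNATed packet is routed and
# filtered like any other forwarded packet (FORWARD policy assumed DROP).
smtp_rules() {
    echo "$IPT -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -t nat -I PREROUTING -i $WAN_IF -p tcp --dport 25 -s $FILTER_IP -j DNAT --to-destination $MAIL_SRV"
    echo "$IPT -I FORWARD -i $WAN_IF -o $LAN_IF -p tcp --dport 25 -s $FILTER_IP -d $MAIL_SRV -m conntrack --ctstate NEW -j ACCEPT"
}

# SIP signalling and RTP media stay open to any source but are UDP, so a TCP
# virtual-server entry never matches them; ranges use iptables' low:high form.
udp_rules() {
    for range in 5000:5082 10000:20000; do
        echo "$IPT -t nat -I PREROUTING -i $WAN_IF -p udp --dport $range -j DNAT --to-destination $PBX"
        echo "$IPT -I FORWARD -i $WAN_IF -o $LAN_IF -p udp --dport $range -d $PBX -j ACCEPT"
    done
}

# Number of SMTP rules that restrict by the provider's address. The failure
# mode lip hit while testing (port 25 reachable from anyone) would show as 0.
pinned_rule_count() {
    smtp_rules | grep -c -- "-s $FILTER_IP "
}

all_rules() { smtp_rules; udp_rules; }

if [ "${APPLY:-0}" = "1" ]; then
    all_rules | sh -e
else
    all_rules
fi
```

Without APPLY=1 the script only prints the rule set, so it can be pasted into the Startup/Cron "NAT and Virtual Servers" slot after review.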

    #51009

    ppalias
    Member