Kai Schaetzl wrote:
Bowie Bailey wrote on Mon, 19 Oct 2009 17:18:16 -0400:
The destination address is the private IP of the server. These seem to be related to outgoing email connections based on the source IPs.
Is 195.140.240.6 the public IP of that machine? Why do you obfuscate a private IP number? Do you want to say that these are internal mail server connections? If not, the explanation about the IP numbers doesn't make sense to me.
No, 195.140... is the IP of the remote machine. I obfuscated the private IP of the mail server (and MAC address) on general principles since they are not relevant to the question.
What I am seeing is a remote server trying to make a connection from port 25 to a high-numbered port on my mail server. Iptables rejects the connection since it is not on an allowed port or part of an established conversation. The question is: why are all of these remote servers trying to make connections back to me on high-numbered ports? Should I be allowing these connections somehow?
For clarity's sake, here are a few non-obfuscated examples:
Oct 20 11:42:27 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=209.27.55.194 DST=172.16.17.169 LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=56970 DF PROTO=TCP SPT=25 DPT=40312 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0
Oct 20 11:42:49 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=203.17.219.68 DST=172.16.17.169 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=19851 DF PROTO=TCP SPT=25 DPT=40289 WINDOW=64167 RES=0x00 ACK FIN URGP=0
Oct 20 11:43:01 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=204.127.217.16 DST=172.16.17.169 LEN=72 TOS=0x00 PREC=0x20 TTL=50 ID=15125 DF PROTO=TCP SPT=25 DPT=40346 WINDOW=64296 RES=0x00 ACK URGP=0
172.16.17.169 is the private IP of one of my mail servers. The other IPs are remote servers not under my control. About 20% of them are servers that have received outbound email from my server recently. I have no idea where the others come from.
I have gotten over 83,000 of these connection attempts so far today from 267 unique IP addresses.
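As an added example (not part of the thread), a small parser that reads netfilter REJECT lines like the three posted above and sorts each by its TCP flags: only a packet carrying SYN without ACK can open a new connection, so ACK/FIN packets from port 25 to a high port are the tail of an SMTP session the firewall is no longer tracking (or stray packets), not fresh connection attempts. The sample input is the posted lines, embedded here as constructed data so the script runs offline.

```python
from collections import Counter

# Constructed sample: the three REJECT lines from the post, one per line.
SAMPLE_LOG = """\
Oct 20 11:42:27 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=209.27.55.194 DST=172.16.17.169 LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=56970 DF PROTO=TCP SPT=25 DPT=40312 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0
Oct 20 11:42:49 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=203.17.219.68 DST=172.16.17.169 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=19851 DF PROTO=TCP SPT=25 DPT=40289 WINDOW=64167 RES=0x00 ACK FIN URGP=0
Oct 20 11:43:01 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=204.127.217.16 DST=172.16.17.169 LEN=72 TOS=0x00 PREC=0x20 TTL=50 ID=15125 DF PROTO=TCP SPT=25 DPT=40346 WINDOW=64296 RES=0x00 ACK URGP=0
"""

# Bare tokens in a netfilter log line that denote TCP flags (DF is an IP flag, not TCP).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_netfilter_line(line):
    """Turn one kernel netfilter log line into a dict of KEY=VALUE fields plus a flag set."""
    pkt = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            pkt[key] = value          # "OUT=" yields an empty string, which is correct
        elif tok in TCP_FLAGS:
            pkt["flags"].add(tok)
    return pkt

def classify(pkt):
    """Label a rejected packet by what its TCP flags say about connection state."""
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    flags = pkt["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"       # the only way to open a TCP session
    if "SYN" in flags:
        return "syn-ack-reply"                # second step of a handshake we started
    if "RST" in flags:
        return "reset-of-untracked-session"
    return "tail-of-untracked-session"        # ACK, ACK FIN, ACK PSH FIN: teardown traffic

def summarize(log_text):
    """Count classifications and distinct source IPs over a block of REJECT lines."""
    kinds, sources = Counter(), set()
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue                          # skip lines that are not netfilter records
        pkt = parse_netfilter_line(line)
        kinds[classify(pkt)] += 1
        sources.add(pkt["SRC"])
    return kinds, sources

if __name__ == "__main__":
    kinds, sources = summarize(SAMPLE_LOG)
    print(dict(kinds), "from", len(sources), "source IPs")
```

Run against a full day's log, a result dominated by "tail-of-untracked-session" with SPT=25 points at closed outbound SMTP sessions rather than inbound scanning, which would show up as "new-connection-attempt".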