[CentOS] iptables question
Bowie Bailey
Bowie_Bailey at BUC.com
Tue Oct 20 16:11:30 UTC 2009
Kai Schaetzl wrote:
> Bowie Bailey wrote on Mon, 19 Oct 2009 17:18:16 -0400:
>
>
>> The destination address is the private IP of the server. These
>> seem to be related to outgoing email connections based on the source
>> IPs
>>
>
> Is 195.140.240.6 the public IP of that machine? Why do you obfuscate a
> private IP number? Do you want to say that these are internal mail server
> connections? If not, the explanation about the IP numbers doesn't make
> sense to me.
>
No, 195.140... is the IP of the remote machine. I obfuscated the
private IP of the mail server (and MAC address) on general principles
since they are not relevant to the question.
What I am seeing is a remote server trying to make a connection from
port 25 to a high-numbered port on my mail server. Iptables rejects the
connection since it is not on an allowed port or part of an established
conversation. The question is: why are all of these remote servers
trying to make connections back to me on high-numbered ports? Should I
be allowing these connections somehow?
For clarity's sake, here are a few non-obfuscated examples:
Oct 20 11:42:27 bnofmail kernel: REJECT: IN=eth0 OUT=
MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=209.27.55.194
DST=172.16.17.169 LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=56970 DF
PROTO=TCP SPT=25 DPT=40312 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0
Oct 20 11:42:49 bnofmail kernel: REJECT: IN=eth0 OUT=
MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=203.17.219.68
DST=172.16.17.169 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=19851 DF
PROTO=TCP SPT=25 DPT=40289 WINDOW=64167 RES=0x00 ACK FIN URGP=0
Oct 20 11:43:01 bnofmail kernel: REJECT: IN=eth0 OUT=
MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=204.127.217.16
DST=172.16.17.169 LEN=72 TOS=0x00 PREC=0x20 TTL=50 ID=15125 DF PROTO=TCP
SPT=25 DPT=40346 WINDOW=64296 RES=0x00 ACK URGP=0
172.16.17.169 is the private IP of one of my mailservers. The other IPs
are remote servers not under my control. About 20% of them are servers
that have received outbound email from my server recently. I have no
idea where the others come from.
I have gotten over 83,000 of these connection attempts so far today from
267 unique IP addresses.
--
Bowie
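The segments in the log lines above carry ACK, FIN and PSH but never SYN. A TCP segment without SYN cannot open a connection, so these are not remote hosts "connecting back" to high ports; a remote MTA's port 25 sending ACK/FIN to one of the mail server's ephemeral ports is consistent with the tail end of an outbound SMTP session the local server itself started, arriving after the firewall's connection tracking no longer considers that session ESTABLISHED. The following parser and classifier is an added example by the editor, not code from the thread: it reads the iptables LOG format shown in the post (the three REJECT lines are the post's own, rejoined onto single lines), adds one constructed line with a bare SYN from the documentation address 198.51.100.7 for contrast, and labels each rejected segment by what its flags say about connection state.

```python
from collections import Counter

# Three REJECT lines from the post, rejoined onto single lines (the mail client
# had wrapped them), plus one constructed line (SRC 198.51.100.7, a documentation
# address) carrying a bare SYN so the classifier has a genuine new-connection
# attempt to contrast against.
SAMPLE_LOG = """\
Oct 20 11:42:27 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=209.27.55.194 DST=172.16.17.169 LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=56970 DF PROTO=TCP SPT=25 DPT=40312 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0
Oct 20 11:42:49 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=203.17.219.68 DST=172.16.17.169 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=19851 DF PROTO=TCP SPT=25 DPT=40289 WINDOW=64167 RES=0x00 ACK FIN URGP=0
Oct 20 11:43:01 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=204.127.217.16 DST=172.16.17.169 LEN=72 TOS=0x00 PREC=0x20 TTL=50 ID=15125 DF PROTO=TCP SPT=25 DPT=40346 WINDOW=64296 RES=0x00 ACK URGP=0
Oct 20 11:43:30 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=198.51.100.7 DST=172.16.17.169 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4242 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_iptables_line(line):
    """Split one syslog line written by the iptables LOG target into a dict.

    key=value tokens become entries (OUT= yields an empty string); bare tokens
    such as DF, SYN, ACK, FIN are collected into the 'flags' set; the log
    prefix (REJECT: here) and the syslog timestamp are kept for reporting.
    Returns None for lines that are not kernel log lines."""
    head, sep, rest = line.partition("kernel: ")
    if not sep:
        return None
    tokens = rest.split()
    rec = {
        "timestamp": " ".join(head.split()[:3]),
        "prefix": tokens[0].rstrip(":"),
        "flags": set(),
    }
    for tok in tokens[1:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        else:
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """Label a rejected TCP segment by what its flags imply about state."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        # Only a bare SYN can open a connection; this is a real inbound attempt.
        return "new-connection-attempt"
    if rec.get("SPT") == "25" and int(rec.get("DPT", "0")) >= 1024 and "ACK" in flags:
        # ACK/FIN from a remote MTA's port 25 to our ephemeral port: the tail of
        # an outbound SMTP session we initiated, seen after conntrack forgot it.
        return "late-segment-closed-smtp-session"
    if "ACK" in flags:
        return "stray-established-segment"
    return "other"


def summarize(log_text):
    """Count rejected segments by class and by unique source address."""
    records = [r for r in (parse_iptables_line(l) for l in log_text.splitlines()) if r]
    return {
        "total": len(records),
        "unique_sources": len({r["SRC"] for r in records}),
        "by_class": dict(Counter(classify(r) for r in records)),
    }


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        rec = parse_iptables_line(raw)
        print(rec["timestamp"], rec["SRC"], "->", rec["DPT"],
              sorted(rec["flags"] & {"SYN", "ACK", "FIN", "PSH", "RST"}), classify(rec))
    print(summarize(SAMPLE_LOG))
```

Run over a full day's `/var/log/messages` instead of `SAMPLE_LOG`, the summary separates genuine inbound attempts (bare SYN) from the SYN-less noise, which is the figure worth watching. Nothing needs to be opened for the latter class, since a segment without SYN could not complete a handshake even if accepted; if the log volume is the only problem, restricting the logging rule to `-p tcp --syn` packets keeps the rejections while logging only real connection attempts.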