[CentOS] iptables question

Tue Oct 20 16:11:30 UTC 2009
Bowie Bailey <Bowie_Bailey at BUC.com>

Kai Schaetzl wrote:
> Bowie Bailey wrote on Mon, 19 Oct 2009 17:18:16 -0400:
>
>> The destination address is the private IP of the server.  These
>> seem to be related to outgoing email connections based on the source
>> IPs
>
> Is 195.140.240.6 the public IP of that machine? Why do you obfuscate a
> private IP number? Do you want to say that these are internal mail server
> connections? If not, the explanation about the IP numbers doesn't make
> sense to me.

No, 195.140... is the IP of the remote machine.  I obfuscated the
private IP of the mail server (and MAC address) on general principles
since they are not relevant to the question.

What I am seeing is a remote server trying to make a connection from
port 25 to a high-numbered port on my mail server.  Iptables rejects the
connection since it is not on an allowed port or part of an established
conversation.  The question is:  why are all of these remote servers
trying to make connections back to me on high-numbered ports?  Should I
be allowing these connections somehow?

For clarity's sake, here are a few non-obfuscated examples:

Oct 20 11:42:27 bnofmail kernel: REJECT: IN=eth0 OUT=
MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=209.27.55.194
DST=172.16.17.169 LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=56970 DF
PROTO=TCP SPT=25 DPT=40312 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0
Oct 20 11:42:49 bnofmail kernel: REJECT: IN=eth0 OUT=
MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=203.17.219.68
DST=172.16.17.169 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=19851 DF
PROTO=TCP SPT=25 DPT=40289 WINDOW=64167 RES=0x00 ACK FIN URGP=0
Oct 20 11:43:01 bnofmail kernel: REJECT: IN=eth0 OUT=
MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=204.127.217.16
DST=172.16.17.169 LEN=72 TOS=0x00 PREC=0x20 TTL=50 ID=15125 DF PROTO=TCP
SPT=25 DPT=40346 WINDOW=64296 RES=0x00 ACK URGP=0

172.16.17.169 is the private IP of one of my mailservers.  The other IPs
are remote servers not under my control.  About 20% of them are servers
that have received outbound email from my server recently.  I have no
idea where the others come from.

I have gotten over 83,000 of these connection attempts so far today from
267 unique IP addresses.

-- 
Bowie
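Added here as a worked example, not part of the post above: a small Python triage script that parses iptables LOG records in the format shown in the message and labels each rejected TCP segment by the part of a connection it belongs to, using the TCP flags, source port and destination port. The sample log is constructed from two of the records above (rejoined onto single lines) plus one made-up inbound SYN for contrast; the class names and the heuristic in classify() are my own, and the parser assumes the standard LOG layout where the first "IN=" token begins the fields.

```python
from collections import Counter

# Constructed sample: the first two records are from the post (each
# rejoined onto one line); the third is a made-up inbound SYN to port 25
# so the classifier has a contrasting case.
SAMPLE_LOG = """\
Oct 20 11:42:27 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=209.27.55.194 DST=172.16.17.169 LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=56970 DF PROTO=TCP SPT=25 DPT=40312 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0
Oct 20 11:42:49 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=203.17.219.68 DST=172.16.17.169 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=19851 DF PROTO=TCP SPT=25 DPT=40289 WINDOW=64167 RES=0x00 ACK FIN URGP=0
Oct 20 11:43:30 bnofmail kernel: REJECT: IN=eth0 OUT= MAC=00:50:8d:59:60:2e:00:90:27:c2:79:77:08:00 SRC=198.51.100.7 DST=172.16.17.169 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Parse one iptables LOG record into a dict of KEY=VALUE fields
    plus a 'FLAGS' set of the bare TCP flag tokens (ACK, FIN, ...)."""
    start = line.find("IN=")  # assumption: first IN= opens the field list
    if start < 0:
        return None  # not an iptables LOG record
    rec, flags = {}, set()
    for tok in line[start:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    rec["FLAGS"] = flags
    return rec

def classify(rec):
    """Label a rejected TCP segment by which part of a connection it is."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt, flags = int(rec["SPT"]), int(rec["DPT"]), rec["FLAGS"]
    if "SYN" in flags:
        return "handshake-reply" if "ACK" in flags else "new-inbound"
    # No SYN, so the segment belongs to a session that already existed.
    # Service port -> unprivileged port carrying FIN or RST is consistent
    # with the tail of a session this host opened, arriving after the
    # connection-tracking entry for it was already gone.
    if spt == 25 and dpt >= 1024 and flags & {"FIN", "RST"}:
        return "late-smtp-teardown"
    return "stray-established"

def summarize(log_text):
    """Count rejected records by class and by source address."""
    by_class, by_src = Counter(), Counter()
    for rec in filter(None, map(parse_log_line, log_text.splitlines())):
        by_class[classify(rec)] += 1
        by_src[rec["SRC"]] += 1
    return by_class, by_src
```

Running summarize() over a day's REJECT lines shows at a glance how much of the noise is late teardown traffic versus genuine inbound connection attempts, which is the distinction the question turns on.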