Hi, I have port 25 open as a NAT rule to allow traffic to our email server.
There have been a number of spam servers trying to log in and send spam through this server,
so what I want to do is create a few rules where I can block certain IP addresses from being able to send through port 25 to the email server.
So I need to allow all the normal email traffic to our email server through port 25, but want to block out certain addresses.
I have looked this up and created input rules to drop traffic from a certain IP address, but it appears that the NAT forwarding comes first and I can still see the login attempts getting to the mail server.
Any way to block this?
What about only accepting certain IPs on port 25 and dropping the rest?
Not really possible, as I would need to know all the IP addresses that send us email.
If you forward a port from the router to the server, you need to do your blocking in the forward chain, not in input.
First of all you need to distinguish which are the good and which are the bad senders. What idea do you have?
If you believe the list of bad addresses is finite, then you can easily drop all traffic from them with one rule in the forward chain. But I am sure there will be new and more new abusive IP addresses. So you need some automatic way to quickly extend the list. By traffic amount or pps, maybe. Hard to say. You should know it already.
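One way to put the forward-chain blocking and the automatic list extension together, as an added example that is not from any poster in this thread. It assumes RouterOS firewall syntax (the thread never names the router); the mail server address 192.168.10.25, the blocklist name and the sample bad senders are constructed values, and the connection-limit threshold is an illustrative choice.

```routeros
# Added example; assumes RouterOS firewall syntax.
# Constructed values: 192.168.10.25 is the dst-nat'ed mail server,
# 203.0.113.5 and 198.51.100.0/24 stand in for known-abusive senders.

# Static list of known bad senders; add to it as new ones show up
/ip firewall address-list
add list=smtp-blocklist address=203.0.113.5 comment="constructed: abusive relay"
add list=smtp-blocklist address=198.51.100.0/24 comment="constructed: abusive range"

/ip firewall filter
# 1. Automatic extension: a source whose concurrent new SMTP connections
#    exceed 20 is listed for one day. add-src-to-address-list does not
#    terminate rule processing, so the same packet continues to rule 2
#    and is dropped right away.
add chain=forward action=add-src-to-address-list address-list=smtp-blocklist \
    address-list-timeout=1d protocol=tcp dst-address=192.168.10.25 dst-port=25 \
    connection-state=new connection-limit=20,32 \
    comment="auto-list SMTP sources bursting connections"

# 2. Drop listed senders here, in forward (not input): after dst-nat the
#    packet is addressed to the mail server, so the input chain never sees it.
add chain=forward action=drop protocol=tcp dst-address=192.168.10.25 dst-port=25 \
    src-address-list=smtp-blocklist log=yes log-prefix="smtp-block" \
    comment="drop listed SMTP senders"

# Everything else to port 25 falls through to the existing forward rules,
# so unknown but legitimate senders are still accepted.
```

Both filter rules must sit above any general accept rule in the forward chain, and the log prefix lets you review in /log what the automatic rule is adding so the threshold can be tuned before it catches a real MTA.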
Yes, I agree with him: what you need is some automatic way, but first you need to know the pattern.