NAT SMTP to second public IP

Hi

I tried to find an answer to my question and read many threads, but found nothing.
I have one WAN port on my router and my internet provider forwards 24 public IPs to it… I use one as the main public IP for my internet connection; the others are for servers. The problem is that I am often blacklisted. I think I have spammers on my network. The simple script I use to auto-detect and block spammers stopped working after I got more public IPs and had to use NAT to set one of them as the MAIN ADDRESS.

After I set this:
/ip firewall/nat
chain=srcnat action=src-nat to-addresses=185.188.239.206 out-interface=ether1 log=no log-prefix=""

this script does not work; it always adds only my IP 185.188.239.206 to the spammer list:
/ip firewall/filter
1 ;;; Detect and add-list SMTP virus or spammers
chain=forward action=add-src-to-address-list connection-limit=30,32 protocol=tcp
address-list=spammer address-list-timeout=1d dst-port=25 limit=30/1m,5:packet log=no
log-prefix=""

2 ;;; BLOCK SPAMMERS OR INFECTED USERS
chain=forward action=drop protocol=tcp src-address-list=spammer dst-port=25 log=no
log-prefix=""


My question is: is it possible to mark all connections on port 25 and send them out via another public IP I have? This way my MAIN IP ADDRESS will stay clear of spammers and will not be blacklisted. Or is there any other simple method for blocking spammers?



THX
B.R.

PS: at first I couldn't send this post, because: Your IP 185.188.239.206 has been blocked because it is blacklisted. For details please see http://www.spamhaus.org/query/bl?ip=185.188.239.206.

Does no one have a working solution?

So you use public IPs for servers?
Is the issue caused by users of the servers, or by people behind your router using the single IP for your home or own use?

As for the servers, are they:
a. protected by an encrypted login (HTTPS, FTPS etc.), a plain-text login, or no login?
b. limited by a source address or source address list on the corresponding dst-NAT rule?

I'm a little ISP… I have 500 clients… All my clients use one public IP…

How do you distribute internet from a single public IP to 500 folks?

500 VLANs or 500 PPPoE client connections?

VLANs and more IP ranges…

If the spammers only spam using SMTP-family ports, then you can

add action=src-nat chain=srcnat dst-port=25,587,SMTPfamilyports out-interface=WAN protocol=tcp to-addresses=NOT_THE_MAIN_IP

but if they use “zombies” on unknown ports, then there is no way to catch that traffic.

Why don't you spread traffic over different IPs, grouping users like this:

/ip firewall address-list
add address=172.31.0.0/28 list=CLIENTS_GROUP_A
add address=172.31.0.16/28 list=CLIENTS_GROUP_B
/ip firewall nat
add action=src-nat chain=srcnat src-address-list=CLIENTS_GROUP_A out-interface=WAN to-addresses=PUBLIC_IP_A
add action=src-nat chain=srcnat src-address-list=CLIENTS_GROUP_B out-interface=WAN to-addresses=PUBLIC_IP_B

as you can keep the groups separated and easily track which group spams, since that particular IP will be the one blocked.

It would be better to NAT port 25,445,465,587 traffic for all users to another private IP.

Could be. It’s your decision. And block SMTP on the main address in both directions to prevent occasional “leaking”.
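Putting the pieces of this thread together (the SMTP-only src-nat rule, the per-group NAT idea, detection by connection count, and blocking SMTP on the main address), here is an added RouterOS configuration example; it is not code from anyone in the thread. It assumes ether1 as the WAN interface and 185.188.239.206 as the main address (both from the original post); 203.0.113.10 for the spare public address and 172.31.0.0/24 for the client VLAN ranges are placeholders.

```routeros
# Added example, not from the thread. Placeholders: 203.0.113.10 (spare public
# address used only for mail), 172.31.0.0/24 (client VLAN ranges).
/ip firewall address-list
add address=172.31.0.0/24 list=CLIENTS comment="placeholder: client VLAN ranges"

# 1. Detection and blocking in the forward chain. The forward chain is
#    evaluated before srcnat rewrites the source address, so the rule records
#    the client's private address; connection-limit=30,32 counts concurrent
#    connections per /32 source.
/ip firewall filter
add chain=forward protocol=tcp dst-port=25,465,587 src-address-list=CLIENTS \
    connection-limit=30,32 action=add-src-to-address-list \
    address-list=spammer address-list-timeout=1d \
    comment="Detect: more than 30 concurrent SMTP connections from one client"
add chain=forward protocol=tcp dst-port=25,465,587 src-address-list=spammer \
    action=drop comment="Block listed clients from SMTP for 1 day"
# Inbound direction: the main address is not a mail server, so refuse SMTP
# to it on the WAN side.
add chain=input in-interface=ether1 protocol=tcp dst-port=25 \
    dst-address=185.188.239.206 action=drop \
    comment="No inbound SMTP on the main address"

# 2. NAT: SMTP-family ports leave through the spare address. NAT rules are
#    matched top to bottom and the first match wins, so this rule must stay
#    above the general src-nat rule or SMTP still leaks out via the main IP.
/ip firewall nat
add chain=srcnat protocol=tcp dst-port=25,465,587 out-interface=ether1 \
    src-address-list=CLIENTS action=src-nat to-addresses=203.0.113.10 \
    comment="Client SMTP uses the spare public IP (placeholder address)"
add chain=srcnat out-interface=ether1 src-address-list=CLIENTS \
    action=src-nat to-addresses=185.188.239.206 \
    comment="Everything else uses the main public IP"
```

If the spare address does get listed, only mail from the CLIENTS group is affected and the spammer address list shows which private address caused it.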