We seem to have a misconfiguration for blocking Chinese IPs.
General blocking of Chinese IPs seems to work (we no longer get connection attempts from China in our PPTP VPN log), but we're still seeing intrusion attempts from IPs on our China blacklist on our NATted mail server.
From what I can read in other posts NAT is applied before the firewall rules, but wouldn't a rule that blocks all China source addresses still work after NAT? Or does the SRC address change at that point?
Here are our rules:
Code:
0 chain=input action=drop src-address-list=China log=yes log-prefix=""
1 chain=input action=drop src-address-list=America log=no log-prefix=""
2 chain=forward action=drop src-address=10.0.0.0/24 dst-address=10.0.255.0/24 log=no log-prefix=""
3 chain=forward action=drop src-address=10.0.255.0/24 dst-address=10.0.0.0/24 log=no log-prefix=""
4 chain=input action=accept protocol=tcp src-address=10.0.0.0/24 log=no log-prefix=""
5 chain=input action=accept protocol=gre log=no log-prefix=""
6 chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
7 chain=input action=reject reject-with=tcp-reset protocol=tcp log=no log-prefix=""
Code:
0 chain=srcnat action=masquerade out-interface=ether5 log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=10.0.0.239 to-ports=20 protocol=tcp in-interface=ether5 dst-port=20 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=10.0.0.239 to-ports=21 protocol=tcp in-interface=ether5 dst-port=21 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=10.0.0.104 to-ports=25 protocol=tcp in-interface=ether5 dst-port=25 log=no log-prefix=""
Code:
chain=forward action=drop src-address-list=China log=yes log-prefix=""
My idea being that the chain is no longer input but forward after the NAT rules are applied. Is this correct?
Kind Regards
Europower Generators
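The question above turns on packet flow order: on RouterOS, as on netfilter, dst-nat runs in prerouting before the routing decision, and the routing decision is what picks the filter chain. A packet whose destination was rewritten to a LAN host is routed through the router, so it traverses the forward chain, never input; the source address is left untouched by dst-nat. The following Python model is an added illustration, not code from the post or from MikroTik. It walks the post's own dstnat and filter rules in order for two constructed packets and reports which chain they hit and the verdict; the address-list contents and the router's own IPs are constructed placeholders (documentation ranges), not real geo-IP data.

```python
import ipaddress

# Constructed sample address lists standing in for the router's "China" and
# "America" lists (documentation ranges, NOT real geo-IP data).
ADDRESS_LISTS = {
    "China":   [ipaddress.ip_network("203.0.113.0/24")],
    "America": [ipaddress.ip_network("198.51.100.0/24")],
}

# Assumed router addresses (not given in the post): WAN side and LAN side.
ROUTER_ADDRESSES = {ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("10.0.0.1")}

# dstnat rules from the post: inbound WAN tcp/20, 21, 25 are rewritten to LAN hosts.
DSTNAT_RULES = [
    {"proto": "tcp", "dst_port": 20, "to": "10.0.0.239"},
    {"proto": "tcp", "dst_port": 21, "to": "10.0.0.239"},
    {"proto": "tcp", "dst_port": 25, "to": "10.0.0.104"},
]

# Filter rules from the post, in the order the router evaluates them.
FILTER_RULES_ORIGINAL = [
    {"chain": "input",   "action": "drop",   "src_list": "China"},
    {"chain": "input",   "action": "drop",   "src_list": "America"},
    {"chain": "forward", "action": "drop",   "src": "10.0.0.0/24", "dst": "10.0.255.0/24"},
    {"chain": "forward", "action": "drop",   "src": "10.0.255.0/24", "dst": "10.0.0.0/24"},
    {"chain": "input",   "action": "accept", "proto": "tcp", "src": "10.0.0.0/24"},
    {"chain": "input",   "action": "accept", "proto": "gre"},
    {"chain": "input",   "action": "accept", "proto": "tcp", "dst_port": 1723},
    {"chain": "input",   "action": "reject", "proto": "tcp"},
]

# The same rules plus the forward-chain drop proposed in the post.
FILTER_RULES_WITH_FORWARD_DROP = FILTER_RULES_ORIGINAL + [
    {"chain": "forward", "action": "drop", "src_list": "China"},
]


def in_list(ip, name):
    return any(ip in net for net in ADDRESS_LISTS[name])


def apply_dstnat(pkt):
    """dstnat runs in prerouting, before the routing decision. Only dst is rewritten."""
    pkt = dict(pkt)
    for rule in DSTNAT_RULES:
        if (pkt["in_iface"] == "ether5" and pkt["proto"] == rule["proto"]
                and pkt["dst_port"] == rule["dst_port"]):
            pkt["dst"] = ipaddress.ip_address(rule["to"])
            break
    return pkt


def routing_decision(pkt):
    """Traffic addressed to the router itself goes to input; everything else is forwarded."""
    return "input" if pkt["dst"] in ROUTER_ADDRESSES else "forward"


def rule_matches(rule, pkt):
    if "src_list" in rule and not in_list(pkt["src"], rule["src_list"]):
        return False
    if "src" in rule and pkt["src"] not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and pkt["dst"] not in ipaddress.ip_network(rule["dst"]):
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dst_port" in rule and pkt.get("dst_port") != rule["dst_port"]:
        return False
    return True


def run_chain(chain, pkt, rules):
    """First matching rule in the chain wins; no match means accept (RouterOS default)."""
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return rule["action"]
    return "accept"


def process(pkt, rules):
    """Return (chain, verdict) for a packet arriving on the WAN interface."""
    nat = apply_dstnat(pkt)
    chain = routing_decision(nat)
    return chain, run_chain(chain, nat, rules)


def make_packet(src, dst, proto, dst_port=None):
    return {"in_iface": "ether5", "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dst_port": dst_port}


# Constructed packets from a listed source: one to the PPTP service on the router,
# one to the published SMTP port that dstnat hands to the mail server.
PPTP_FROM_LISTED_SRC = make_packet("203.0.113.7", "192.0.2.1", "tcp", 1723)
SMTP_FROM_LISTED_SRC = make_packet("203.0.113.7", "192.0.2.1", "tcp", 25)

if __name__ == "__main__":
    print("PPTP, original rules:", process(PPTP_FROM_LISTED_SRC, FILTER_RULES_ORIGINAL))
    print("SMTP, original rules:", process(SMTP_FROM_LISTED_SRC, FILTER_RULES_ORIGINAL))
    print("SMTP, with forward drop:", process(SMTP_FROM_LISTED_SRC, FILTER_RULES_WITH_FORWARD_DROP))
```

Running it shows the PPTP packet landing in input and being dropped by rule 0, while the SMTP packet, after dst-nat to 10.0.0.104, lands in forward where the original rule set has nothing matching the source list and so accepts it; only the added forward rule drops it. A quick check on a live router is to watch the rule counters (or the log=yes entries) on a forward-chain drop rule after adding it.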