100K entries in iptables
Bob - BLU
blu at scrunch.net
Wed Sep 13 13:06:59 EDT 2006
As I look through the maillog file on my inbound SMTP server, I get irritated by all of the 'Relaying denied' entries. These look like external systems trying to relay through my server and being denied.
I think perhaps I can stop these systems (and other known spammers) before they get to sendmail. So I grep through the last few months of maillogs and gather a list of >100K unique IP addresses.
I think I'll stuff these into iptables. But then, it seems like a lot of filtering. Although perhaps it is better than letting sendmail get slammed; I will receive less spam, and so less load from spamd.
For the moment, I have decided to limit this to the current and previous weekly maillog file, which keeps the number of entries down around 4K.
But I still ponder: is putting 100K, or even 4K, entries into iptables a bad idea? E.g., what are the side effects of doing this?
Here is a sample script:
###
#!/bin/sh
# Default policy stays ACCEPT; only port-25 SYNs are checked below.
iptables -P INPUT ACCEPT
# SPAMMER: log the offending source, then drop the packet.
iptables -N SPAMMER
iptables -A SPAMMER -j LOG --log-prefix 'spammer: '
iptables -A SPAMMER -j DROP
# SPAMCHECK: exempt trusted sources first, then one rule per bad address.
iptables -N SPAMCHECK
iptables -A SPAMCHECK -s 127.0.0.1/32 -j ACCEPT # Local host
iptables -A SPAMCHECK -s 192.168.0.0/16 -j ACCEPT # Local network
iptables -A SPAMCHECK -s <snip>/32 -j ACCEPT # Good customer
iptables -A SPAMCHECK -s 4.18.54.180/32 -j SPAMMER # Bad guy
# <repeat many times with different ip address>
# Only new inbound SMTP connections (SYN) go through the check.
iptables -A INPUT -p tcp --dport 25 --syn -j SPAMCHECK
###
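An added example, not code from the original post, showing the side effect the poster is asking about and the usual way around it: an iptables chain is walked linearly, so with N per-address rules every new SYN to port 25 can cost up to N comparisons before it is accepted, while an ipset of type hash:ip is a single hash lookup whether it holds 4K or 100K entries. The script below extracts the rejected source addresses from sendmail "Relaying denied" lines and emits an ipset restore file plus a short ruleset that consults the set. The sample log lines are constructed, and the set name SPAMMER_SET, the exempted networks, the 7-day expiry and the log rate limit are my assumptions; the functions only print commands and never touch the live firewall.

```shell
#!/bin/sh
# Added example (not from the original post): collect sendmail "Relaying
# denied" sources into a hash:ip ipset instead of one iptables rule each.
#
# Assumptions (mine): log lines use the sendmail form "relay=host [a.b.c.d]"
# or "relay=[a.b.c.d]"; SPAMMER_SET, the exempt networks and the timeout are
# illustrative; output is piped into "ipset restore" / "sh" by the caller.

# Constructed sample maillog lines (not real traffic). One address repeats and
# one line is an ordinary accepted message, which must not be collected.
SAMPLE_MAILLOG='Sep 13 12:01:02 mx sendmail[3456]: k8DG12ab003456: ruleset=check_rcpt, arg1=<joe@example.com>, relay=[4.18.54.180], reject=550 5.7.1 <joe@example.com>... Relaying denied. IP name lookup failed [4.18.54.180]
Sep 13 12:01:09 mx sendmail[3460]: k8DG19cd003460: ruleset=check_rcpt, arg1=<ann@example.com>, relay=host.example.net [198.51.100.7], reject=550 5.7.1 <ann@example.com>... Relaying denied
Sep 13 12:02:44 mx sendmail[3471]: k8DG2ief003471: ruleset=check_rcpt, arg1=<bob@example.com>, relay=[4.18.54.180], reject=550 5.7.1 <bob@example.com>... Relaying denied
Sep 13 12:03:10 mx sendmail[3480]: k8DG3Agh003480: from=<ann@example.com>, size=1023, class=0, nrcpts=1, relay=[192.168.1.20]
Sep 13 12:05:55 mx sendmail[3499]: k8DG5tij003499: ruleset=check_rcpt, arg1=<sue@example.com>, relay=[203.0.113.9], reject=550 5.7.1 <sue@example.com>... Relaying denied'

# Print the unique source addresses of "Relaying denied" rejections read from
# stdin. Only the [ip] bracket right after "relay=" is used, so hostnames and
# the trailing "IP name lookup failed [ip]" text are ignored.
relay_denied_ips() {
    sed -n 's/.*relay=[^[]*\[\([0-9.]*\)\].*Relaying denied.*/\1/p' | sort -u
}

# Emit an "ipset restore" script for the addresses on stdin. Entries expire
# after the timeout (seconds) so a host that misbehaved once is not blocked
# forever; re-run with "ipset -exist restore" to refresh an existing set.
ipset_restore_script() {
    setname=$1
    timeout=${2:-604800}   # 7 days, illustrative
    printf 'create %s hash:ip family inet hashsize 65536 maxelem 262144 timeout %s\n' \
        "$setname" "$timeout"
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            printf 'add %s %s\n' "$setname" "$ip"
        fi
    done
}

# Emit the iptables commands. Trusted sources RETURN from the check before the
# set is consulted (ACCEPT there would skip any later INPUT rules), and the
# LOG rule is rate-limited so a large set cannot flood syslog.
iptables_rules() {
    setname=$1
    cat <<EOF
iptables -N SPAMMER
iptables -A SPAMMER -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'spammer: '
iptables -A SPAMMER -j DROP
iptables -N SPAMCHECK
iptables -A SPAMCHECK -s 127.0.0.1/32 -j RETURN
iptables -A SPAMCHECK -s 192.168.0.0/16 -j RETURN
iptables -A SPAMCHECK -m set --match-set $setname src -j SPAMMER
iptables -A INPUT -p tcp --dport 25 --syn -j SPAMCHECK
EOF
}

# Stand-alone run: print the restore script for the constructed sample.
printf '%s\n' "$SAMPLE_MAILLOG" | relay_denied_ips | ipset_restore_script SPAMMER_SET
```

Against real logs the pipeline is `grep 'Relaying denied' /var/log/maillog /var/log/maillog.1 | relay_denied_ips | ipset_restore_script SPAMMER_SET | ipset -exist restore`, then `iptables_rules SPAMMER_SET | sh` once. Rebuilding the set later only changes the set contents; the iptables rules stay the same size, which is the point of moving the addresses out of the chain.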