2013/05/19

iptables - limit number of connections per time period

If you need to protect an Internet-facing service from, for example, abuse, password guessing or SPAM, you can use iptables' recent module to do this.
Below is an example of rules that block a source that makes too many TCP connection attempts to port 25 (SMTP):

-A INPUT -i eth0 -p tcp -m tcp --dport 25 -s ! 1.2.3.0/24 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j LOG --log-prefix "rate-limit-drop "

-A INPUT -i eth0 -p tcp -m tcp --dport 25 -s ! 1.2.3.0/24 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 5 -j DROP

-A INPUT -i eth0 -p tcp -m tcp --dport 25 -s ! 1.2.3.0/24 -m state --state NEW -m recent --set

On RedHat-like systems add these rules to /etc/sysconfig/iptables just above the -A INPUT -j RH-Firewall-1-INPUT line, then run service iptables reload. When you then run iptables -L -v -n you should see the new rules at the top of the output.

-s ! 1.2.3.0/24 prevents our own company network from being blocked. 1.2.3.0/24 is an example address; it can be an internal or an external (public) network. You can drop this match entirely if you don't need it.

--seconds 60 --hitcount 5 allows a client to make only 5 new TCP connections per minute.
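To see exactly which attempt the three rules above drop, here is a small model of the recent module's per-source hit counting, written as an added example for this post (it is not code from the original). It assumes the module's default of 20 remembered timestamps per address and uses 203.0.113.9 as a constructed outside client.

```python
import ipaddress
from collections import deque

# Parameters taken from the rules in this post
WINDOW = 60          # --seconds 60
HITCOUNT = 5         # --hitcount 5
EXEMPT = ipaddress.ip_network("1.2.3.0/24")   # -s ! 1.2.3.0/24
LIST_SIZE = 20       # assumption: stock ip_pkt_list_tot of the recent module

class RecentTable:
    """Per-source ring of 'seen' timestamps, as the recent module keeps it."""
    def __init__(self):
        self.stamps = {}
    def hits(self, src, now):
        # a stamp at or after now - WINDOW counts toward --hitcount
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= WINDOW)
    def rcheck(self, src, now):
        return self.hits(src, now) >= HITCOUNT
    def update(self, src, now):
        # --update: like --rcheck, but a match also records the current time,
        # so attempts made while blocked are counted as well
        if self.rcheck(src, now):
            self.set(src, now)
            return True
        return False
    def set(self, src, now):
        self.stamps.setdefault(src, deque(maxlen=LIST_SIZE)).append(now)

def handle_new_connection(table, src, now, log):
    """Apply the three rules in page order to one NEW connection; returns the verdict."""
    if ipaddress.ip_address(src) in EXEMPT:   # none of the rules match our own net
        return "ACCEPT"
    if table.update(src, now):                # rule 1: LOG, non-terminating
        log.append(f"rate-limit-drop SRC={src} t={now}")
    if table.rcheck(src, now):                # rule 2: DROP
        return "DROP"
    table.set(src, now)                       # rule 3: remember, then fall through
    return "ACCEPT"

def simulate(events):
    """events: (src, seconds) pairs. Returns (src, t, verdict) triples and log lines."""
    table, log = RecentTable(), []
    verdicts = [(src, t, handle_new_connection(table, src, t, log)) for src, t in events]
    return verdicts, log

# Constructed timeline: one outside client knocking every 10 s, one host from 1.2.3.0/24
EVENTS = [("203.0.113.9", t) for t in (0, 10, 20, 30, 40, 50, 70, 100)] \
       + [("1.2.3.4", t) for t in (0, 5, 10, 15, 20, 25)]
```

Running simulate(EVENTS) shows the first five connections accepted, the sixth and seventh (at 50 s and 70 s) logged and dropped, and the one at 100 s accepted again once only three stamps remain inside the 60-second window.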

More documentation:

2013/05/16

Exim: debugging message receipt

To debug the message-receive process in Exim, run:
# exim -bh SENDER_IP
Example:
# printf "EHLO aaa\nMAIL FROM: aaaa@example.com\nRCPT TO: john.doe@abc.def.com\n" | exim -bh 12.34.56.78 2>&1 | less
It shows the evaluation of every ACL rule and the other checks as if the SMTP session came from the given IP address; in -bh mode no message is actually accepted or delivered. Other useful Exim tips: http://bradthemad.org/tech/notes/exim_cheatsheet.php