
OpenVZ: rate-limit outbound SMTP connections from a container

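# Filter-table rules (iptables-save format) for an OpenVZ host: cap the rate
# at which one container (xx.xx.xx.xx, replace with the real address; /32 keeps
# it to that single host) may open outbound SMTP connections through FORWARD.
# Load with iptables-restore inside a *filter ... COMMIT section.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# --syn restricts the limit to connection attempts. Without it the 1/sec bucket
# (default burst 5) applies to every segment of an established session and
# throttles the whole mail transfer rather than the connection rate.
# One bucket per port, as in the original.
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --syn --dport 465 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --syn --dport 587 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --syn --dport 25 -m limit --limit 1/sec -j ACCEPT
# Only SYNs that exceeded their bucket reach this point, so the "DROP" prefix
# is now accurate (the original LOG rule sat before the ACCEPTs and logged
# accepted connections too). The LOG rule is itself rate-limited so a
# misbehaving container cannot fill the host's log.
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --syn -m multiport --dports 25,465,587 -m limit --limit 5/min -j LOG --log-prefix "FORWARD:DROP:" --log-level 6
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --syn -m multiport --dports 25,465,587 -j DROP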

iptables: block requests carrying the WordPress user-agent (pingback floods)

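# Crude pingback blocker: drop any inbound port-80 packet whose payload
# contains the literal "WordPress" anywhere (no --to bound, so the whole
# packet is searched).
# Caveats: the match is per packet and context-free, so a POST body or URL
# that merely mentions WordPress is dropped too; and because this is
# appended (-A), a rule earlier in INPUT that accepts ESTABLISHED traffic
# will accept the request before this rule is reached -- use -I in that
# case, as the chain-based variants below do.
iptables -A INPUT -p tcp --dport 80 -m string --string 'WordPress' --algo kmp -j DROP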

or

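# Dedicated chain: only HTTP GETs are inspected, and only WordPress pingback
# verification requests are dropped; everything else RETURNs to INPUT.
# (The original was pasted with en-dashes and curly quotes; the options below
# are the real two-dash forms.)
iptables -N WordPress-PingVerify
# -I places the jump at the top of INPUT so it runs ahead of any rule that
# accepts ESTABLISHED traffic. --to 70: only the first 70 payload bytes are
# searched for the request line.
iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /' -j WordPress-PingVerify
# No WordPress User-Agent in the first 80 bytes -> back to INPUT. A long
# request path or Host header can push the User-Agent past byte 80, in which
# case the packet passes unchecked; widen --to if pingbacks slip through.
iptables -A WordPress-PingVerify -p tcp --dport 80 -m string --to 80 --algo bm ! --string 'User-Agent: WordPress/' -j RETURN
# The pingback verification body (within the first 300 bytes) -> drop.
# String matches are per packet, so a request split across segments is not
# seen as a whole.
iptables -A WordPress-PingVerify -p tcp --dport 80 -m string --to 300 --algo bm --string 'verifying pingback from' -j DROP
iptables -A WordPress-PingVerify -j RETURN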

or

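# Broader variant of the chain above: drop every GET whose User-Agent starts
# with "WordPress/" instead of just pingback verifications. Legitimate
# WordPress-originated requests (pingbacks you want, plugins, updates) are
# dropped too -- the trade-off is deliberate.
# (Pasted with en-dashes and curly quotes originally; fixed here.)
iptables -N WordPress-PingBacks
# -I: run before any ESTABLISHED-accept rule. --to 70: search only the first
# 70 payload bytes for the request line.
iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /' -j WordPress-PingBacks
# Not a WordPress user-agent within the first 80 bytes -> back to INPUT. A
# long path or Host header can push the header past the bound; widen --to
# if WordPress requests still get through.
iptables -A WordPress-PingBacks -p tcp --dport 80 -m string --to 80 --algo bm ! --string 'User-Agent: WordPress/' -j RETURN
iptables -A WordPress-PingBacks -p tcp --dport 80 -j DROP
iptables -A WordPress-PingBacks -j RETURN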

SMTP Mail protection has been disabled. All users may make smtp connections.

/scripts/smtpmailgidonly on
SMTP Mail protection has been disabled. All users may make smtp connections.
There was a problem setting up iptables. You either have an older kernel or a broken iptables install, or ipt_owner could not be loaded.

# Check whether the kernel exposes the owner match (needed by
# smtpmailgidonly), then load it; re-run the script afterwards.
grep owner /proc/net/ip_tables_matches
modprobe xt_owner

/scripts/smtpmailgidonly on
SMTP Mail protection has been enabled.
All outbound SMTP connections will be redirected to localhost except:
uid is root (ports: 25,26,465,587)
uid is cpanel (ports: 25,26,465,587)
gid is mail (ports: 25,26,465,587)
gid is mailman (ports: 25,26,465,587)

Linux: restrict outbound SMTP to trusted users and groups

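# Restrict outbound SMTP so only local delivery, the mail/mailman groups and
# root may connect out; every other process gets an immediate REJECT (the
# sender sees an error instead of a hang). -m owner only works in the
# OUTPUT/POSTROUTING chains and needs xt_owner loaded (see modprobe above).
# The original covered port 25 only, leaving 465 (SMTPS) and 587
# (submission) open to any user -- a compromised web account could still
# send mail on those ports, so all three are covered here. Add 26 if your
# MTA also listens there, as the cPanel output above shows.
iptables -A OUTPUT -d 127.0.0.1 -p tcp -m multiport --dports 25,465,587 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mail -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mailman -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT --reject-with icmp-port-unreachable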

nginx as a reverse-proxy

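# Build nginx from a source tarball in the current directory.
# Verify the tarball's checksum or PGP signature against the nginx download
# page before extracting -- this ends in 'sudo make install'.
# Each step is guarded: a failed extract or cd must not let ./configure and
# the installation run in whatever directory we happen to be in.
tar -zxf nginx-*.tar.gz || exit 1
cd nginx-*/ || exit 1
./configure && make && sudo make install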

# Edit the installed config (with the default ./configure prefix it is
# /usr/local/nginx/conf/nginx.conf). The contents used here follow.
vi nginx.conf
# Minimal nginx config acting as a reverse proxy in front of an existing HTTP
# server on the same address (1.2.3.4:80). nginx listens on :81; the iptables
# DNAT rule after this file sends external port-80 traffic to :81.
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 3; # short keep-alive: idle clients release the connection quickly
server {
listen 1.2.3.4:81;
server_name nginx;
location / {
proxy_pass http://1.2.3.4:80;
proxy_redirect off; # backend Location headers are passed through unchanged
# Hand the backend the original Host and the client address.
# X-Real-IP is the peer address nginx saw and is the value the backend should
# use; $proxy_add_x_forwarded_for *appends* to any X-Forwarded-For the client
# sent, so that header can still carry client-supplied entries.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0; # 0 disables buffering responses to temp files on disk
proxy_connect_timeout 20;
proxy_send_timeout 20;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
}

# Redirect port-80 traffic arriving from other hosts to nginx on :81 before
# routing. The "! -s 1.2.3.4" exclusion keeps the proxy's own upstream
# traffic out of the rule (locally generated packets do not traverse
# PREROUTING anyway, so it is belt-and-braces).
iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 80 ! -s 1.2.3.4 -j DNAT --to-destination :81