Assistance with DNAT rule not working

Hello, there is someone spamming our email server and I blocked the IP in two ways, which I'll attach pictures of. One is a basic firewall rule to drop traffic from a list of spammer/hacker IPs. The other is a DNAT rule which takes that same list and is supposed to route the traffic to a random IP that has nothing to do with our network. When I look at the logs, the firewall rule appears to work but the DNAT rule is apparently ALLOWING the traffic to go through and I cannot for the life of me figure out why. I have these rules as high as they can go (firewall starts at 16 because of automatic rules before it). NAT rule #1 is the "black hole" rule and NAT rule #5 is any > smtp > our mail server > destination: our spam firewall. The "going to" IP is our WAN IP. Something else I'm confused on too is that the blocked message from packet filter #16 seems to be the NAT rule because that's the rule that routes traffic to 240.0.0.0; the firewall rule is just set to drop obviously, but the logs seem to show the block coming from the firewall rule and not the NAT? I'm confused. Any ideas? Sorry, I am by no means an expert on this device.



This thread was automatically locked due to age.
  • looks ok ...

    first: the NAT rule #1 matches and redirects the traffic to 240.0.0.0 ... logged within the white lines

    next: this packet is dropped by Firewall Rule # 16 ... red line

  • I obfuscated the picture of NAT rule #1 IP because that's going to our WAN address.

    This didn't stop the attacker, as it kept hammering our spam firewall. It wasn't doing a lot of damage, just slowing down mail queues a bit, but in the future I would want to just put in an IP and stop them from accessing our network entirely.
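
The ordering described in the first reply (NAT rule #1 matches, then firewall rule #16 drops the already-translated packet), as an added Python model that is not part of the original thread and is not Sophos code. It assumes DNAT is evaluated before firewall rules and that the first matching rule wins; only rule numbers 1, 5 and 16 and the address 240.0.0.0 come from the thread, while the other addresses and allow rule 17 are constructed.

```python
# Constructed placeholder addresses (documentation ranges), not values from the thread.
WAN_IP = "203.0.113.10"
SPAM_FILTER = "192.0.2.25"
BLOCKLIST = {"198.51.100.7"}
BLACKHOLE = "240.0.0.0"  # black-hole target named in the thread

# DNAT rules for SMTP arriving on the WAN IP: (rule number, source match, new destination)
NAT_RULES = [
    (1, lambda src: src in BLOCKLIST, BLACKHOLE),  # "black hole" rule
    (5, lambda src: True, SPAM_FILTER),            # any > smtp > spam firewall
]

# Firewall rules: (rule number, packet match, action). Rule 17 is a hypothetical allow rule.
FW_RULES = [
    (16, lambda p: p["src"] in BLOCKLIST, "drop"),
    (17, lambda p: p["dst"] == SPAM_FILTER and p["dport"] == 25, "accept"),
]


def trace(src, dst=WAN_IP, dport=25):
    """Return the log-style events a single inbound packet would generate."""
    pkt = {"src": src, "dst": dst, "dport": dport}
    events = []
    # Stage 1: DNAT rewrites the destination before any firewall rule is consulted.
    if pkt["dst"] == WAN_IP and pkt["dport"] == 25:
        for num, match, new_dst in NAT_RULES:
            if match(pkt["src"]):
                events.append(("nat", num, f"DNAT {pkt['dst']} -> {new_dst}"))
                pkt["dst"] = new_dst
                break
    # Stage 2: firewall rules are evaluated against the translated packet.
    for num, match, action in FW_RULES:
        if match(pkt):
            events.append(("firewall", num, action))
            return events
    events.append(("firewall", "default", "drop"))
    return events


if __name__ == "__main__":
    for source in ("198.51.100.7", "198.51.100.99"):
        print(source, trace(source))
```

In this model a listed source produces two log events for one packet, a NAT match followed by a firewall drop, while a source that is not on the list falls through to rule #5 and reaches the spam firewall.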
