
Help with script to control email bomb..

Discussion in 'Tomato Firmware' started by Toastman, Aug 24, 2008.

  1. Toastman

    Toastman Super Moderator Staff Member Member

    Can anyone help with this problem? I have a couple of users who I believe must have picked up email virus. Tomato QOS shows them to be making very large numbers of DNS lookups followed shortly afterwards by outgoing SMTP connections to port 25. This isn't the first time and it won't be the last, so I want to find a rule to cover anyone who does the same thing in the future.

    I'm looking for a way to allow "normal" SMTP to work with a high priority, but throttle or prevent the mail bombing.

    There are examples of scripts going around that purport to prevent users from opening more than a certain number of TCP connections and also restrict speed of opening UDP, but many of them don't seem to work in conjunction with Tomato's normal QOS rules. Can anyone offer any advice?

    Thanks!



    EDIT:

    To close this query, the following script can be used in admin/scripts/firewall:

    #Limit outgoing SMTP simultaneous connections to 10
    iptables -I FORWARD -p tcp --dport 25 -m connlimit --connlimit-above 10 -j DROP

    These others may also be useful:

    #Limit UDP from all users to 4 per second
    iptables -A FORWARD -p UDP -s 192.168.1.0/24 -m limit --limit 4/s -j ACCEPT

    #Limit UDP connections per user (actually this limits everything except TCP)
    iptables -I FORWARD -m iprange --src-range 192.168.1.10-192.168.1.250 -p ! tcp -m connlimit --connlimit-above 50 -j DROP

    #Limit max TCP connections per user
    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.10-192.168.1.250 -m connlimit --connlimit-above 250 -j DROP

    #Limit total TCP connections to 4000
    iptables -I FORWARD -p tcp --dport 1:65535 -m connlimit --connlimit-above 4000 -j DROP

    All tested and work OK with QOS
     
  2. fineghal

    fineghal LI Guru Member

    Have you tried giving the smtp port Low or Lowest priority for over say 10k+?

    I recall there being an example about that in the QOS...

    You could also use the 1.21 Tzepnek (sp?) mod - it has a per IP qos and monitoring option. Hope something helps - or at least gives you an idea!
     
  3. Toastman

    Toastman Super Moderator Staff Member Member

    Thanks fineghal

    If I throttle by priority and only allow <10K, then it would also affect normal mail usage, which is important. The problem with the individual IP bandwidth restrictions (Victek Mod), which would otherwise be a good answer, is that this is effectively a "different" set of rules for the QOS system, which don't work properly with the existing ones.

    I did try, but it's unpredictable and I don't know how to use it in conjunction with existing QOS - if it's possible. It is also restricted in the number of users, so cannot be applied in a way that will work "unsupervised" on 80 users :frown:.
     
  4. fineghal

    fineghal LI Guru Member

    Another thought - iptables? It seems like iptables -limit would do the trick. Set either the IP and/or smtp port.

    Limit by burst or by time. I'd suggest limiting to what the other users' average is.
     
  5. Toastman

    Toastman Super Moderator Staff Member Member

    Scripts to limit mail connections, max connections, etc

    Sorted ...... after many hours of headscratching...:wall:

    #Limit outgoing SMTP simultaneous connections to 10
    iptables -I FORWARD -p tcp --dport 25 -m connlimit --connlimit-above 10 -j DROP

    (in Firewall script box).


    These others may also be useful:

    #Limit UDP from all users to 4 per second
    iptables -A FORWARD -p UDP -s 192.168.1.0/24 -m limit --limit 4/s -j ACCEPT

    #Limit UDP connections per user (actually limits everything except TCP)
    iptables -I FORWARD -m iprange --src-range 192.168.1.10-192.168.1.250 -p ! tcp -m connlimit --connlimit-above 50 -j DROP

    #Limit max TCP connections per user
    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.10-192.168.1.250 -m connlimit --connlimit-above 250 -j DROP

    #Limit total TCP connections to 4000
    iptables -I FORWARD -p tcp --dport 1:65535 -m connlimit --connlimit-above 4000 -j DROP

    All tested and work OK with QOS
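The connlimit rules above throttle the bomb but do not tell the admin which LAN host is infected. The following is an added example, not code from this thread or from Tomato: it assumes the firewall script also logs new outbound SMTP and DNS flows with iptables' LOG target (for instance `iptables -I FORWARD -p tcp --syn --dport 25 -j LOG --log-prefix "MAILOUT: "` and `iptables -I FORWARD -p udp --dport 53 -j LOG --log-prefix "DNSOUT: "`, both hypothetical rule names chosen here), and then scans the resulting kernel log for the pattern Toastman describes: a burst of DNS lookups followed shortly by many SMTP connections from the same host. The sample log lines are constructed, with the syslog date replaced by epoch seconds to keep them short.

```python
import re
from collections import defaultdict

# Kernel LOG line in the shape iptables' LOG target produces (prefix, then
# IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= fields). Assumption: the syslog
# timestamp has been replaced by epoch seconds for this constructed sample.
LOG_RE = re.compile(
    r"^(?P<ts>\d+) kernel: (?P<prefix>[A-Z]+): .*?\bSRC=(?P<src>[\d.]+)"
    r" .*?\bPROTO=(?P<proto>\w+) .*?\bDPT=(?P<dpt>\d+)"
)


def parse_log(lines):
    """Return one event dict per matching LOG line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": int(m["ts"]), "prefix": m["prefix"],
                           "src": m["src"], "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def _peak_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    lo, peak = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def smtp_burst_hosts(events, max_conns=10, window=60):
    """Hosts opening more than `max_conns` SMTP connections within `window` seconds.

    Mirrors the thread's connlimit-above 10 rule, but over a time window, so the
    LOG output can name the host that is being throttled."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dpt"] == 25:
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        peak = _peak_in_window(times, window)
        if peak > max_conns:
            flagged[src] = peak
    return flagged


def dns_then_smtp_hosts(events, dns_min=20, window=120):
    """Hosts whose SMTP connection was preceded (within `window` seconds) by at
    least `dns_min` DNS lookups: the burst pattern the QOS graphs showed."""
    dns, smtp = defaultdict(list), defaultdict(list)
    for e in events:
        if e["dpt"] == 53:
            dns[e["src"]].append(e["ts"])
        elif e["proto"] == "TCP" and e["dpt"] == 25:
            smtp[e["src"]].append(e["ts"])
    flagged = {}
    for src, mail_times in smtp.items():
        lookups = dns.get(src, [])
        best = max(sum(1 for d in lookups if t - window <= d <= t) for t in mail_times)
        if best >= dns_min:
            flagged[src] = best
    return flagged


def _line(ts, prefix, src, dst, proto, dpt):
    """Build one constructed LOG line (not real router output)."""
    return (f"{ts} kernel: {prefix}: IN=br0 OUT=vlan1 SRC={src} DST={dst} "
            f"LEN=60 TTL=63 PROTO={proto} SPT=51234 DPT={dpt}")


# Constructed sample: .23 behaves like an infected host (30 lookups, then 15
# SMTP connections in 15 s); .50 sends one normal mail; .77 only browses.
SAMPLE_LOG = (
    [_line(1000 + i, "DNSOUT", "192.168.1.23", "192.168.1.1", "UDP", 53) for i in range(30)]
    + [_line(1030 + i, "MAILOUT", "192.168.1.23", "203.0.113.9", "TCP", 25) for i in range(15)]
    + [_line(1990, "DNSOUT", "192.168.1.50", "192.168.1.1", "UDP", 53),
       _line(1995, "DNSOUT", "192.168.1.50", "192.168.1.1", "UDP", 53),
       _line(2000, "MAILOUT", "192.168.1.50", "203.0.113.9", "TCP", 25)]
    + [_line(3000 + i, "DNSOUT", "192.168.1.77", "192.168.1.1", "UDP", 53) for i in range(25)]
    + ["3100 kernel: unrelated message with no SRC field"]
)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("SMTP bursts:", smtp_burst_hosts(ev))          # {'192.168.1.23': 15}
    print("DNS burst then SMTP:", dns_then_smtp_hosts(ev))  # {'192.168.1.23': 30}
```

On a router the log would be read from the syslog file or a remote syslog host rather than from the embedded sample; the thresholds (10 connections per minute, 20 lookups in the two minutes before a mail connection) are starting points that should be tuned against what normal users on the network actually do, as fineghal suggests.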
     
