inline ubuntu firewall


Cncjerry

Member
Oct 16, 2021
I have a problem with my email server where I am getting hit by a bot out of Kiev (5.34.207.88) about once per second. In the 20 years I've had this server I've not had an issue like this. Once blocked, they usually go away.

My Comcast business class cable router doesn't have an integrated firewall as I had with AT&T. My email server blocks the bot, but it is slowing my email response time, filling the logs, etc. This has been going on for a month or so. I tried to get Comcast to block the address, sent emails to the IP networking company, etc.

My home media and cloud server (not email) runs Ubuntu Server 20.04. Currently it is entirely on my home 192.x.x.x network behind an ICX6610 switch. It has 4 open 1GE ports. Given this server is lightly loaded and has a bunch of open network interfaces, would I be able to use two of them for an inline firewall on my public IP address, which is something like 52.x.x.x?

Ideally, I would take a port off the Comcast router, bring it into the Ubuntu 20.04 server on the 52.x.x.x network, filter the traffic, and then route it out another port to my dedicated email server.

Possible? Practical?

Thanks,

Jerry
 

elvisimprsntr

Active Member
May 9, 2021
Florida
Suggest taking control of your network by putting an open source enterprise class firewall between the Crapcast modem and your local network, and enabling intrusion detection/prevention (pfBlockerNG, GeoIP blocking, Suricata, etc.). Put the Crapcast modem in passthrough or bridge mode so the firewall gets assigned the ISP public WAN IP.

pfSense® - World's Most Trusted Open Source Firewall

If you are relying on the Crapcast modem for wifi connectivity, you will be better off in the long run with a dedicated enterprise class access point.

Hopefully, you are not relying on the Crapcast modem for VoIP or IPTV.
 

Sean Ho

seanho.com
Nov 19, 2019
Vancouver, BC
Yes, Linux or opnsense/pfsense would work just fine either in place of your ISP-provided router or as a supplement (with or without NAT, as desired).

If the offending traffic is from a stable IP, you could also block it with the ICX's ACLs.
 

Cncjerry

Member
Oct 16, 2021
So it took a lot of screwing around, as I'm not familiar with the ICX6610, but I was able to apply an ACL to the VE interface (if that is the right term) and it blocked it, woo hoo! I calculate that they hit me 2.5M times or more. What a pain in the butt, but now I know how to block the occasional bot. I appreciate the help there, Sean, very good!

Jerry
 

Sean Ho

seanho.com
Nov 19, 2019
Vancouver, BC
Glad to hear you have a solution! Still worthwhile to consider opn/pfs at some point; lots of other things you can do with it, even just as a 1:1 firewall without any NAT.
 

Cncjerry

Member
Oct 16, 2021
Thanks, yes, I looked at pfs and another tool and both are much more flexible than I needed for this issue. One of my engineers said he runs pfs on a Raspi-based server; I think it is some type of parallel computing beast he built, and he thought I should build one... I was like, "for one address?"

The problem started on 7/23 and ran every second for a month. Funny thing is if you look up that address above, you see it is registered in Kiev. I have no idea why it picked on me.

Mail servers are a real pain, and had I known this would happen 20 years ago, I would have had it hosted someplace. I see a new issue cropped up with EHLO [127.0.0.1] constantly from a number of addresses, so I have to kill that one in the email server code tomorrow, which I thought I did a few years ago but now it is slipping by...

Thanks again.

Jerry
 

sko

Active Member
Jun 11, 2021
Or just use something like spamd that blacklists and tarpits such hosts.

Another solution would be a dedicated queue at the firewall with very low bandwidth and a log scanner like sshguard or fail2ban that puts offending IPs into that queue.
With Free/OpenBSD and PF this is easily done via tables. It should be possible with pf/OPNsense too, although the few times I had to deal with any of them, it was insanely complicated to get such simple stuff working, as you are constantly fighting the GUI limitations...
 
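As an added example (not code from this thread or from fail2ban/sshguard), the log-scanner idea above in Python: it reads constructed SMTP log lines in a simplified syslog-style format (an assumed format, not real Postfix or Exim output), flags a host that connects more than a threshold number of times inside a sliding window, like the once-per-second bot in the thread, and also flags the EHLO [127.0.0.1] pattern Jerry mentions. The returned addresses are what a scanner would feed into a PF table, an nftables set, or the ICX ACL.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified syslog-style SMTP format (an assumption of
# this example, not a real MTA format). 5.34.207.88 is the address from the thread;
# the other addresses are documentation ranges.
SAMPLE_LOG = """\
Aug 23 10:00:00 mx smtpd: connect from [5.34.207.88]
Aug 23 10:00:01 mx smtpd: connect from [5.34.207.88]
Aug 23 10:00:02 mx smtpd: connect from [5.34.207.88]
Aug 23 10:00:02 mx smtpd: connect from [198.51.100.7]
Aug 23 10:00:03 mx smtpd: connect from [5.34.207.88]
Aug 23 10:00:04 mx smtpd: connect from [5.34.207.88]
Aug 23 10:00:09 mx smtpd: connect from [203.0.113.9]
Aug 23 10:00:09 mx smtpd: EHLO [127.0.0.1] from [203.0.113.9]
Aug 23 10:05:00 mx smtpd: connect from [198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smtpd: "
    r"(?:connect from \[(?P<conn>[\d.]+)\]"
    r"|EHLO \[(?P<helo>[^\]]+)\] from \[(?P<src>[\d.]+)\])$"
)

def find_offenders(log_text, threshold=5, window_s=10, year=2021):
    """Return {ip: reason} for hosts to drop into a block table: at least
    `threshold` connects inside any `window_s`-second window, or an EHLO that
    claims to be the loopback address while arriving from a remote host."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # ip -> timestamps of recent connects
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # unrelated line; a real scanner would log it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["conn"]:
            q = recent[m["conn"]]
            q.append(ts)
            while ts - q[0] > window:    # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                offenders.setdefault(m["conn"], f"{len(q)} connects within {window_s}s")
        elif m["helo"] == "127.0.0.1" and not m["src"].startswith("127."):
            offenders.setdefault(m["src"], "EHLO claims to be 127.0.0.1")
    return offenders
```

Running `find_offenders(SAMPLE_LOG)` on the sample flags 5.34.207.88 for the connection burst and 203.0.113.9 for the spoofed-loopback EHLO, while the legitimate peer that connects twice five minutes apart is left alone.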

Vesalius

Active Member
Nov 25, 2019
Crowdsec should work transparently for this sort of thing and has a relatively straightforward plugin on OPNsense.