
Assistance with DNAT rule not working

Hello, there is someone spamming our email server and I blocked the IP in two ways, which I'll attach pictures of. One is a basic firewall rule to drop traffic from a list of spammer/hacker IPs. The other is a DNAT rule which takes that same list and is supposed to route the traffic to a random IP that has nothing to do with our network. When I look at the logs, the firewall rule appears to work but the DNAT rule is apparently ALLOWING the traffic to go through and I cannot for the life of me figure out why. I have these rules as high as they can go (firewall starts at 16 because of automatic rules before it). NAT rule #1 is the "black hole" rule and NAT rule #5 is any > smtp > our mail server > destination: our spam firewall. The "going to" IP is our WAN IP. Something else I'm confused about is that the blocked message from packet filter #16 seems to be the NAT rule because that's the rule that routes traffic to 240.0.0.0; the firewall rule is just set to drop obviously, but the logs seem to show the block coming from the firewall rule and not the NAT? I'm confused. Any ideas? Sorry, I am by no means an expert on this device.



  • looks ok ...

    first: the NAT rule #1 matches and redirects the traffic to 240.0.0.0 ... logged within the white lines

    next: this packet is dropped by Firewall Rule #16 ... red line


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I obfuscated the picture of NAT rule #1's IP because that's going to our WAN address

    This didn't stop the attacker as it kept hammering our spam firewall. It wasn't doing a lot of damage, just slowing down mail queues a bit, but in the future I would want to just put in an IP and stop them from accessing our network entirely

  • ok,
    can't see the obfuscation. "external (Interface address)" should be ok.
    And "change destination" to a non-existing IP is OK too.

    Where is the problem?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • My goal is to block the IP and it wasn't fully blocked.  The logs show the NAT allowing the connection to go through.

  • NAT is processed before packet filter.

    DNAT to Black-Hole is like a "drop".


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • I guess I'm confused because packet filter rule #16 isn't a DNAT, it's just supposed to drop the packets, but the log shows it routing to 240.0.0.0 which is the DNAT. The NAT rule seemingly is allowing the connection to go to our WAN IP. During the logs shown, the attacker was still hammering our spam firewall so it wasn't blocking him fully and I'm trying to find out why

  • first: the DNAT rule #1 matches and redirects the traffic to 240.0.0.0 ... logged within the white lines --- here no DROP/DENY is possible ... and this doesn't allow the packet

    next: this packet is dropped by Firewall Rule #16 ... red line --- because the packet filter is processed after DNAT, the packet has the new destination already.

    The connection should not reach any SMTP-service or Server.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
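    Added example, not code from the thread or from Sophos: a small Python model of the packet path described above (DNAT evaluated first, packet filter afterwards on the rewritten destination), so the log sequence the original poster saw can be reproduced. Rule numbers follow the thread; the IP addresses, the blocklist and the rule matching logic are constructed placeholders.

```python
# Toy model of the UTM packet path: DNAT rules run before the packet filter,
# so the filter (and its log line) sees the already-rewritten destination.
# All addresses below are constructed placeholders, not the poster's network.
import ipaddress

BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]   # constructed spammer list
WAN_IP = ipaddress.ip_address("198.51.100.10")         # placeholder WAN address
SPAM_FW = ipaddress.ip_address("10.0.0.25")            # placeholder spam firewall
BLACKHOLE = ipaddress.ip_address("240.0.0.0")          # reserved, never routed


def in_list(ip, nets):
    return any(ip in n for n in nets)


# DNAT table: (rule number, match(src, dst, dport), new destination). First match wins.
DNAT_RULES = [
    (1, lambda s, d, p: in_list(s, BLOCKLIST), BLACKHOLE),        # "black hole" rule
    (5, lambda s, d, p: d == WAN_IP and p == 25, SPAM_FW),         # any -> smtp -> WAN
]
# Packet filter table, evaluated after DNAT against the rewritten destination.
FILTER_RULES = [
    (16, lambda s, d, p: in_list(s, BLOCKLIST), "drop"),           # the poster's drop rule
    (17, lambda s, d, p: d == SPAM_FW and p == 25, "allow"),       # normal inbound SMTP
]


def process(src, dst, dport, log, filter_rules=FILTER_RULES):
    """Return (verdict, final destination) and append UTM-style log lines to log."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, match, new_dst in DNAT_RULES:
        if match(src, dst, dport):
            log.append(f"DNAT rule {num}: dst {dst} -> {new_dst}")   # the "white lines"
            dst = new_dst                                            # no verdict here
            break
    for num, match, action in filter_rules:
        if match(src, dst, dport):
            log.append(f"packetfilter rule {num}: {action} {src} -> {dst}:{dport}")
            return action, str(dst)
    log.append(f"default: drop {src} -> {dst}:{dport}")             # implicit final drop
    return "drop", str(dst)


if __name__ == "__main__":
    log = []
    print(process("203.0.113.7", "198.51.100.10", 25, log), *log, sep="\n")
```

    Running it with a blocklisted source prints the DNAT line first and then the rule #16 drop showing 240.0.0.0 as destination, which is the log pattern in the screenshots; dropping rule #16 from the filter table still ends in the default drop, since nothing allows traffic to 240.0.0.0.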

  • Your firewall rule is redundant.  You will want to consult #2 in Rulz (last updated 2021-02-16).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA