We are getting a huge SMTP attack from a number of IPs. I've gone ahead and created a DNAT rule that sends them to a blackhole address, but I'm not understanding why exim is still receiving the TCP connection, if I have everything set correctly. Shouldn't the NAT rule precede the proxy connection, according to the Rulz?
Do you have one external IP address or other second external IP addresses? If there are more than the primary, please include the other external IPs in your DNAT rule.
Thank you for reaching out to the community!
If the DNAT rule is working, then you shouldn't see the IP hit exim.
Can you confirm your DNAT rule is correct, and maybe provide a screenshot if possible?
Yeah, I put the entire subnet into the "Going to," so the NAT rule is picking it up on each IP.
The solution proposed here worked. The suggestion to break out all of the external interfaces individually into a network group and enter that into "Going to" proved to be the solution. Before, I was using the subnet of the internet provider, and that did not catch all, although I'm not sure why that didn't work. Anyways, problem solved. Thanks!