nuskope
Frequent Visitor
Topic Author
Posts: 73
Joined: Wed Oct 22, 2008 3:11 pm
Location: Adelaide, South Australia

Mail Server Nat issues

Thu Aug 04, 2016 2:28 pm

Hi all,

I'm lost on this one. We have a client whose old modem I removed and replaced with a MikroTik, because they were using something made in the 1700s.
Unfortunately I have a single problem with their locally hosted mail server.

I have all the NAT/firewall rules set up; however, their mail server is getting lots of 'failed login' logs that seem to be originating from the router, rather than from the public IP address they are actually originating from.
They would like to see where the failed logins are coming from so they can block the addresses.

LOGS:
03 10:42:16,516 - Incorrect password attempted. IP Address: 10.0.1.1. Source: Smtp Server. Attempt number 41. Login: anonymous
2016-08-03 10:42:17,026 - Incorrect password attempted. IP Address: 10.0.1.1. Source: Smtp Server. Attempt number 42. Login: anonymous
2016-08-03 10:42:17,027 - Incorrect password attempted. IP Address: 10.0.1.1. Source: Smtp Server. Attempt number 43. Login: anonymous
2016-08-03 10:42:17,027 - Incorrect password attempted. IP Address: 10.0.1.1. Source: Smtp Server. Attempt number 44. Login: anonymous
2016-08-03 10:42:17,027 - Incorrect password attempted. IP Address: 10.0.1.1. Source: Smtp Server. Attempt number 45. Login: anonymous
2016-08-03 10:42:17,593 - Incorrect password attempted. IP Address: 10.0.1.1. Source: Smtp Server. Attempt number 46. Login: anonymous
2016-08-03 10:42:17,593 - Incorrect password attempted. IP Address: 10.0.1.1. Source: Smtp Server. Attempt number 47. Login: anonymous
2016-08-03 10:42:18,609 - Incorrect password attempted. IP Address: 10.0.1.1. Source: Smtp Server. Attempt number 48. Login: anonymous
2016-08-03 10:42:18,609 - Incorrect password attempted. IP Address: 10.0.1.1. Source: Smtp Server. Attempt number 49. Login: anonymous

My config:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Email server port forwarding" dst-address=119.40.xxx.xxx dst-port=25 protocol=tcp to-addresses=10.0.1.5 to-ports=25
add action=dst-nat chain=dstnat dst-address=119.40.xxx.xxx dst-port=22 protocol=tcp to-addresses=10.0.1.5 to-ports=22
add action=dst-nat chain=dstnat dst-address=119.40.xxx.xxx dst-port=110 protocol=tcp to-addresses=10.0.1.5 to-ports=110
add action=dst-nat chain=dstnat dst-address=119.40.xxx.xxx dst-port=443 protocol=tcp to-addresses=10.0.1.5 to-ports=443
add action=dst-nat chain=dstnat dst-address=119.40.xxx.xxx dst-port=465 protocol=tcp to-addresses=10.0.1.5 to-ports=465
add action=dst-nat chain=dstnat dst-address=119.40.xxx.xxx dst-port=587 protocol=tcp to-addresses=10.0.1.5 to-ports=587
add action=dst-nat chain=dstnat dst-address=119.40.xxx.xxx dst-port=993 protocol=tcp to-addresses=10.0.1.5 to-ports=993
add action=dst-nat chain=dstnat dst-address=119.40.xxx.xxx dst-port=995 protocol=tcp to-addresses=10.0.1.5 to-ports=995
add action=redirect chain=dstnat comment="Dns redirect" dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53

add action=masquerade chain=srcnat comment="NAT rule"
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp to-addresses=10.0.1.5 to-ports=22
add action=dst-nat chain=dstnat dst-port=22 protocol=udp to-addresses=10.0.1.5 to-ports=22
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp to-addresses=10.0.1.5 to-ports=22
add action=dst-nat chain=dstnat dst-port=22 protocol=udp to-addresses=10.0.1.5 to-ports=22
Cha0s
Forum Guru
Posts: 1158
Joined: Tue Oct 11, 2005 4:53 pm

Re: Mail Server Nat issues

Thu Aug 04, 2016 2:38 pm

You need to change the masquerade rule to be more specific.
add action=masquerade chain=srcnat comment="NAT rule"
Right now it will masquerade everything passing through the router regardless of direction (in or out), interface, src/dst address.

You need to change the rule to masquerade only packets originating from the LAN and having your gateway/uplink as the outgoing interface.

This way only those packets will be masqueraded, and not those coming from the internet to the mail server.
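The change described above, as an added example that is not from the original thread: the posted catch-all rule beside a restricted version, plus a check that the mail server now sees real source addresses. The uplink interface name ether1-wan and the LAN subnet 10.0.1.0/24 are assumptions (the thread only shows the hosts 10.0.1.1 and 10.0.1.5).

```routeros
# Posted rule (the problem): it matches every packet leaving any interface,
# so inbound connections that were dst-nat'ed to the mail server are also
# source-rewritten and arrive at 10.0.1.5 from the router's LAN address
# 10.0.1.1, which is what the mail server log records.
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT rule"

# Restricted rule: only traffic that originates in the LAN and leaves via the
# uplink is masqueraded. Inbound mail connections no longer match, so the
# server logs the remote public address and can block it.
# ASSUMPTIONS: ether1-wan is the uplink interface and 10.0.1.0/24 is the LAN;
# substitute the client's actual values.
/ip firewall nat
set [find comment="NAT rule"] src-address=10.0.1.0/24 out-interface=ether1-wan

# Check: connections to the mail server's SMTP port should now show the
# remote public address as src-address instead of 10.0.1.1.
/ip firewall connection print where dst-address~"10.0.1.5:25"
```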
