List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Dave Strydom <strydom.dave@...>
Subject: Re: If your interested
Date: Mon, 10 Oct 2005 08:06:49 +0200
It's part of the iptables patch-o-matic.<br>
<br>
<a href="http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/">http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/</a><br>
<br>
It's a little mission to install it, but it's worth it and makes blocking stuff a hell of a lot easier.<br>
<br>
<br>
Download the latest patch-o-matic-ng-XXXXXX.tar.gz<br>
Add extensions to your /etc/make.conf USE flags<br>
<br>
----------------------<br>
cd /usr/src<br>
# unpack the iptables 1.3.2 source (the tarball is expected here) under a fixed directory name<br>
tar -xvjpf iptables-1.3.2.tar.bz2<br>
mv iptables-1.3.2 iptables<br>
tar xfz patch-o-matic-ng-XXXXXX.tar.gz<br>
cd patch-o-matic-ng<br>
# runme patches both the iptables tree and the kernel tree in place<br>
IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip<br>
------------------------<br>
<br>
Then recompile your kernel with geoip support (it will be at the bottom of the iptables section of the kernel config).<br>
Reboot to use the new kernel.<br>
<br>
------------------------<br>
cd /usr/src<br>
# repack the patched iptables source under the original name so the ebuild builds it<br>
mv iptables iptables-1.3.2<br>
tar -cvjpf iptables-1.3.2.tar.bz2 iptables-1.3.2<br>
mv iptables-1.3.2.tar.bz2 /usr/portage/distfiles/<br>
cd /usr/portage/net-firewall/iptables<br>
# regenerate the digest so portage accepts the replaced tarball (this overrides the<br>
# upstream distfile's checksum, and a later sync/upgrade will replace it again)<br>
ebuild iptables-1.3.2.ebuild digest<br>
emerge iptables<br>
------------------------<br>
<br>
And that's it. Some examples of how to use it can be found here:<br>
<br>
<a href="http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html">http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html</a><br>
<br>
<br>I found this patch very VERY useful for our mail server. In South
Africa, bandwidth is expensive.. very expensive; be happy if you have a
10MB connection, since 64K international bandwidth costs about R6000
($950) per month (that's per 64K chunk of bandwidth). Local bandwidth is
around R700 ($110) per 64K chunk.<br>
So the problem we had was that all incoming mail from overseas was
clogging up our international bandwidth, so by using this geoip patch I
have this in my firewall:<br>
<br>
$IPTABLES -A INPUT -p tcp -m geoip ! --src-cc ZA --dport 25 -j REJECT<br>
<br>
In effect, this would stop any and all international mail servers outside of South Africa from connecting to mine.<br>
<br>
So what happens to all international mail? Well, simple: you add two MX records (mail records) for each domain.<br>
<br>
So, like:<br>
<br>
whatever.com.    IN MX 10    smtp.whatever.com.<br>
whatever.com.    IN MX 20    smtp2.whatever.com.<br>
<br>
Because all mail fails to connect to the MX 10, it will fall back onto the MX 20.<br>
<br>
This way I am able to virus and spam scan all international mail
overseas, and then forward on only the clean messages (you can either
open a hole in your firewall to allow this server to connect, or set up
a VPN between them).<br>
<br>
----------------------------------------------------------------------------------------<br>
<br>
<br>
<br><div><span class="gmail_quote">On 10/10/05, <b class="gmail_sendername">Elisamuel Resto</b> &lt;<a href="mailto:user00265@...">user00265@...</a>&gt; wrote:</span><blockquote class="gmail_quote">
I just wonder where this patch resides, and for which version it applies and such... I saw it in an earlier post but it got
lost somewhere in my inbox. Anybody care to post it?<br>
<br>
Thanks.<div><span class="e" id="q_106d911146574446_1"><br><br><div><span class="gmail_quote">On 10/10/05, <b class="gmail_sendername">Dave Strydom</b> &lt;<a href="mailto:strydom.dave@...">strydom.dave@...</a>&gt; wrote:</span><blockquote class="gmail_quote">
I think there is an easier way of doing this...<br>
<br>
Why not use the GEOIP IPTABLES patch and then just use this in your firewall:<br>
<br>
-----------------------------------------------------------------------------------------<br>
$IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP<br>
$IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP<br>
$IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP<br>
$IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP<br>
-----------------------------------------------------------------------------------------<br>
<br>
This way you have 4 simple rules which do the work of that entire script.<br>
<br>
<br><div><span class="gmail_quote">On 10/10/05, <b class="gmail_sendername">Taka John Brunkhorst</b> &lt;<a href="mailto:antiwmac@...">antiwmac@...</a>&gt; wrote:</span><blockquote class="gmail_quote">
Nice, but why do we need to block them?<br>
SSH worms? Or just lamers?<br clear="all"><br>-- <br><a href="mailto:antiwmac@...">antiwmac@...</a><br><span>Taka John Brunkhorst
</span></blockquote></div><br>
</blockquote></div><br>
</span></div></blockquote></div><br>
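The design in the message above (home-country senders may reach port 25 directly, everyone else is refused and falls over to an offshore MX 20 that scans and relays clean mail) depends on two details the post only mentions in passing: the relay host must be let through before the geoip rule, and the refusal should be a REJECT so remote MTAs move on at once. The following is an added example, not code from the original post or from the netfilter project. It generates an iptables-restore ruleset and checks that ordering invariant. The country code ZA, the relay address 198.51.100.10 (RFC 5737 documentation range) and the file name are hypothetical; it assumes an iptables build with the geoip match available.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits an iptables-restore
# ruleset for the "ZA-only direct SMTP, offshore MX 20 relays the rest" design
# and verifies the rule order before it is loaded.
# Hypothetical inputs: home country "ZA", relay 198.51.100.10 (RFC 5737 range).

gen_smtp_rules() {
    cc="$1"      # two-letter country code allowed to deliver directly
    relay="$2"   # IP of the secondary MX that relays scanned international mail
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The relay must be accepted BEFORE the geoip reject: it sits overseas, so
# the country check alone would refuse its forwarded clean mail too.
-A INPUT -p tcp -s ${relay} --dport 25 -j ACCEPT
-A INPUT -p tcp -m geoip --src-cc ${cc} --dport 25 -j ACCEPT
# REJECT rather than DROP: a refused connection makes the sending MTA move
# to the next MX immediately instead of waiting out a connect timeout.
-A INPUT -p tcp -m geoip ! --src-cc ${cc} --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Ordering check for any such ruleset read from stdin: exit status 0 only if a
# host-specific ACCEPT on port 25 appears before the geoip REJECT on port 25.
check_relay_before_reject() {
    awk '
        /-s [0-9.]+ --dport 25 -j ACCEPT/ && !a { a = NR }
        /-m geoip ! --src-cc [A-Z][A-Z] --dport 25 -j REJECT/ && !r { r = NR }
        END { exit !(a > 0 && r > 0 && a < r) }'
}

# Stand-alone use, e.g.:  sh geoip-smtp.sh ZA 198.51.100.10 | iptables-restore
rules="$(gen_smtp_rules "${1:-ZA}" "${2:-198.51.100.10}")"
printf '%s\n' "$rules" | check_relay_before_reject || { echo "unsafe rule order" >&2; exit 1; }
printf '%s\n' "$rules"
```

The ordering check is deliberately separate from the generator so it can be run over an existing ruleset (iptables-save output) on a box where the relay ACCEPT was added by hand later, which is exactly where it tends to end up below the REJECT.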
Replies:
Re: If your interested
-- Brian Micek
References:
If your interested
-- Brian Micek
Re: If your interested
-- RADDS Support Team
Re: If your interested
-- Craig
Re: If your interested
-- Brian Micek
Re: If your interested
-- Taka John Brunkhorst
Re: If your interested
-- Dave Strydom
Re: If your interested
-- Elisamuel Resto
Updated Jun 17, 2009