List Archive: gentoo-security
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2">
</HEAD>
<BODY>
Does anyone have a grasp on what the geolocation data is for the iptables country code option?<BR>
Thanks,<BR>
Brian <BR>
<BR>
On Mon, 2005-10-10 at 08:06 +0200, Dave Strydom wrote:<BR>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">It's part of the iptables patch-o-matic</FONT><BR>
<BR>
<FONT COLOR="#000000"><A HREF="http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/">http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/</A></FONT><BR>
<BR>
<FONT COLOR="#000000">It's a little mission to install it, but it's worth it and makes blocking stuff a hell of a lot easier.</FONT><BR>
<BR>
<BR>
<FONT COLOR="#000000">download the latest patch-o-matic-ng-XXXXXX.tar.gz</FONT><BR>
<FONT COLOR="#000000">add extensions to your /etc/make.conf USE flags</FONT><BR>
<BR>
<FONT COLOR="#000000">----------------------</FONT><BR>
<FONT COLOR="#000000">cd /usr/src</FONT><BR>
<FONT COLOR="#000000">tar -xvjpf iptables-1.3.2.tar.bz2</FONT><BR>
<FONT COLOR="#000000">mv iptables-1.3.2 iptables</FONT><BR>
<FONT COLOR="#000000">tar xfz patch-o-matic-ng-XXXXXX.tar.gz</FONT><BR>
<FONT COLOR="#000000">cd patch-o-matic-ng</FONT><BR>
<FONT COLOR="#000000">IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip</FONT><BR>
<FONT COLOR="#000000">------------------------</FONT><BR>
<BR>
<FONT COLOR="#000000">Then recompile your kernel with the geoip support (it will be in your iptables section of the kernel at the bottom)</FONT><BR>
<FONT COLOR="#000000">Reboot to use the new kernel</FONT><BR>
<BR>
<FONT COLOR="#000000">------------------------</FONT><BR>
<FONT COLOR="#000000">cd /usr/src</FONT><BR>
<FONT COLOR="#000000">mv iptables iptables-1.3.2</FONT><BR>
<FONT COLOR="#000000">tar -cvjpf iptables-1.3.2.tar.bz2 iptables-1.3.2</FONT><BR>
<FONT COLOR="#000000">mv iptables-1.3.2.tar.bz2 /usr/portage/distfiles/</FONT><BR>
<FONT COLOR="#000000">cd /usr/portage/net-firewall/iptables</FONT><BR>
<FONT COLOR="#000000">ebuild iptables-1.3.2.ebuild digest</FONT><BR>
<FONT COLOR="#000000">emerge iptables</FONT><BR>
<FONT COLOR="#000000">------------------------</FONT><BR>
<BR>
<FONT COLOR="#000000">And that's it. Some examples on how to use it can be found here:</FONT><BR>
<BR>
<FONT COLOR="#000000"><A HREF="http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html">http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html</A></FONT><BR>
<BR>
<BR>
<FONT COLOR="#000000">I found this patch very VERY useful for our mail server. In South Africa, bandwidth is expensive... very expensive; be happy if you have a 10MB connection, since 64K international bandwidth costs about R6000 ($950) per month (that's per 64K chunk of bandwidth). Local bandwidth is around R700 ($110) per 64K chunk.</FONT><BR>
<FONT COLOR="#000000">So the problem we had was that all incoming mail from overseas was clogging up our international bandwidth, so by using this geoip patch I have this in my firewall:</FONT><BR>
<BR>
<FONT COLOR="#000000">$IPTABLES -A INPUT -p tcp -m geoip ! --src-cc ZA --dport 25 -j REJECT</FONT><BR>
<BR>
<FONT COLOR="#000000">In effect, this would stop any and all international mail servers outside of South Africa from connecting to mine.</FONT><BR>
<BR>
<FONT COLOR="#000000">So what happens to all international mail? Well, simple: you add two MX records (mail records) for each domain.</FONT><BR>
<BR>
<FONT COLOR="#000000">so like:</FONT><BR>
<BR>
<FONT COLOR="#000000"><A HREF="http://whatever.com">whatever.com</A> IN MX 10 <A HREF="http://smtp.whatever.com">smtp.whatever.com</A>.</FONT><BR>
<FONT COLOR="#000000"> IN MX 20 <A HREF="http://smtp2.whatever.com">smtp2.whatever.com</A>.</FONT><BR>
<BR>
<FONT COLOR="#000000">Because all mail fails to connect to the MX 10, it will fall back onto the MX 20.</FONT><BR>
<BR>
<FONT COLOR="#000000">This way I am about to virus and spam scan all international mail overseas, and then I forward on only the clean messages (you can either open a hole in your firewall to allow this server to connect, or set up a VPN between them)</FONT><BR>
<BR>
<FONT COLOR="#000000">----------------------------------------------------------------------------------------</FONT><BR>
<BR>
<BR>
<BR>
<FONT COLOR="#000000">On 10/10/05, </FONT><FONT COLOR="#000000"><B>Elisamuel Resto</B></FONT><FONT COLOR="#000000"> <<A HREF="mailto:user00265@...">user00265@...</A>> wrote:</FONT><BR>
<BLOCKQUOTE>
<FONT COLOR="#000000">I just wonder where this patch resides? And for which version it applies and such... I saw it in an earlier post but it got lost somewhere in my inbox. Anybody care to post it?</FONT><BR>
<BR>
<FONT COLOR="#000000">Thanks.</FONT><BR>
<BR>
<BR>
<FONT COLOR="#000000">On 10/10/05, </FONT><FONT COLOR="#000000"><B>Dave Strydom</B></FONT><FONT COLOR="#000000"> <<A HREF="mailto:strydom.dave@...">strydom.dave@...</A>> wrote:</FONT><BR>
<BLOCKQUOTE>
<FONT COLOR="#000000">I think there is an easier way of doing this...</FONT><BR>
<BR>
<FONT COLOR="#000000">Why not use the GEOIP IPTABLES patch and then just use this in your firewall:</FONT><BR>
<BR>
<FONT COLOR="#000000">-----------------------------------------------------------------------------------------</FONT><BR>
<FONT COLOR="#000000">$IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP</FONT><BR>
<FONT COLOR="#000000">$IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP</FONT><BR>
<FONT COLOR="#000000">$IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP</FONT><BR>
<FONT COLOR="#000000">$IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP</FONT><BR>
<FONT COLOR="#000000">-----------------------------------------------------------------------------------------</FONT><BR>
<BR>
<FONT COLOR="#000000">This way you have 4 simple rules which do the work of that entire script.</FONT><BR>
<BR>
<BR>
<FONT COLOR="#000000">On 10/10/05, </FONT><FONT COLOR="#000000"><B>Taka John Brunkhorst</B></FONT><FONT COLOR="#000000"> <<A HREF="mailto:antiwmac@...">antiwmac@...</A>> wrote:</FONT><BR>
<BLOCKQUOTE>
<FONT COLOR="#000000">nice but why do we need to block them?</FONT><BR>
<FONT COLOR="#000000">ssh worms? or just lamers?</FONT><BR>
<BR>
<FONT COLOR="#000000">-- </FONT><BR>
<FONT COLOR="#000000"><A HREF="mailto:antiwmac@...">antiwmac@...</A></FONT><BR>
<FONT COLOR="#000000">Taka John Brunkhorst</FONT><BR>
</BLOCKQUOTE>
<BR>
</BLOCKQUOTE>
<BR>
<BR>
</BLOCKQUOTE>
<BR>
</BLOCKQUOTE>
</BODY>
</HTML>
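The rule ordering behind the MX 10 / MX 20 design described in the thread, as an added example that is not part of the original posts: the ACCEPT for the overseas relay has to precede the geoip REJECT, or the relay's forwarded mail is rejected too. The function names and the relay address 192.0.2.25 (a documentation address) are assumptions; the script only prints the rules and applies nothing.

```shell
#!/bin/sh
# Added example (not from the thread): print, in evaluation order, the port-25
# rules for "local senders connect directly, everyone else goes via MX 20".
LC_ALL=C; export LC_ALL            # keep [A-Z] from matching lower case
IPTABLES=${IPTABLES:-iptables}

# A country code for --src-cc must be exactly two upper-case letters.
valid_cc() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
        *) return 1 ;;
    esac
}

# Dotted-quad check for the relay address (IPv4 assumed).
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# mx_rules HOME_CC RELAY_IP
# Rules are evaluated top to bottom and ACCEPT/REJECT end the traversal, so
# the relay (which sits outside HOME_CC) must be accepted before the geoip
# match rejects every other foreign source on port 25.
mx_rules() {
    home_cc=$1
    relay_ip=$2
    valid_cc "$home_cc" || { echo "bad country code: $home_cc" >&2; return 2; }
    valid_ipv4 "$relay_ip" || { echo "bad relay address: $relay_ip" >&2; return 2; }
    echo "$IPTABLES -A INPUT -p tcp -s $relay_ip --dport 25 -j ACCEPT"
    echo "$IPTABLES -A INPUT -p tcp -m geoip ! --src-cc $home_cc --dport 25 -j REJECT"
}

# Constructed sample: ZA as in the thread, 192.0.2.25 standing in for smtp2.
mx_rules ZA 192.0.2.25
```

After loading the real rules, `iptables -L INPUT -n --line-numbers` shows whether the relay's ACCEPT actually sits above the geoip REJECT.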