Gentoo Archives: gentoo-security

From: Brian Micek <bmicek@×××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] If your interested
Date: Mon, 10 Oct 2005 06:52:40
Message-Id: 1128926851.25181.75.camel@localhost.localdomain
In Reply to: Re: [gentoo-security] If your interested by Dave Strydom
Does anyone have a grasp on what the geolocation data is for the
iptables country code option?
Thanks,
Brian

On Mon, 2005-10-10 at 08:06 +0200, Dave Strydom wrote:

> It's part of the iptables patch-o-matic
>
> http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
>
> It's a little mission to install it, but it's worth it and makes
> blocking stuff a hell of a lot easier.
>
>
> download the latest patch-o-matic-ng-XXXXXX.tar.gz
> add extensions to your /etc/make.conf USE flags
>
> ----------------------
> cd /usr/src
> tar -xvjpf iptables-1.3.2.tar.bz2
> mv iptables-1.3.2 iptables
> tar xfz patch-o-matic-ng-XXXXXX.tar.gz
> cd patch-o-matic-ng
> IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip
> ------------------------
>
> Then recompile your kernel with the geoip support (it will be in your
> iptables section of the kernel at the bottom)
> Reboot to use the new kernel
>
> ------------------------
> cd /usr/src
> mv iptables iptables-1.3.2
> tar -cvjpf iptables-1.3.2.tar.bz2 iptables-1.3.2
> mv iptables-1.3.2.tar.bz2 /usr/portage/distfiles/
> cd /usr/portage/net-firewall/iptables
> ebuild iptables-1.3.2.ebuild digest
> emerge iptables
> ------------------------
>
> and that's it, some examples on how to use it can be found here:
>
> http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html
>
>
> I found this patch very VERY useful for our mail server, in South
> Africa, bandwidth is expensive.. very expensive, be happy if you have
> a 10MB connection, since 64K international bandwidth costs about R6000
> ($950) per month (that's per 64K chunk of bandwidth). Local bandwidth is
> around R700 ($110) per 64K chunk.
> So the problem we had was that all incoming mail from overseas was
> clogging up our international bandwidth, so by using this geoip patch
> I have this in my firewall:
>
> $IPTABLES -A INPUT -p tcp -m geoip ! --src-cc ZA --dport 25 -j REJECT
>
> In effect, this would stop any and all international mail servers
> outside of South Africa from connecting to mine.
>
> So what happens to all international mail? Well simple, you add two MX
> records (mail records) for each domain.
>
> so like:
>
> whatever.com IN MX 10 smtp.whatever.com.
>              IN MX 20 smtp2.whatever.com.
>
> Because all mail fails to connect to the MX 10, it will fall back onto
> the MX 20.
>
> This way I am able to virus and spam scan all international mail
> overseas, and then I forward on only the clean messages (you can
> either open a hole in your firewall to allow this server to connect,
> or set up a VPN between them)
>
> ----------------------------------------------------------------------------------------
>
>
> On 10/10/05, Elisamuel Resto <user00265@×××××.com> wrote:
>
> I just wonder where this patch resides? and for which version
> it applies and such... I saw it in an earlier post
> but it got lost somewhere in my inbox. Anybody care to post
> it?
>
> Thanks.
>
>
> On 10/10/05, Dave Strydom <strydom.dave@×××××.com> wrote:
>
> I think there is an easier way of doing this...
>
> Why not use the GEOIP IPTABLES patch and then just use
> this in your firewall:
>
> -----------------------------------------------------------------------------------------
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP
> -----------------------------------------------------------------------------------------
>
> This way you have 4 simple rules which do the work of
> that entire script.
>
>
> On 10/10/05, Taka John Brunkhorst <antiwmac@×××××.com>
> wrote:
>
> nice but why do we need to block them?
> ssh worms? or just lamers?
>
> --
> antiwmac@×××××.com
> Taka John Brunkhorst
>
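The two rulesets quoted in this thread (Dave's single `! --src-cc ZA --dport 25 -j REJECT` rule with a hole for the overseas scanning relay, and the earlier four-country DROP list) both depend on iptables' first-match semantics and on how the geoip match treats addresses the database does not know. The following is an added illustration written for this archive page, not code from the thread or from the netfilter geoip patch: a small Python model of those chains that evaluates constructed packets against constructed country prefixes. The country table maps RFC 5737 documentation ranges to country codes arbitrarily (real lookups use the geoip database), the relay address `203.0.113.10` is invented, and the model assumes that an address absent from the database belongs to no country, so it never matches `--src-cc X` and always matches `! --src-cc X`; check that assumption against the geoip build you actually run.

```python
"""Model of the geoip-based iptables chains discussed in the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed country table: RFC 5737 documentation prefixes assigned to
# country codes arbitrarily for this example. Not real allocations.
COUNTRY_TABLE = {
    "ZA": ("192.0.2.0/24",),
    "CN": ("198.51.100.0/25",),
    "KR": ("198.51.100.128/25",),
    "US": ("203.0.113.0/24",),
}


def country_of(ip: str) -> Optional[str]:
    """Return the country code for ip, or None if the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for cc, prefixes in COUNTRY_TABLE.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return cc
    return None


@dataclass
class Packet:
    src: str      # source address as a string
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass
class Rule:
    """One rule: -p PROTO [-s SRC] [-m geoip [!] --src-cc CC,...] [--dport N] -j TARGET."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None       # -s prefix (used for the relay hole)
    src_cc: tuple = ()              # --src-cc list
    negate_cc: bool = False         # leading "!" on --src-cc
    dport: Optional[int] = None     # --dport

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src_cc:
            # Modelling assumption: an address with no database entry is in no
            # country, so it fails --src-cc X and satisfies ! --src-cc X.
            in_list = country_of(pkt.src) in self.src_cc
            if in_list == self.negate_cc:
                return False
        return True


def evaluate(chain, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in an iptables chain; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Dave's mail-server chain: the overseas scanning relay (the "hole in your
# firewall") is accepted explicitly BEFORE the REJECT, or the relay itself
# is locked out along with every other non-ZA sender.
RELAY = "203.0.113.10/32"   # constructed address for the MX 20 host
MAIL_CHAIN = [
    Rule("ACCEPT", proto="tcp", src=RELAY, dport=25),
    Rule("REJECT", proto="tcp", src_cc=("ZA",), negate_cc=True, dport=25),
]

# The four-rule DROP list from the earlier message, as one chain.
BLOCKLIST_CHAIN = [Rule("DROP", proto="tcp", src_cc=(cc,)) for cc in ("CN", "KR", "TW", "HK")]


if __name__ == "__main__":
    samples = [
        Packet("192.0.2.5", "tcp", 25),       # local (ZA) sender
        Packet("198.51.100.7", "tcp", 25),    # overseas sender
        Packet("203.0.113.10", "tcp", 25),    # the scanning relay
        Packet("10.0.0.1", "tcp", 25),        # unknown to the database
    ]
    for pkt in samples:
        print(pkt.src, country_of(pkt.src), evaluate(MAIL_CHAIN, pkt))
```

The last sample is the case worth checking on a real box: with the negated match, a source the database cannot place is rejected exactly like a foreign one, which is the intended effect for port 25 here but can surprise you if the same pattern is applied to services that legitimately receive traffic from unallocated or newly assigned ranges. Dropping the first rule (`MAIL_CHAIN[1:]`) shows why the relay hole has to precede the REJECT.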

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-security] If your interested Tobias Sager <moixa@×××.ch>