Does anyone have a grasp on what the geolocation data is for the
iptables country code option?
Thanks,
Brian

On Mon, 2005-10-10 at 08:06 +0200, Dave Strydom wrote:

> It's part of the iptables patch-o-matic
>
> http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
>
> It's a little mission to install it, but it's worth it and makes
> blocking stuff a hell of a lot easier.
>
>
> download the latest patch-o-matic-ng-XXXXXX.tar.gz
> add extensions to your /etc/make.conf USE flags
>
> ----------------------
> cd /usr/src
> tar -xvjpf iptables-1.3.2.tar.bz2
> mv iptables-1.3.2 iptables
> tar xfz patch-o-matic-ng-XXXXXX.tar.gz
> cd patch-o-matic-ng
> IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip
> ------------------------
>
> Then recompile your kernel with the geoip support (it will be in your
> iptables section of the kernel at the bottom)
> Reboot to use the new kernel
>
> ------------------------
> cd /usr/src
> mv iptables iptables-1.3.2
> tar -cvjpf iptables-1.3.2.tar.bz2 iptables-1.3.2
> mv iptables-1.3.2.tar.bz2 /usr/portage/distfiles/
> cd /usr/portage/net-firewall/iptables
> ebuild iptables-1.3.2.ebuild digest
> emerge iptables
> ------------------------
>
> and that's it, some examples on how to use it can be found here:
>
> http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html
>
>
> I found this patch very VERY useful for our mail server, in South
> Africa, bandwidth is expensive.. very expensive, be happy if you have
> a 10MB connection, since 64K international bandwidth costs about R6000
> ($950) per/month (that's per 64K chunk of bandwidth) Local bandwidth is
> around R700 ($110) per 64K chunk.
> So the problem we had was that all incoming mail from overseas was
> clogging up our international bandwidth, so by using this geoip patch
> I have this in my firewall:
>
> $IPTABLES -A INPUT -p tcp -m geoip ! --src-cc ZA --dport 25 -j REJECT
>
> In effect, this would stop any and all international mail servers
> outside of South Africa from connecting to mine.
>
> So what happens to all international mail? well simple, you add two MX
> records (mail records) for each domain.
>
> so like:
>
> whatever.com IN MX 10 smtp.whatever.com.
>              IN MX 20 smtp2.whatever.com.
>
> Because all mail fails to connect to the MX 10, it will fall back onto
> the MX 20.
>
> This way I am able to virus and spam scan all international mail
> overseas, and then I forward on only the clean messages (you can
> either open a hole in your firewall to allow this server to connect,
> or setup a vpn between them)
>
> ----------------------------------------------------------------------------------------
>
>
>
81 |
> On 10/10/05, Elisamuel Resto <user00265@×××××.com> wrote: |
82 |
> |
83 |
> I just wonder where this patch resides? and for which version |
84 |
> what version it applies and such... I saw it in a earlier post |
85 |
> but it got lost somewhere in my inbox. Anybody care to post |
86 |
> it? |
87 |
> |
88 |
> Thanks. |
89 |
> |
90 |
> |
91 |
> On 10/10/05, Dave Strydom <strydom.dave@×××××.com> wrote: |
92 |
> |
93 |
> I think there is an easier way of doing this... |
94 |
> |
95 |
> Why not use the GEOIP IPTABLES patch and then just use |
96 |
> this in your firewall: |
97 |
> |
98 |
> ----------------------------------------------------------------------------------------- |
99 |
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP |
100 |
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP |
101 |
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP |
102 |
> $IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP |
103 |
> ----------------------------------------------------------------------------------------- |
104 |
> |
105 |
> This way you have 4 simple rules which do the work of |
106 |
> that entire script. |
107 |
> |
108 |
> |
109 |
> On 10/10/05, Taka John Brunkhorst <antiwmac@×××××.com> |
110 |
> wrote: |
111 |
> |
112 |
> nice but why do we need to block them? |
113 |
> ssh worms? or just lamers? |
114 |
> |
115 |
> -- |
116 |
> antiwmac@×××××.com |
117 |
> Taka John Brunkhorst |
118 |
> |
119 |
> |
120 |
> |
121 |
> |
122 |
> |
123 |
> |
124 |
> |