| 1 |
It's part of the iptables patch-o-matic |
| 2 |
|
| 3 |
http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ |
| 4 |
|
| 5 |
It's a little mission to install it, but it's worth it and makes blocking |
| 6 |
stuff a hell of a lot eaiser. |
| 7 |
|
| 8 |
|
| 9 |
download the latest patch-o-matic-ng-XXXXXX.tar.gz |
| 10 |
add extensions to your /etc/make.conf USE flags |
| 11 |
|
| 12 |
---------------------- |
| 13 |
cd /usr/src |
| 14 |
tar -xvjpf iptables-1.3.2.tar.bz2 |
| 15 |
mv iptables-1.3.2 iptables |
| 16 |
tar xfz patch-o-matic-ng-XXXXXX.tar.gz |
| 17 |
cd patch-o-matic-ng |
| 18 |
IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip |
| 19 |
------------------------ |
| 20 |
|
| 21 |
Then recompile your kernel with the geoip support (it will be in your |
| 22 |
iptables section of the kernel at the bottom) |
| 23 |
Reboot to use the new kernel |
| 24 |
|
| 25 |
------------------------ |
| 26 |
cd /usr/src |
| 27 |
mv iptables iptables-1.3.2 |
| 28 |
tar -cvjpf iptables-1.3.2.tar.bz2 iptables-1.3.2 |
| 29 |
mv iptables-1.3.2.tar.bz2 /usr/portage/distfiles/ |
| 30 |
cd /usr/portage/net-firewall/iptables |
| 31 |
ebuild iptables-1.3.2.ebuild digest |
| 32 |
emerge iptables |
| 33 |
------------------------ |
| 34 |
|
| 35 |
and thats it, some examples on how to use it can be found here: |
| 36 |
|
| 37 |
http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html |
| 38 |
|
| 39 |
|
| 40 |
I found this patch very VERY useful for our mail server, in South Africa, |
| 41 |
bandwidth is expensive.. very expensive, by happy if you have a 10MB |
| 42 |
connection, since 64K international bandwidth costs about R6000 ($950) |
| 43 |
per/month (thats per 64K chuck of bandwidth) Local bandwidth is around R700 |
| 44 |
($110) per 64K chunk. |
| 45 |
So the problem we had was that all incoming mail from overseas was clogging |
| 46 |
up our international bandwidth, so by using this geoip patch i have this in |
| 47 |
my firewall: |
| 48 |
|
| 49 |
$IPTABLES -A INPUT -p tcp -m geoip ! --src-cc ZA --dport 25 -j REJECT |
| 50 |
|
| 51 |
In effect, this would stop any and all international mail servers outside of |
| 52 |
south africa from connecting to mine. |
| 53 |
|
| 54 |
So what happens to all international mail? well simple, you add two MX |
| 55 |
records (mail records) for each domain. |
| 56 |
|
| 57 |
so like: |
| 58 |
|
| 59 |
whatever.com <http://whatever.com> IN MX 10 |
| 60 |
smtp.whatever.com<http://smtp.whatever.com> |
| 61 |
. |
| 62 |
IN MX 20 smtp2.whatever.com <http://smtp2.whatever.com>. |
| 63 |
|
| 64 |
Because all mail fails to connect to the MX 10, it will fallback onto the MX |
| 65 |
20. |
| 66 |
|
| 67 |
This way i am about to virus and spam scan all international mail overseas, |
| 68 |
and then I forward on only the clean messages (you can either open a hole in |
| 69 |
your firewall to allow this server to connect, or setup a vpn between them) |
| 70 |
|
| 71 |
---------------------------------------------------------------------------------------- |
| 72 |
|
| 73 |
|
| 74 |
|
| 75 |
On 10/10/05, Elisamuel Resto <user00265@×××××.com> wrote: |
| 76 |
> |
| 77 |
> I just wonder where this patch resides? and for which version what version |
| 78 |
> it applies and such... I saw it in a earlier post but it got lost somewhere |
| 79 |
> in my inbox. Anybody care to post it? |
| 80 |
> |
| 81 |
> Thanks. |
| 82 |
> |
| 83 |
> On 10/10/05, Dave Strydom <strydom.dave@×××××.com> wrote: |
| 84 |
> > |
| 85 |
> > I think there is an easier way of doing this... |
| 86 |
> > |
| 87 |
> > Why not use the GEOIP IPTABLES patch and then just use this in your |
| 88 |
> > firewall: |
| 89 |
> > |
| 90 |
> > |
| 91 |
> > ----------------------------------------------------------------------------------------- |
| 92 |
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP |
| 93 |
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP |
| 94 |
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP |
| 95 |
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP |
| 96 |
> > |
| 97 |
> > ----------------------------------------------------------------------------------------- |
| 98 |
> > |
| 99 |
> > This way you have 4 simple rules which do the work of that entire |
| 100 |
> > script. |
| 101 |
> > |
| 102 |
> > |
| 103 |
> > On 10/10/05, Taka John Brunkhorst <antiwmac@×××××.com > wrote: |
| 104 |
> > > |
| 105 |
> > > nice but why do we need to block them? |
| 106 |
> > > ssh worms? or just lamers? |
| 107 |
> > > |
| 108 |
> > > -- |
| 109 |
> > > antiwmac@×××××.com |
| 110 |
> > > Taka John Brunkhorst |
| 111 |
> > |
| 112 |
> > |
| 113 |
> > |
| 114 |
> |
Archives