It's part of the iptables patch-o-matic

http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/

It's a little mission to install it, but it's worth it and makes blocking
stuff a hell of a lot easier.


download the latest patch-o-matic-ng-XXXXXX.tar.gz
add extensions to your /etc/make.conf USE flags

----------------------
cd /usr/src
tar -xvjpf iptables-1.3.2.tar.bz2
mv iptables-1.3.2 iptables
tar xfz patch-o-matic-ng-XXXXXX.tar.gz
cd patch-o-matic-ng
IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip
------------------------

Then recompile your kernel with the geoip support (it will be in your
iptables section of the kernel at the bottom)
Reboot to use the new kernel

------------------------
cd /usr/src
mv iptables iptables-1.3.2
tar -cvjpf iptables-1.3.2.tar.bz2 iptables-1.3.2
mv iptables-1.3.2.tar.bz2 /usr/portage/distfiles/
cd /usr/portage/net-firewall/iptables
ebuild iptables-1.3.2.ebuild digest
emerge iptables
------------------------

and that's it, some examples on how to use it can be found here:

http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html


I found this patch very VERY useful for our mail server. In South Africa,
bandwidth is expensive.. very expensive; be happy if you have a 10MB
connection, since 64K international bandwidth costs about R6000 ($950)
per month (that's per 64K chunk of bandwidth). Local bandwidth is around R700
($110) per 64K chunk.
So the problem we had was that all incoming mail from overseas was clogging
up our international bandwidth, so by using this geoip patch I have this in
my firewall:

$IPTABLES -A INPUT -p tcp -m geoip ! --src-cc ZA --dport 25 -j REJECT

In effect, this would stop any and all international mail servers outside of
South Africa from connecting to mine.

So what happens to all international mail? Well, simple: you add two MX
records (mail records) for each domain.

So like:

whatever.com    IN MX 10 smtp.whatever.com.
                IN MX 20 smtp2.whatever.com.

Because all mail fails to connect to the MX 10, it will fall back onto the MX
20.

This way I am able to virus and spam scan all international mail overseas,
and then I forward on only the clean messages (you can either open a hole in
your firewall to allow this server to connect, or set up a VPN between them)

----------------------------------------------------------------------------------------
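An added example, not part of this post or of the netfilter project: a small script that emits the INPUT rules the setup above needs, with the "hole" for the overseas scanning relay placed before the geoip REJECT so the relay can deliver the cleaned mail. RELAY_IP (a TEST-NET placeholder) and HOME_CC are assumed names; without --apply the script only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the SMTP INPUT rules described
# in the post: allow the overseas MX 20 relay in, then reject port 25 from
# every source outside the home country via the geoip match.
# Assumed placeholders: RELAY_IP is the overseas scanner's address
# (192.0.2.25 is a TEST-NET-1 value, not a real host), HOME_CC the local
# country code.

HOME_CC="${HOME_CC:-ZA}"
RELAY_IP="${RELAY_IP:-192.0.2.25}"

# Emit one iptables command per line, in load order. INPUT is evaluated top
# down, so the relay's ACCEPT must come before the geoip REJECT; reversed,
# the relay would be locked out together with every other non-$HOME_CC host.
geoip_smtp_rules() {
    printf 'iptables -A INPUT -p tcp -s %s --dport 25 -j ACCEPT\n' "$RELAY_IP"
    printf 'iptables -A INPUT -p tcp -m geoip ! --src-cc %s --dport 25 -j REJECT\n' "$HOME_CC"
}

# Sanity check: succeed only if the relay ACCEPT precedes the geoip REJECT.
rules_are_ordered() {
    accept_line=$(geoip_smtp_rules | grep -n -- "-s $RELAY_IP" | cut -d: -f1)
    reject_line=$(geoip_smtp_rules | grep -n -- '-m geoip' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && \
        [ "$accept_line" -lt "$reject_line" ]
}

# Dry run by default; load the rules only when asked and only if ordered.
if [ "$1" = "--apply" ]; then
    rules_are_ordered || { echo "refusing: rules out of order" >&2; exit 1; }
    geoip_smtp_rules | while IFS= read -r cmd; do $cmd; done
else
    geoip_smtp_rules
fi
```

After loading, `iptables -L INPUT -n --line-numbers` shows the ACCEPT for the relay sitting above the geoip REJECT, which is the order to confirm before trusting the fallback path.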



On 10/10/05, Elisamuel Resto <user00265@×××××.com> wrote:
>
> I just wonder where this patch resides? and for which version
> it applies and such... I saw it in an earlier post but it got lost somewhere
> in my inbox. Anybody care to post it?
>
> Thanks.
>
> On 10/10/05, Dave Strydom <strydom.dave@×××××.com> wrote:
> >
> > I think there is an easier way of doing this...
> >
> > Why not use the GEOIP IPTABLES patch and then just use this in your
> > firewall:
> >
> >
> > -----------------------------------------------------------------------------------------
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP
> > $IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP
> >
> > -----------------------------------------------------------------------------------------
> >
> > This way you have 4 simple rules which do the work of that entire
> > script.
> >
> >
> > On 10/10/05, Taka John Brunkhorst <antiwmac@×××××.com> wrote:
> > >
> > > nice but why do we need to block them?
> > > ssh worms? or just lamers?
> > >
> > > --
> > > antiwmac@×××××.com
> > > Taka John Brunkhorst
> >
> >
> >
>