Look up "geofence" and see if you can get any good results for what you're trying to achieve. I am doing things at two different levels: the firewall, and the MTA (postfix).
1/ At the firewall level

With shorewall, it's as simple as giving the country codes (US, CN, FR, CA...) you want to let in or block. My firewall's policy is to deny all access from outside except for what I explicitly authorize in the rules. The policy file looks like this:

    $FW net ACCEPT
    net $FW DROP INFO

Which reads: from firewall to internet: accept all. From internet to firewall: drop and log. Now I can put the exceptions in the rules file:

    #ACTION SOURCE              DEST PROTO DEST PORTS
    ?SECTION NEW
    ACCEPT  net:192.168.0.0/16  $FW  all
    ACCEPT  net:172.16.0.0/12   $FW  all
    ACCEPT  net:10.10.10.0/24   $FW  all
    ACCEPT  net:^[DZ,US,TN]     $FW  all
    ACCEPT  net                 $FW  tcp   $sshport,25,80,443

Which reads: lines 1-3 create an exception for incoming connections from the LAN; line 4 creates an exception for countries DZ, US, TN; the last line is an exception for SMTP, HTTP and HTTPS.

For this geofence to work you need:

1- a specific kernel module that allows iptables to use geoip for its filtering capabilities
2- to download the database of IPs (a provided tool does that for you, but it might not work)

The detailed procedure is explained in this page from my personal wiki: https://ychaouche.informatick.net/shorewallcountrybasedacls

2/ At the postfix level

I have a specific map to reject senders, which contains qq.com and another domain:

    root@messagerie[10.10.10.19] ~ # cat /etc/postfix/maps/reject_senders
    qq.com REJECT
    uscourtsgov.com REJECT
    root@messagerie[10.10.10.19] ~ #

This map file is given to the smtpd_sender_restrictions configuration option, with check_sender_access as the configured restriction, like so:

    root@messagerie[10.10.10.19] ~ # grep /etc/postfix/maps/reject_senders /etc/postfix/main.cf
    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/maps/reject_senders
    root@messagerie[10.10.10.19] ~ #

Yasine.
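Added example, not from the original post: a Python model of the key order that Postfix's access(5) documents for a `hash:` table used with `check_sender_access`, run against the two map entries above with constructed envelope sender addresses. The function names and the `parent_matches_subdomains` switch (standing in for `smtpd_access_maps` being listed in `parent_domain_matches_subdomains`, the Postfix default) are assumptions of this example.

```python
# Added example: models the lookup-key order from Postfix access(5) for
# indexed (hash:) tables. Address extensions (user+tag@) are not modeled.

# The two entries shown in the post's /etc/postfix/maps/reject_senders.
REJECT_SENDERS = {"qq.com": "REJECT", "uscourtsgov.com": "REJECT"}


def lookup_keys(sender, parent_matches_subdomains=True):
    """Return the keys tried for an envelope sender (MAIL FROM), in order."""
    sender = sender.strip().lower()          # lookup keys are case-folded
    local, sep, domain = sender.rpartition("@")
    if not sep or not local or not domain:
        return [sender]                      # no usable domain part
    keys = [sender, domain]                  # user@domain, then domain.tld
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # Default: a bare parent-domain key also matches subdomains.
        # Otherwise only a ".domain.tld" key matches them.
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(local + "@")                 # user@ matches any domain
    return keys


def check_sender_access(sender, table=REJECT_SENDERS,
                        parent_matches_subdomains=True):
    """Return (matched_key, action); no match is reported as DUNNO."""
    for key in lookup_keys(sender, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


if __name__ == "__main__":
    # Constructed sample senders, not taken from real mail logs.
    samples = ["Bob@QQ.com", "news@mail.qq.com",
               "a@notqq.com", "admin@uscourtsgov.com"]
    for s in samples:
        print(f"{s:24} -> {check_sender_access(s)}")
    # Same subdomain sender when bare keys do not cover subdomains.
    print(check_sender_access("news@mail.qq.com",
                              parent_matches_subdomains=False))
```

The restriction is evaluated against the SMTP envelope sender, not the `From:` header, and a `hash:` map has to be rebuilt with `postmap` after each edit before Postfix sees the change.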
