Does anyone have a grasp on what the geolocation data is for the iptables country code option?
Thanks,
Brian

On Mon, 2005-10-10 at 08:06 +0200, Dave Strydom wrote:
It's part of the iptables patch-o-matic

http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/

It's a little mission to install it, but it's worth it and makes blocking stuff a hell of a lot easier.


Download the latest patch-o-matic-ng-XXXXXX.tar.gz
add extensions to your /etc/make.conf USE flags

----------------------
cd /usr/src
tar -xvjpf iptables-1.3.2.tar.bz2
mv iptables-1.3.2 iptables
tar xfz patch-o-matic-ng-XXXXXX.tar.gz
cd patch-o-matic-ng
IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip
------------------------

Then recompile your kernel with the geoip support (it will be in your iptables section of the kernel at the bottom)
Reboot to use the new kernel

------------------------
cd /usr/src
mv iptables iptables-1.3.2
tar -cvjpf iptables-1.3.2.tar.bz2 iptables-1.3.2
mv iptables-1.3.2.tar.bz2 /usr/portage/distfiles/
cd /usr/portage/net-firewall/iptables
ebuild iptables-1.3.2.ebuild digest
emerge iptables
------------------------

And that's it. Some examples on how to use it can be found here:

http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html


I found this patch very VERY useful for our mail server. In South Africa, bandwidth is expensive.. very expensive. Be happy if you have a 10MB connection, since 64K of international bandwidth costs about R6000 ($950) per month (that's per 64K chunk of bandwidth). Local bandwidth is around R700 ($110) per 64K chunk.
So the problem we had was that all incoming mail from overseas was clogging up our international bandwidth, so by using this geoip patch I have this in my firewall:

$IPTABLES -A INPUT -p tcp -m geoip ! --src-cc ZA --dport 25 -j REJECT

In effect, this would stop any and all international mail servers outside of South Africa from connecting to mine.

So what happens to all international mail? well simple, you add two MX records (mail records) for each domain.

so like:

whatever.com         IN MX 10   smtp.whatever.com.
                            IN MX 20   smtp2.whatever.com.

Because all mail fails to connect to the MX 10, it will fall back onto the MX 20.

This way I am able to virus and spam scan all international mail overseas, and then I forward on only the clean messages (you can either open a hole in your firewall to allow this server to connect, or set up a VPN between them).

----------------------------------------------------------------------------------------



On 10/10/05, Elisamuel Resto <[EMAIL PROTECTED]> wrote:
I just wonder where this patch resides, and which version it applies to and such... I saw it in an earlier post but it got lost somewhere in my inbox. Anybody care to post it?

Thanks.


On 10/10/05, Dave Strydom <[EMAIL PROTECTED]> wrote:
I think there is an easier way of doing this...

Why not use the GEOIP IPTABLES patch and then just use this in your firewall:

-----------------------------------------------------------------------------------------
$IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP
$IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP
$IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP
$IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP
-----------------------------------------------------------------------------------------

This way you have 4 simple rules which do the work of that entire script.


On 10/10/05, Taka John Brunkhorst <[EMAIL PROTECTED]> wrote:
nice but why do we need to block them?
ssh worms? or just lamers?

--
[EMAIL PROTECTED]
Taka John Brunkhorst



