A heads-up warning on this script...
It is very good, BUT if you use non-standard ports
for anything, make sure you account for them
before you load this thing up.

Thanks Dave.

best wishes
  Tony White


On 17/07/2014 06:33, M wrote:
Corrected typo:

cp /etc/rc.d/firewall.ruleset /etc.rc.d/firewall.org

Should be

cp /etc/rc.d/firewall.ruleset /etc/rc.d/firewall.org



On 7/16/2014 1:02 PM, M wrote:
Hi list, recently I had a request for a VM for one of our qmailers.

Subsequently, after deployment, we found the VM to be compromised, so hackers 
got in before I could secure the qmail VM.

I rebuilt the VM, added "My" firewall rules, and sent it off again. No 
probs this time.
I was asked if they could share the firewall rules. No probs, but I looked for 
a way to block by country.

Here is what I found, and modified for our qmail needs (rules etc.).
Thanks go to the original script writer, I merely modified it.

Firewall script, so you can block specific countries, e.g. China (ISO cn), 
working as of July 16th 2014.

No offense meant to any countries listed here, for demo purposes only.

Do an ISO country code lookup for your needs.

Tested on qmail-Centos5, and qmail-Centos6.

Should work on other iptables-type firewalls.

Install & Setup.
* Backup your existing firewall script.
Centos5 qmail install (cp /etc/rc.d/firewall.ruleset /etc/rc.d/firewall.org)
Centos6 qmail install (cp /etc/sysconfig/iptables /etc/sysconfig/iptables.org)

Copy the script to your server and make it executable (chmod +x country_block.sh).
Edit the file, and modify it to your needs.
Specific areas:
ISO="af cn kr"
# Set the ports you need; these are set for a standard qmail
# install. Remove 3306 if you don't do database syncs.
ALLOWPORTS=22,25,80,110,143,443,465,587,993,995,3306
# Set your subnet
ALLOWSUBNET=192.168.0.0/255.255.0.0


Run the script:
./country_block.sh
Wait until complete.
Check it added the rules (iptables -L -n); you should see a whole bunch of 
"countrydrop" lines.

Centos 5 Qmail installs
Save iptables to your /etc/rc.d/firewall.ruleset:
/sbin/iptables-save > /etc/rc.d/firewall.ruleset

Stop and start the firewall:
firewall down
firewall up
Check again: iptables -L -n

Centos 6 Qmail installs
Save iptables to your /etc/sysconfig/iptables:
/sbin/iptables-save > /etc/sysconfig/iptables

Some say this may cause slowness on the email server; I have not found that to 
be the case.
Based on "My ruleset" (thousands of entries), I have been running the rules 
for years.

Dave M
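As an added example (this is not Dave's country_block.sh, which is not included in the thread), here is a small POSIX sh script that builds the same kind of rule set: a countrydrop chain, the ALLOWSUBNET accept and the ALLOWPORTS accept, followed by a default drop. It only prints the iptables commands so the result can be reviewed before it is loaded, and its port_allowed function is the check behind Tony's warning: a service listening on a port missing from ALLOWPORTS is caught by the final DROP rule. The chain layout, the function names and the CIDR ranges are assumptions made for the example; the ranges are documentation prefixes standing in for the per-country zone files a real run would download.

```shell
#!/bin/sh
# Added example, not the country_block.sh from the list post. It prints the
# iptables commands for a "countrydrop" rule set instead of executing them.
# ISO, ALLOWPORTS and ALLOWSUBNET follow the variable names used in the post.

ISO="cn kr"
ALLOWPORTS="22,25,80,110,143,443,465,587,993,995,3306"
ALLOWSUBNET="192.168.0.0/255.255.0.0"
CHAIN="countrydrop"

# Constructed stand-in for per-country zone files (documentation ranges only).
zones_for() {
    case "$1" in
        cn) printf '%s\n' 203.0.113.0/24 198.51.100.0/25 ;;
        kr) printf '%s\n' 192.0.2.0/24 ;;
        *)  echo "no zone list for country '$1'" >&2; return 1 ;;
    esac
}

# Exit status 0 if a TCP port is in ALLOWPORTS. This is the check Tony's
# warning is about: a port not listed here is dropped by the final rule.
port_allowed() {
    echo ",$ALLOWPORTS," | grep -q ",$1,"
}

# Emit the iptables commands in order. Nothing is executed here.
gen_rules() {
    echo "iptables -N $CHAIN"
    echo "iptables -F $CHAIN"
    for _c in $ISO; do
        zones_for "$_c" | while read -r _net; do
            echo "iptables -A $CHAIN -s $_net -j DROP"
        done
    done
    echo "iptables -A $CHAIN -j RETURN"
    # INPUT: loopback and trusted subnet first, then country drops,
    # then established traffic and the listed service ports, then drop.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -s $ALLOWSUBNET -j ACCEPT"
    echo "iptables -A INPUT -j $CHAIN"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports $ALLOWPORTS -j ACCEPT"
    echo "iptables -A INPUT -j DROP"
}

# Number of per-network DROP rules the chain would get; this is what the
# post's "iptables -L -n" sanity check counts as countrydrop lines.
count_drops() {
    gen_rules | grep -c " -A $CHAIN -s "
}

if [ "${1:-}" = "--print" ]; then
    gen_rules
fi
```

Run it with `--print` to see the commands it would issue; before loading anything, check each non-standard service port with port_allowed, because only the ports in ALLOWPORTS survive the final DROP.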
