Correct as per my note, I also have non standard ports for ssh etc. "Edit file, and modify to your needs."
From: Tony White
Sent: Thursday, July 17, 2014 4:55 AM
To: [email protected]
Subject: Re: [qmailtoaster] Re: Firewall

A Heads Up warning on this script... It is very good BUT if you use non standard ports for anything make sure you account for them before you load this thing up.

Thanks Dave.

best wishes
Tony White

On 17/07/2014 06:33, M wrote:

corrected typo
cp /etc/rc.d/firewall.ruleset /etc.rc.d/firewall.org
Should be
cp /etc/rc.d/firewall.ruleset /etc/rc.d/firewall.org

On 7/16/2014 1:02 PM, M wrote:

Hi list,

recently I had a request for a VM for one of our qmailers. Subsequently, after deployment, we found the VM to be compromised, so hackers got in before I could secure the qmail VM. I rebuilt the VM, added "My" firewall rules, and sent it off again. No probs this time.

I was asked if they could share the firewall rules. No probs, but I looked for a way to block by country. Here is what I found, and modified for our qmail needs (rules etc). Thanks go to the original script writer, I merely modified it.

Firewall script, so you can block specific countries, eg China (ISO cn), working as of July 16th 2014.
***No offense meant to any countries listed here, for demo purposes only***
Do an ISO country code lookup for your needs.

Tested on qmail-Centos5 and qmail-Centos6. Should work on other iptables type firewalls.

Install & Setup.

*** Backup your existing firewall script. ***
Centos5 qmail install: cp /etc/rc.d/firewall.ruleset /etc.rc.d/firewall.org
Centos6 qmail install: cp /etc/sysconfig/iptables /etc/sysconfig/iptables.org

Copy script to your server, make executable (chmod +x country_block.sh).

Edit file, and modify to your needs. Specific areas:

ISO="af cn kr"
# Set your own ports you need, these are set for a standard qmail install..remove 3306 if you dont do database syncs
ALLOWPORTS=22,25,80,110,143,443,465,587,993,995,3306
#Set your subnet
ALLOWSUBNET=192.168.0.0/255.255.0.0

Run script: ./country_block.sh
Wait until complete.
Check it added the rules: iptables -L -n, you should see a whole bunch of "countrydrop" lines.

Centos 5 Qmail installs
Save iptables to your /etc/rc.d/firewall.ruleset
/sbin/iptables-save > /etc/rc.d/firewall.ruleset
Stop and start firewall
firewall down
firewall up
Check again
iptables -L -n

Centos 6 Qmail installs
Save iptables to your /etc/sysconfig/iptables
/sbin/iptables-save > /etc/sysconfig/iptables

Some say this may cause slowness on the email server, I have not found that to be the case. Based on "My ruleset" (thousands of entries) I have been running the rules for years.

Dave M
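As an added illustration of what the edited ISO, ALLOWPORTS and ALLOWSUBNET variables turn into (this is not the list's country_block.sh), the script below emits the iptables commands as a dry run so the number of countrydrop rules can be checked before running for real and saving with iptables-save. The ZONES data, cidrs_for and count_countrydrop are assumptions; a real run would read per-country CIDR lists from a zone-file provider instead.

```shell
#!/bin/sh
# Added example, not the thread's script. Same variables as in the thread;
# IPTABLES defaults to "echo iptables" so nothing is changed until you set
# IPTABLES=/sbin/iptables and run it as root.
ISO="${ISO:-af cn kr}"
ALLOWPORTS="${ALLOWPORTS:-22,25,80,110,143,443,465,587,993,995,3306}"
ALLOWSUBNET="${ALLOWSUBNET:-192.168.0.0/255.255.0.0}"
IPTABLES="${IPTABLES:-echo iptables}"

# Constructed sample zone data ("cc cidr" per line) using RFC 5737 documentation
# ranges; a real run would load the provider's per-country CIDR files here.
ZONES='cn 192.0.2.0/24
cn 198.51.100.0/25
kr 203.0.113.0/24
af 198.51.100.128/25
us 203.0.113.128/25'

# Print the CIDRs listed for one ISO code (assumed helper).
cidrs_for() { printf '%s\n' "$ZONES" | awk -v cc="$1" '$1 == cc { print $2 }'; }

# Emit the rule set: local subnet and existing connections first, then one
# INPUT rule per blocked range jumping to a dedicated countrydrop chain (which
# is why "iptables -L -n" shows a whole bunch of countrydrop lines), then the
# service ports from ALLOWPORTS, and a final drop for everything else.
country_block_rules() {
  $IPTABLES -N countrydrop
  $IPTABLES -A countrydrop -j DROP
  $IPTABLES -A INPUT -s "$ALLOWSUBNET" -j ACCEPT
  $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for cc in $ISO; do
    for net in $(cidrs_for "$cc"); do
      $IPTABLES -A INPUT -s "$net" -j countrydrop
    done
  done
  $IPTABLES -A INPUT -p tcp -m multiport --dports "$ALLOWPORTS" -j ACCEPT
  $IPTABLES -A INPUT -j DROP
}

# Sanity check before saving: how many ranges would be sent to countrydrop.
count_countrydrop() { country_block_rules | grep -c -- '-j countrydrop$'; }

country_block_rules
echo "countrydrop ranges: $(count_countrydrop)"
```

With the sample data the dry run lists 4 countrydrop ranges (af, cn, cn, kr) and leaves the "us" range untouched; add any non-standard ports to ALLOWPORTS before switching IPTABLES to the real binary.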
