Hey Dave,

That's one great script there. I will have to check for that ipdeny.com list - maybe I can also add it to shorewall somehow.

Cheers,
Sebastian

> On 16.07.2014, at 21:02, M <[email protected]> wrote:
>
> Hi list, recently I had a request for a VM for one of our qmailers.
>
> Subsequently, after deployment, we found the VM to be compromised, so
> hackers got in before I could secure the qmail VM.
>
> I rebuilt the VM, and added "My" firewall rules, and sent it off again. No
> probs this time.
> I was asked if they could share the firewall rules. No probs, but I looked
> for a way to block by country.
>
> Here is what I found, and modified for our qmail needs (rules etc.).
> Thanks go to the original script writer, I merely modified it.
>
> Firewall script, so you can block specific countries, e.g. China (ISO cn),
> working as of July 16th 2014.
>
> ***No offense meant to any countries listed here, for demo purposes only***
>
> Do an ISO country code lookup for your needs.
>
> Tested on qmail-CentOS5, and qmail-CentOS6.
>
> Should work on other iptables type firewalls.
>
> Install & Setup.
> *** Backup your existing firewall script. ***
> CentOS5 qmail install (cp /etc/rc.d/firewall.ruleset /etc/rc.d/firewall.org)
> CentOS6 qmail install (cp /etc/sysconfig/iptables /etc/sysconfig/iptables.org)
>
> Copy script to your server, make executable (chmod +x country_block.sh).
> Edit file, and modify to your needs.
> Specific areas:
> ISO="af cn kr"
> # Set your own ports you need, these are set for a standard qmail install..remove 3306 if you don't do database syncs
> ALLOWPORTS=22,25,80,110,143,443,465,587,993,995,3306
> #Set your subnet
> ALLOWSUBNET=192.168.0.0/255.255.0.0
>
> Run script
> ./country_block.sh
> Wait until complete.
> Check it added the rules, iptables -L -n, you should see a whole bunch of
> "countrydrop" lines.
>
> CentOS 5 Qmail installs
> Save iptables to your /etc/rc.d/firewall.ruleset
> /sbin/iptables-save > /etc/rc.d/firewall.ruleset
>
> Stop and start firewall
> firewall down
> firewall up
> Check again iptables -L -n
>
> CentOS 6 Qmail installs
> Save iptables to your /etc/sysconfig/iptables
> /sbin/iptables-save > /etc/sysconfig/iptables
>
> Some say this may cause slowness on the email server, I have not found that
> to be the case.
> Based on "My ruleset" (thousands of entries) I have been running the
> rules for years.
>
> Dave M
>
> <country_block.sh>
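For readers who want to see what the procedure above produces, here is an added example (not Dave's attached country_block.sh, which is not reproduced on the list): a POSIX sh script that turns ipdeny-style zone files into an iptables-restore fragment with a "countrydrop" chain, so the rules can be reviewed before loading. The zone files are constructed placeholders, and the way ALLOWPORTS and ALLOWSUBNET are wired into INPUT is my assumption about how such a script ties the settings together.

```shell
#!/bin/sh
# Settings in the same style as the quoted post.
ISO="cn kr"
ALLOWPORTS=22,25,80,110,143,443,465,587,993,995,3306
ALLOWSUBNET=192.168.0.0/255.255.0.0
ZONE_DIR="${ZONE_DIR:-${TMPDIR:-/tmp}/zones.$$}"

# Constructed sample zone files (documentation prefixes, not real country
# data); a real deployment would fetch <cc>.zone from ipdeny.com instead.
mkdir -p "$ZONE_DIR"
printf '203.0.113.0/24\n198.51.100.0/25\n\n# comment\n' > "$ZONE_DIR/cn.zone"
printf '192.0.2.0/24\n' > "$ZONE_DIR/kr.zone"

# One DROP rule per valid IPv4 CIDR in a zone file; junk lines are skipped.
zone_rules() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$1" |
        sed 's#^#-A countrydrop -s #; s#$# -j DROP#'
}

# Full *filter table (assumed layout): loopback and established traffic pass,
# the trusted subnet bypasses the country chain, everything else is checked
# against countrydrop before the port allow-list; unmatched traffic hits the
# INPUT DROP policy.
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':countrydrop - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -s $ALLOWSUBNET -j ACCEPT"
    echo '-A INPUT -j countrydrop'
    echo "-A INPUT -p tcp -m multiport --dports $ALLOWPORTS -j ACCEPT"
    for cc in $ISO; do
        f="$ZONE_DIR/$cc.zone"
        [ -r "$f" ] || { echo "skipping $cc: no $f" >&2; continue; }
        zone_rules "$f"
    done
    echo 'COMMIT'
}

# Sanity check mirroring "iptables -L -n" in the post: count countrydrop rules.
count_drops() {
    gen_ruleset | grep -c -- '-A countrydrop .* -j DROP'
}

gen_ruleset
```

Pipe the output into `iptables-restore` (or save it as /etc/sysconfig/iptables on CentOS 6) once you are happy with it.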
