Yeah I saw that tar file they offer. I wanted to use it with chef and just feed 
shorewall some include files. Will see how it goes.

Cheers,
Sebastian

> On 17.07.2014, at 22:48, M <[email protected]> wrote:
> 
> Shorewall firewall is based on iptables so it should work.
> and this script gets its data from :
> DLROOT="http://www.ipdeny.com/ipblocks/data/countries";
> 
> Dave M
> 
>> On 7/17/2014 10:28 AM, Sebastian Grewe wrote:
>> Hey Dave,
>> 
>> That's one great script there. I will have to check for that ipdeny.com list 
>> - maybe I can also add it to shorewall somehow.
>> 
>> Cheers,
>> Sebastian
>> 
>> On 16.07.2014, at 21:02, M <[email protected]> wrote:
>> 
>>> Hi list, recently I had a request for a VM for one of our qmailers.
>>> 
>>> Subsequently, after deployment, we found the VM to be compromised, so 
>>> hackers got in before I could secure the qmail VM.
>>> 
>>> I rebuilt the VM, and added " My " firewall rules , and sent it off again. 
>>> No probs this time.
>>> I was asked if they could share the firewall rules, No probs, but I looked 
>>> for a way to block by country.
>>> 
>>> Here is what I found, and modified for our qmail needs ( rules etc )
>>> Thanks go to the original script writer, I merely modified it.
>>> 
>>> Firewall script , so you can block specific countries, eg China ( ISO cn ) 
>>> working as of July 16th 2014
>>> 
>>> ***No offense meant to any countries listed here, for demo purposes only***
>>> 
>>> Do an ISO country code look up for your needs
>>> 
>>> Tested on qmail-Centos5, and qmail-Centos6.
>>> 
>>> Should work on other iptables type firewalls
>>> 
>>> Install & Setup.
>>> *** Backup your existing firewall script. ***
>>> Centos5 qmail install ( cp /etc/rc.d/firewall.ruleset 
>>> /etc/rc.d/firewall.org )
>>> Centos6 qmail install ( cp /etc/sysconfig/iptables 
>>> /etc/sysconfig/iptables.org )
>>> 
>>> copy script to your server, make executable ( chmod +x country_block.sh )
>>> Edit file, and modify to your needs.
>>> specific areas
>>> ISO="af cn kr" 
>>> # Set your own ports you need, these are set for a standard qmail 
>>> install..remove 3306 if you don't do database syncs
>>> ALLOWPORTS=22,25,80,110,143,443,465,587,993,995,3306
>>> #Set your subnet 
>>> ALLOWSUBNET=192.168.0.0/255.255.0.0
>>> 
>>> 
>>> Run script
>>> ./country_block.sh
>>> Wait until complete.
>>> check it added the rules,  iptables -L -n, you should see a whole bunch of 
>>> " countrydrop " lines
>>> 
>>> Centos 5 Qmail installs
>>> Save iptables to your /etc/rc.d/firewall.ruleset
>>> /sbin/iptables-save > /etc/rc.d/firewall.ruleset
>>> 
>>> Stop and start firewall 
>>> firewall down
>>> firewall up
>>> Check again iptables -L -n
>>> 
>>> Centos 6 Qmail installs
>>> Save iptables to your /etc/sysconfig/iptables
>>> /sbin/iptables-save > /etc/sysconfig/iptables
>>> 
>>> Some say this may cause slowness on the email server, I have not found that 
>>> to be the case.
>>> Based on  " My ruleset " ( thousands of entries ) I have been running the 
>>> rules for years.
>>> 
>>> Dave M
>>> <country_block.sh>
> 
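
Added example (not part of the thread and not Dave's country_block.sh): the zone files come from ipdeny.com over plain HTTP, so one way to keep a bad or tampered download from becoming firewall rules is to validate every line before it is loaded. The chain name `countrydrop`, the /8 minimum prefix, the function names and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Dave's country_block.sh: turn an ipdeny-style zone file
# into iptables-restore input, dropping any line that is not a sane IPv4 CIDR.
CHAIN=countrydrop   # assumed chain name, taken from the output the post mentions
MIN_PREFIX=8        # assumed policy: refuse blocks wider than a /8 (e.g. 0.0.0.0/0)
CR=$(printf '\r')

valid_cidr() {
    # digits, dots and a single slash only; no dot directly before the slash
    case $1 in ''|*[!0-9./]*|*/*/*|*./*) return 1 ;; esac
    net=${1%/*} prefix=${1#*/}
    case $prefix in ''|???*|0?*|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # empty, over-long or zero-padded octets (some parsers read 0NN as octal)
        case $o in ''|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

build_ruleset() {   # zone file on stdin, ruleset on stdout, rejects on stderr
    n=0; printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1)); line=${line%"$CR"}
        case $line in ''|'#'*) continue ;; esac
        if valid_cidr "$line"; then
            printf '%s\n' "-A $CHAIN -s $line -j DROP"
        else
            echo "rejected line $n" >&2   # number only: never echo untrusted text
        fi
    done
    printf 'COMMIT\n'
}

sample_zone() {     # constructed sample, not real ipdeny.com data
    cat <<'EOF'
# comment line
192.0.2.0/24
198.51.100.0/22
0.0.0.0/0
203.0.113.7/33
203.0.113.0/24 -j ACCEPT
256.1.1.0/24
010.0.0.0/8
EOF
}

sample_zone | build_ruleset
```

The output is in iptables-restore format; loading it with `iptables-restore --noflush` leaves the rules in other chains in place.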
