Well, maybe we can't:

“YOU MAY NOT RE-DISTRIBUTE OUR IP ZONE FILES. HOWEVER, YOU CAN LINK TO
OUR IP COUNTRY ZONE FILES FOLDER ACCESSABLE AT
http://www.ipdeny.com/ipblocks/data/countries, BUT NOT TO THE
FILES DIRECTLY, UNLESS YOU COMPLY WITH FAIR USAGE LIMITS POLICY.”

Also, I found their zip file of all zones to be zero bytes.
Dave M
On 7/18/2014 12:59 PM, Me wrote:
I also downloaded their tar file of all the countries' IPs.
Just wondering, maybe I will look at modifying the script so it looks
on the local drive for "DLROOT"
instead of trolling their website, as I used to use this a long time
ago and found many of the files inside the tar to be zero bytes.
Will let everyone know what I find.
Dave M
From: Sebastian Grewe <[email protected]>
Sent: Friday, July 18, 2014 12:43 AM
To: [email protected]
Subject: Re: [qmailtoaster] Firewall
Yeah I saw that tar file they offer. I wanted to use it with chef and
just feed shorewall some include files. Will see how it goes.
Cheers,
Sebastian
On 17.07.2014, at 22:48, M <[email protected]> wrote:
Shorewall firewall is based on iptables, so it should work,
and this script gets its data from:
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
Dave M
On 7/17/2014 10:28 AM, Sebastian Grewe wrote:
Hey Dave,
That's one great script there. I will have to check for that
ipdeny.com list - maybe I can also add it to
shorewall somehow.
Cheers,
Sebastian
On 16.07.2014, at 21:02, M <[email protected]> wrote:
Hi list, recently I had a request for a VM for one of our qmailers.
Subsequently, after deployment, we found the VM to be compromised,
so hackers got in before I could secure the qmail VM.
I rebuilt the VM, added "My" firewall rules, and sent it off
again. No probs this time.
I was asked if they could share the firewall rules. No probs, but I
looked for a way to block by country.
Here is what I found and modified for our qmail needs (rules etc.).
Thanks go to the original script writer; I merely modified it.
Firewall script, so you can block specific countries, e.g. China
(ISO cn), working as of July 16th 2014.
No offense meant to any countries listed here, for demo purposes
only.
Do an ISO country code lookup for your needs.
Tested on qmail-Centos5 and qmail-Centos6.
Should work on other iptables-type firewalls.
Install & Setup.
Backup your existing firewall script.
Centos5 qmail install (cp /etc/rc.d/firewall.ruleset
/etc/rc.d/firewall.org)
Centos6 qmail install (cp /etc/sysconfig/iptables
/etc/sysconfig/iptables.org)
Copy script to your server, make executable (chmod +x
country_block.sh).
Edit file, and modify to your needs.
Specific areas:
ISO="af cn kr"
# Set your own ports you need; these are set for a standard qmail
# install. Remove 3306 if you don't do database syncs.
ALLOWPORTS=22,25,80,110,143,443,465,587,993,995,3306
# Set your subnet
ALLOWSUBNET=192.168.0.0/255.255.0.0
Run script:
./country_block.sh
Wait until complete.
Check it added the rules (iptables -L -n); you should see a whole
bunch of "countrydrop" lines.
Centos 5 Qmail installs
Save iptables to your /etc/rc.d/firewall.ruleset:
/sbin/iptables-save > /etc/rc.d/firewall.ruleset
Stop and start firewall:
firewall down
firewall up
Check again: iptables -L -n
Centos 6 Qmail installs
Save iptables to your /etc/sysconfig/iptables:
/sbin/iptables-save > /etc/sysconfig/iptables
Some say this may cause slowness on the email server; I have not
found that to be the case.
Based on "My ruleset" (thousands of entries), I have been
running the rules for years.
Dave M
<country_block.sh>
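Dave's idea of pointing DLROOT at a local copy of the zone files, together with the zero-byte files both posters hit, as an added example that is not the list's country_block.sh and was not posted by anyone on the thread: a small POSIX sh script that builds the countrydrop rules from local zone files and refuses empty ones instead of silently producing no block at all. The local path under DLROOT, the <iso>.zone file naming, and the chain layout around ALLOWPORTS and ALLOWSUBNET are assumptions, not what the original script does.

```shell
#!/bin/sh
# Added example, not the list's country_block.sh: build the "countrydrop"
# rules from zone files already on local disk (Dave's DLROOT-on-local-drive
# idea) and refuse the zero-byte files both posters found in the tarball.
# Assumed layout: $DLROOT/<iso>.zone, one CIDR per line, as ipdeny ships them.

ISO="af cn kr"
ALLOWPORTS=22,25,80,110,143,443,465,587,993,995,3306
ALLOWSUBNET=192.168.0.0/255.255.0.0
DLROOT="${DLROOT:-/var/lib/country_block/zones}"   # assumed local path

# Print one DROP rule per valid a.b.c.d/n line of a zone file.
# Returns 1 (and prints nothing) for a missing or zero-byte file, so a bad
# download cannot silently produce an empty country block.
zone_rules() {
    zone="$1"
    [ -s "$zone" ] || { echo "skip: $zone is empty or missing" >&2; return 1; }
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$zone" |
    while read -r net; do
        echo "iptables -A countrydrop -s $net -j DROP"
    done
}

# Print the complete command list. The chain layout (countrydrop consulted
# before the port ACCEPTs, local subnet exempted) is an assumption about how
# the original script uses ALLOWPORTS and ALLOWSUBNET; adjust to your ruleset.
build_rules() {
    echo "iptables -N countrydrop 2>/dev/null || iptables -F countrydrop"
    echo "iptables -A countrydrop -s $ALLOWSUBNET -j RETURN"
    for c in $ISO; do
        zone_rules "$DLROOT/$c.zone" || true
    done
    echo "iptables -I INPUT 1 -j countrydrop"
    echo "iptables -A INPUT -p tcp -m multiport --dports $ALLOWPORTS -j ACCEPT"
}

# Stand-alone demo on a constructed zone directory (RFC 5737 test networks,
# not real ipdeny data) when the assumed DLROOT does not exist.
if [ ! -d "$DLROOT" ]; then
    DLROOT=$(mktemp -d)
    printf '192.0.2.0/24\n198.51.100.0/24\nnot-a-cidr\n' > "$DLROOT/cn.zone"
    : > "$DLROOT/af.zone"   # zero-byte file, as seen in the broken tarball
fi
build_rules
```

Review the printed commands before piping them into sh, then use iptables-save exactly as in the steps above to persist the result.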