This is the method that I used to implement IPtables blocking by country on my server (ISPConfig 3.0.3 - Debian Lenny 5.0.6 Perfect Server).

Credit goes to linus3x for pointing out the link that got me started: http://www.tuxj0b.de/GeoIP_for_iptables_on_Debian_Lenny

I basically followed all the directions there with a few additions for my environment.

First, I needed to add the package xz-utils because the latest xtables-addons package is in xz format.

Edit apt sources

Code:
nano /etc/apt/sources.list

add the line

Code:
deb http://backports.debian.org/debian-backports lenny-backports main

Update the package lists

Code:
apt-get update

Install xz-utils

Code:
aptitude install xz-utils

After this step I went back and removed the previously added line in sources.list just to prevent any future issues.

Next I wanted to update to a later version of iptables and add some other associated tools.

Edit apt sources

Code:
nano /etc/apt/sources.list

add the line

Code:
deb http://ftp.de.debian.org/debian squeeze main

Update the package lists

Code:
apt-get update

Install iptables and addons

Code:
apt-get -t testing install iptables
apt-get -t testing install iptables-dev
apt-get -t testing install xtables-addons-common

After this step I went back and removed the previously added line in sources.list just to prevent any future issues.

From the original instructions, install some other needed packages

Code:
aptitude install pkg-config libtext-csv-xs-perl linux-headers-`uname -r` iptables-dev

Next, create the necessary directories and download the needed GeoIPCountry files.
Code:
mkdir -p /var/geoip/LE /usr/src/GeoIP
wget -O /usr/src/GeoIP/GeoIPCountryCSV.zip http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
wget -O /usr/src/GeoIP/csv2bin-20041103.tar.gz http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
wget -O /usr/src/GeoIP/geoip_src.tar.bz2 http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
wget -O /usr/src/GeoIP/xtables-addons-1.31.tar.xz http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.31/xtables-addons-1.31.tar.xz

Next, extract all the files for install.

Code:
cd /usr/src/GeoIP
tar xf csv2bin-20041103.tar.gz
tar xf geoip_src.tar.bz2 geoip_csv_iv0.pl
unzip GeoIPCountryCSV.zip
xz -d xtables-addons-1.31.tar.xz
tar xf xtables-addons-1.31.tar

Next, configure and make xtables-addons.

Code:
cd xtables-addons-1.31
./configure --with-xtlibdir=/lib/xtables
make
make install

Next, make csv2bin

Code:
cd /usr/src/GeoIP/csv2bin
make

Next, run csv2bin on GeoIPCountryWhois.csv file. (I assume this just makes it a binary file)

Code:
cd /var/geoip
/usr/src/GeoIP/csv2bin/csv2bin /usr/src/GeoIP/GeoIPCountryWhois.csv

Next, run the GeoIP perl script on that file.

Code:
cd /var/geoip/LE
perl /usr/src/GeoIP/geoip_csv_iv0.pl /usr/src/GeoIP/GeoIPCountryWhois.csv

Next, create a symbolic link in /usr/share pointing xt_geoip to /var/geoip

Code:
cd /usr/share
ln -s /var/geoip/ xt_geoip

Finally, add the countries you wish to exclude using the 2 letter codes for that country. List to follow. In the example below, I am excluding Ukraine, one of my big offenders.
Code:
iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
iptables -A INPUT -j GEOIP_REJECT

To decide which countries you want to exclude, just investigate your mail logs and/or your fail2ban log if you implemented the fail2ban postfix logging as in http://www.howtoforge.com/forums/showthread.php?t=28781 (Thanks to edge for pointing that one out to me)

If you find later that you have blocked a country that your users need to send/receive mail from, you can add it back as below. Keep an eye on your mail queues, people. If you add it back quickly enough, no one will know there was ever a block. Personally I prefer to just block and then remove it if it causes a problem. If you actually ask the users they will say they need to receive or send mail from everywhere, all the time. ;>

In my case, I noticed that I had some outgoing messages to Taiwan that were held in queue. So I want to unblock TAIWAN. The -D is for delete.

Code:
iptables -D GEOIP_REJECT -m geoip --src-cc TW -j REJECT
iptables -A INPUT -j GEOIP_REJECT

You can verify your blocks afterwards by using

Code:
iptables -L

For a list of commands, you can type

Code:
iptables -m geoip --help

I used http://www.infosniper.net/index.php to find out where the IP addresses were located and went from there. I have already added 28 countries to be blocked entirely. My incoming mail traffic due to spam has been reduced significantly and the results were instantly visible. If I did a tail -f of the mail log, before implementation it was almost too fast to even read, now it is at a much more reasonable pace. I will see what the actual number reduction is after a couple of days.

Also the zip file containing the list of countries and IP ranges gets updated on a monthly basis. More info can be found at: http://www.maxmind.com/app/geolitecountry

Here are the country codes.
Code:
74 ranges for A1 Anonymous Proxy
2054 ranges for A2 Satellite Provider
14 ranges for AD Andorra
297 ranges for AE United Arab Emirates
156 ranges for AF Afghanistan
117 ranges for AG Antigua and Barbuda
16 ranges for AI Anguilla
53 ranges for AL Albania
71 ranges for AM Armenia
72 ranges for AN Netherlands Antilles
108 ranges for AO Angola
289 ranges for AP Asia/Pacific Region
24 ranges for AQ Antarctica
678 ranges for AR Argentina
33 ranges for AS American Samoa
1649 ranges for AT Austria
2620 ranges for AU Australia
30 ranges for AW Aruba
124 ranges for AX Aland Islands
46 ranges for AZ Azerbaijan
106 ranges for BA Bosnia and Herzegovina
65 ranges for BB Barbados
307 ranges for BD Bangladesh
2740 ranges for BE Belgium
22 ranges for BF Burkina Faso
486 ranges for BG Bulgaria
73 ranges for BH Bahrain
14 ranges for BI Burundi
32 ranges for BJ Benin
72 ranges for BM Bermuda
15 ranges for BN Brunei Darussalam
73 ranges for BO Bolivia
480 ranges for BR Brazil
42 ranges for BS Bahamas
6 ranges for BT Bhutan
15 ranges for BV Bouvet Island
26 ranges for BW Botswana
76 ranges for BY Belarus
89 ranges for BZ Belize
7267 ranges for CA Canada
104 ranges for CD Congo, The Democratic Republic of the
10 ranges for CF Central African Republic
24 ranges for CG Congo
2473 ranges for CH Switzerland
46 ranges for CI Cote D'Ivoire
4 ranges for CK Cook Islands
396 ranges for CL Chile
61 ranges for CM Cameroon
998 ranges for CN China
480 ranges for CO Colombia
138 ranges for CR Costa Rica
16 ranges for CU Cuba
6 ranges for CV Cape Verde
381 ranges for CY Cyprus
864 ranges for CZ Czech Republic
12102 ranges for DE Germany
8 ranges for DJ Djibouti
1120 ranges for DK Denmark
19 ranges for DM Dominica
81 ranges for DO Dominican Republic
61 ranges for DZ Algeria
198 ranges for EC Ecuador
191 ranges for EE Estonia
233 ranges for EG Egypt
10 ranges for ER Eritrea
2641 ranges for ES Spain
12 ranges for ET Ethiopia
3236 ranges for EU Europe
935 ranges for FI Finland
19 ranges for FJ Fiji
4 ranges for FK Falkland Islands (Malvinas)
6 ranges for FM Micronesia, Federated States of
9 ranges for FO Faroe Islands
6214 ranges for FR France
41 ranges for GA Gabon
13028 ranges for GB United Kingdom
28 ranges for GD Grenada
100 ranges for GE Georgia
2 ranges for GF French Guiana
86 ranges for GG Guernsey
144 ranges for GH Ghana
53 ranges for GI Gibraltar
3 ranges for GL Greenland
8 ranges for GM Gambia
37 ranges for GN Guinea
18 ranges for GP Guadeloupe
12 ranges for GQ Equatorial Guinea
673 ranges for GR Greece
91 ranges for GT Guatemala
39 ranges for GU Guam
5 ranges for GW Guinea-Bissau
11 ranges for GY Guyana
1084 ranges for HK Hong Kong
94 ranges for HN Honduras
148 ranges for HR Croatia
29 ranges for HT Haiti
531 ranges for HU Hungary
706 ranges for ID Indonesia
1039 ranges for IE Ireland
700 ranges for IL Israel
94 ranges for IM Isle of Man
1472 ranges for IN India
7 ranges for IO British Indian Ocean Territory
526 ranges for IQ Iraq
377 ranges for IR Iran, Islamic Republic of
85 ranges for IS Iceland
2957 ranges for IT Italy
80 ranges for JE Jersey
73 ranges for JM Jamaica
91 ranges for JO Jordan
1730 ranges for JP Japan
151 ranges for KE Kenya
38 ranges for KG Kyrgyzstan
67 ranges for KH Cambodia
2 ranges for KI Kiribati
5 ranges for KM Comoros
56 ranges for KN Saint Kitts and Nevis
5 ranges for KP Korea, Democratic People's Republic of
622 ranges for KR Korea, Republic of
160 ranges for KW Kuwait
30 ranges for KY Cayman Islands
173 ranges for KZ Kazakhstan
14 ranges for LA Lao People's Democratic Republic
220 ranges for LB Lebanon
22 ranges for LC Saint Lucia
68 ranges for LI Liechtenstein
63 ranges for LK Sri Lanka
56 ranges for LR Liberia
10 ranges for LS Lesotho
369 ranges for LT Lithuania
368 ranges for LU Luxembourg
284 ranges for LV Latvia
97 ranges for LY Libyan Arab Jamahiriya
92 ranges for MA Morocco
40 ranges for MC Monaco
121 ranges for MD Moldova, Republic of
46 ranges for ME Montenegro
4 ranges for MF Saint Martin
20 ranges for MG Madagascar
6 ranges for MH Marshall Islands
69 ranges for MK Macedonia
14 ranges for ML Mali
3 ranges for MM Myanmar
51 ranges for MN Mongolia
30 ranges for MO Macau
5 ranges for MP Northern Mariana Islands
16 ranges for MQ Martinique
19 ranges for MR Mauritania
11 ranges for MS Montserrat
107 ranges for MT Malta
46 ranges for MU Mauritius
17 ranges for MV Maldives
41 ranges for MW Malawi
571 ranges for MX Mexico
478 ranges for MY Malaysia
45 ranges for MZ Mozambique
232 ranges for NA Namibia
27 ranges for NC New Caledonia
32 ranges for NE Niger
3 ranges for NF Norfolk Island
926 ranges for NG Nigeria
74 ranges for NI Nicaragua
6252 ranges for NL Netherlands
1063 ranges for NO Norway
54 ranges for NP Nepal
3 ranges for NR Nauru
1 ranges for NU Niue
620 ranges for NZ New Zealand
18 ranges for OM Oman
173 ranges for PA Panama
129 ranges for PE Peru
9 ranges for PF French Polynesia
21 ranges for PG Papua New Guinea
441 ranges for PH Philippines
267 ranges for PK Pakistan
2532 ranges for PL Poland
4 ranges for PM Saint Pierre and Miquelon
842 ranges for PR Puerto Rico
42 ranges for PS Palestinian Territory, Occupied
586 ranges for PT Portugal
4 ranges for PW Palau
43 ranges for PY Paraguay
34 ranges for QA Qatar
7 ranges for RE Reunion
977 ranges for RO Romania
259 ranges for RS Serbia
4061 ranges for RU Russian Federation
14 ranges for RW Rwanda
381 ranges for SA Saudi Arabia
3 ranges for SB Solomon Islands
36 ranges for SC Seychelles
46 ranges for SD Sudan
2106 ranges for SE Sweden
868 ranges for SG Singapore
366 ranges for SI Slovenia
391 ranges for SK Slovakia
42 ranges for SL Sierra Leone
14 ranges for SM San Marino
22 ranges for SN Senegal
30 ranges for SO Somalia
19 ranges for SR Suriname
4 ranges for ST Sao Tome and Principe
89 ranges for SV El Salvador
48 ranges for SY Syrian Arab Republic
22 ranges for SZ Swaziland
13 ranges for TC Turks and Caicos Islands
20 ranges for TD Chad
10 ranges for TG Togo
362 ranges for TH Thailand
27 ranges for TJ Tajikistan
10 ranges for TK Tokelau
3 ranges for TL Timor-Leste
6 ranges for TM Turkmenistan
18 ranges for TN Tunisia
4 ranges for TO Tonga
654 ranges for TR Turkey
34 ranges for TT Trinidad and Tobago
1 ranges for TV Tuvalu
465 ranges for TW Taiwan
131 ranges for TZ Tanzania, United Republic of
2282 ranges for UA Ukraine
53 ranges for UG Uganda
11 ranges for UM United States Minor Outlying Islands
19724 ranges for US United States
85 ranges for UY Uruguay
48 ranges for UZ Uzbekistan
6 ranges for VA Holy See (Vatican City State)
21 ranges for VC Saint Vincent and the Grenadines
236 ranges for VE Venezuela
90 ranges for VG Virgin Islands, British
134 ranges for VI Virgin Islands, U.S.
151 ranges for VN Vietnam
6 ranges for VU Vanuatu
2 ranges for WF Wallis and Futuna
24 ranges for WS Samoa
19 ranges for YE Yemen
3 ranges for YT Mayotte
579 ranges for ZA South Africa
85 ranges for ZM Zambia
70 ranges for ZW Zimbabwe
Things to still be worked out.

1. How to remove a country from blocking that was added using this method. (I assume it's some variation of the command used to add a country) DONE - added to original post above.
2. Instructions for updating the Country-IP Range file.
3. What files need to be protected, or will be broken if there is ever an ISPConfig or debian system update.

Any suggestions, tips or improvements, are welcomed. Also please check the HOWTO: Spam control for POSTFIX
It looks great, drewb0y! Did you run into any conflicts between the ISPConfig 3 firewall and this Geo mod, specifically in the iptables?
Thanks for the info. I would like to know how to implement this into the existing iptables or through ispconfig3. I did this and once I rebooted I do not see it after an iptables -L

"iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
iptables -A INPUT -j GEOIP_REJECT"

I am not a complete newbie but I am looking for some help if possible. The file I have "country codes setup" is taken from your little example. I left out 4 countries.

7267 ranges for CA Canada
12102 ranges for DE Germany
13028 ranges for GB United Kingdom
19724 ranges for US United States

Germany is because I talk to astaro. The UK is for some downloads I think. If this helps anyone please feel free to use it. Also should we add an "ACCEPT" for those we want?
No conflicts that I have seen yet. And if I do an iptables -L it shows me a nice list of all the countries I am blocking, and the fail2ban blocks as well.
I did not actually use a file of the countries to enter them, they were just listed above as a reference. So I would enter each individually with a separate command.

iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT

then

iptables -A INPUT -j GEOIP_REJECT

after all have been entered. The first line

iptables -N GEOIP_REJECT

I only entered once.

I have not actually rebooted yet myself, and rarely do actually,

Code:
uptime
06:10:11 up 21 days, 7:48, 1 user, load average: 0.01, 0.05, 0.01

so I'm not sure if it will fall out. My question is did you check with an iptables -L before you rebooted? It may never have taken correctly in the first place. Here is an example of what your iptables -L output should look like if it's working.

Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-postfix-spamers550 tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere
GEOIP_REJECT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain GEOIP_REJECT (12 references)
target prot opt source destination
REJECT all -- anywhere anywhere Source country: HN reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: MA reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: KP reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: KR reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: BY reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: NG reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: CM reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: KG reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: KZ reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: SG reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: BG reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: ZA reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: GD reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: PK reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: DO reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: CO reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: RS reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: CL reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: IQ reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: ID reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: AE reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: SA reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: BR reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: AR reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: PT reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: UA reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: VE reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: RU reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: RO reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: VN reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: TH reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: RW reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere Source country: CZ reject-with icmp-port-unreachable

Chain fail2ban-postfix (1 references)
target prot opt source destination
DROP all -- 117.200.250.116 anywhere
DROP all -- 217.29.122.151 anywhere
DROP all -- 193.251.223.82 anywhere
DROP all -- 117.195.68.191 anywhere
DROP all -- 90.91.56.190.dsl.intelnet.net.gt anywhere
DROP all -- triband-del-59.178.55.168.bol.net.in anywhere
DROP all -- 59.93.163.7 anywhere
DROP all -- 93.Red-88-17-1.dynamicIP.rima-tde.net anywhere
DROP all -- 221.207.145.66 anywhere
DROP all -- ge-3-3-0-core-as12455.orange.co.ke anywhere
DROP all -- gw.pslpom.datec.net.pg anywhere
DROP all -- ABTS-North-Dynamic-219.143.163.122.airtelbroadband.in anywhere
DROP all -- 124.106.81.18 anywhere
DROP all -- 124.93.248.250 anywhere
DROP all -- 117.201.75.26 anywhere
DROP all -- triband-del-59.178.55.177.bol.net.in anywhere
DROP all -- 59.164.1.54.man-dynamic.vsnl.net.in anywhere
DROP all -- 94-75-91-245.home.aster.pl anywhere
DROP all -- ABTS-North-Dynamic-130.124.161.122.airtelbroadband.in anywhere
DROP all -- ABTS-MP-Dynamic-064.130.175.122.airtelbroadband.in anywhere
DROP all -- 116.73.241.33 anywhere
DROP all -- ABTS-TN-dynamic-203.190.178.122.airtelbroadband.in anywhere
DROP all -- 221.218.19.95.dynamic.jazztel.es anywhere
DROP all -- ABTS-North-Dynamic-224.13.173.122.airtelbroadband.in anywhere
DROP all -- 222.168.13.180 anywhere
DROP all -- IGLD-80-230-5-86.inter.net.il anywhere
DROP all -- 117.199.105.63 anywhere
DROP all -- 80.191.174.8 anywhere
DROP all -- 60.6.156.46 anywhere
DROP all -- 91.99.155.189.parsonline.net anywhere
DROP all -- 196.2.11.86 anywhere
DROP all -- 120.56.149.193 anywhere
DROP all -- c-98-250-181-247.hsd1.mi.comcast.net anywhere
DROP all -- 42.73.148.190.dsl.intelnet.net.gt anywhere
DROP all -- adsl-ull-55-153.46-151.net24.it anywhere
DROP all -- 186-40-183-76.bam.movistar.cl anywhere
DROP all -- user-46-113-14-85.play-internet.pl anywhere
RETURN all -- anywhere anywhere

Chain fail2ban-postfix-spamers550 (1 references)
target prot opt source destination
DROP all -- 117.200.250.116 anywhere
DROP all -- 217.29.122.151 anywhere
DROP all -- 193.251.223.82 anywhere
DROP all -- 117.195.68.191 anywhere
DROP all -- 90.91.56.190.dsl.intelnet.net.gt anywhere
DROP all -- triband-del-59.178.55.168.bol.net.in anywhere
DROP all -- 59.93.163.7 anywhere
DROP all -- 93.Red-88-17-1.dynamicIP.rima-tde.net anywhere
DROP all -- 221.207.145.66 anywhere
DROP all -- ge-3-3-0-core-as12455.orange.co.ke anywhere
DROP all -- gw.pslpom.datec.net.pg anywhere
DROP all -- ABTS-North-Dynamic-219.143.163.122.airtelbroadband.in anywhere
DROP all -- 124.106.81.18 anywhere
DROP all -- 124.93.248.250 anywhere
DROP all -- 117.201.75.26 anywhere
DROP all -- triband-del-59.178.55.177.bol.net.in anywhere
DROP all -- 59.164.1.54.man-dynamic.vsnl.net.in anywhere
DROP all -- 94-75-91-245.home.aster.pl anywhere
DROP all -- ABTS-North-Dynamic-130.124.161.122.airtelbroadband.in anywhere
DROP all -- ABTS-MP-Dynamic-064.130.175.122.airtelbroadband.in anywhere
DROP all -- 116.73.241.33 anywhere
DROP all -- ABTS-TN-dynamic-203.190.178.122.airtelbroadband.in anywhere
DROP all -- 221.218.19.95.dynamic.jazztel.es anywhere
DROP all -- ABTS-North-Dynamic-224.13.173.122.airtelbroadband.in anywhere
DROP all -- 222.168.13.180 anywhere
DROP all -- IGLD-80-230-5-86.inter.net.il anywhere
DROP all -- 117.199.105.63 anywhere
DROP all -- 80.191.174.8 anywhere
DROP all -- 60.6.156.46 anywhere
DROP all -- 91.99.155.189.parsonline.net anywhere
DROP all -- 196.2.11.86 anywhere
DROP all -- 120.56.149.193 anywhere
DROP all -- 85-171-140-43.rev.numericable.fr anywhere
DROP all -- CPE-124-188-250-92.ezsb1.cht.bigpond.net.au anywhere
DROP all -- host86-138-180-66.range86-138.btcentralplus.com anywhere
DROP all -- 41.199.43.124 anywhere
DROP all -- 20129147022.user.veloxzone.com.br anywhere
DROP all -- 201-27-80-169.dsl.telesp.net.br anywhere
RETURN all -- anywhere anywhere

Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 218.1.114.75 anywhere
RETURN all -- anywhere anywhere

And yes fail2ban blocked someone from Shanghai trying to ssh into my box!
Yes I did do an iptables -L twice as I was not quite sure what I was looking at but your answer about only adding in the last line once gives me my answer. I think. How about this now. Please notice the beginning and the end. I have also added a possible save directory for this string. I got this from another site I use; the person goes by "mr88talent". Let me know if this could work while I am using ispconfig 3 debian lenny 5.06 amd64. Thanks. All should be good
Looks like it should work to me. That is a lot of countries to reject, but I guess I am rejecting a lot as well at 28 currently. Have you been able to verify that without doing the steps below the changes to iptables are not persistent on reboot?

Code:
iptables-save > /etc/GEOIP_REJECT
iptables-restore < /etc/GEOIP_REJECT
vi /etc/network/interfaces

And insert the following text in the blank line just below "iface lo inet loopback":

pre-up iptables-restore < /etc/GEOIP_REJECT
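Added example (not part of the thread, and not code from any of the posters): a shell function that prints the iptables commands for the GEOIP_REJECT chain from a country list, so the same set can be re-applied at boot or after an edit and INPUT ends up with exactly one jump to the chain instead of one per repeated `iptables -A INPUT -j GEOIP_REJECT`. The function name `geoip_commands`, the optional list of protected countries and the country lists in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# geoip_commands "BLOCKED" ["PROTECTED"]      (hypothetical helper, added example)
#   BLOCKED   space-separated 2-letter codes to reject, e.g. "UA TW"
#   PROTECTED codes that must never be rejected (for instance the country
#             your update mirrors are in); they are skipped with a warning
# Prints commands on stdout and changes nothing itself. Review the output,
# then run it as root:  geoip_commands "UA TW" "DE" | sh
geoip_commands() (
    set -f                       # no filename expansion on the lists
    LC_ALL=C                     # make [A-Z] mean exactly A to Z
    blocked=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    protected=" $(printf '%s ' ${2:-} | tr 'a-z' 'A-Z')"
    seen=" "
    rules=""
    for cc in $blocked; do
        case $cc in
            [A-Z][A-Z0-9]) ;;    # AD..ZW plus the A1/A2 pseudo-codes
            *) echo "invalid country code: $cc" >&2; exit 1 ;;
        esac
        # Skip duplicates so each country gets one rule.
        case $seen in *" $cc "*) continue ;; esac
        seen="$seen$cc "
        case $protected in
            *" $cc "*) echo "not blocking protected country: $cc" >&2
                       continue ;;
        esac
        rules="$rules
iptables -A GEOIP_REJECT -m geoip --src-cc $cc -j REJECT"
    done
    [ -n "$rules" ] || { echo "nothing to block" >&2; exit 1; }
    cat <<EOF
# Create the chain; -N fails if it already exists, in which case empty it.
iptables -N GEOIP_REJECT 2>/dev/null || iptables -F GEOIP_REJECT$rules
# Remove every existing jump from INPUT, then add exactly one.
while iptables -D INPUT -j GEOIP_REJECT 2>/dev/null; do :; done
iptables -A INPUT -j GEOIP_REJECT
EOF
)
```

Because the chain is flushed and rebuilt from the list on every run, removing a country is done by dropping it from the list and running the output again.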
Progress Update

Since implementing this as well as the fail2ban blocking, I have reduced the number of spam messages that postgrey has to deal with by about 100,000 messages a day.

On 11/6 my daily mail log statistics that are emailed to me said

Code:
149622 rejected (96%)

On 11/8 it went down to (I think that is after I did fail2ban)

Code:
23317 rejected (98%)

On 11/15 it is now at

Code:
4727 rejected (95%)

So the combination of fail2ban, postgrey and country blocking has made a huge difference in performance.
Yes upon reboot I had nothing but Fail2ban stuff and the original firewall stuff through ispconfig3 + 1 extra port. As for Postgrey. I am currently using Astaro's postgrey. I have not implemented it into the webmail server yet.
I may have misread your last post. After saving the rules to /etc/... I can reboot and have everything saved. My concern is how can we accomplish this through ispconfig?
Works Like a Charm!

Hey drewb0y,

Thanks for the great stuff. Works like a Charm! Just one thing though. I went through my logs and found a few countries that were attempting to hack my server or root it so I blocked them. After the logs cleared up I noticed that ISPConfig 3.0.3 was acting funny. Navigation loading really slow. Latest news not working at all. Freshclam not updating. Things like that. Well after some investigation I found that ISPConfig's main site and Freshclam all come from Germany. I had to unblock Germany before ISPConfig would work as it should again. Just a heads up.

Thanks for the great post,
Casey
I'm trying to install but:

Code:
http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2

seems like site is offline ... is there any other download source?

debian squeeze
The missing link extracts the following code to the geoip_csv_iv0.pl file. Just create the file above with this code and you should be able to complete this TT.

Code:
#!/usr/bin/perl
#
# Converter for MaxMind CSV database to binary, for xt_geoip
# Copyright © CC Computer Consultants, 2008
#
# Contact: Jan Engelhardt <[email protected]>
#
# Use -b argument to create big-endian tables.
#
use Getopt::Long;
use IO::Handle;
use Text::CSV_XS; # or trade for Text::CSV
use strict;

my %country;
my %names;
my $csv = Text::CSV_XS->new({binary => 0, eol => $/}); # or Text::CSV
my $mode = "VV";

&Getopt::Long::Configure(qw(bundling));
&GetOptions("b" => sub { $mode = "NN"; });

while (my $row = $csv->getline(*ARGV)) {
    if (!defined($country{$row->[4]})) {
        $country{$row->[4]} = [];
        $names{$row->[4]} = $row->[5];
    }
    my $c = $country{$row->[4]};
    push(@$c, [$row->[2], $row->[3]]);
    if ($. % 4096 == 0) {
        print STDERR "\r\e[2K$. entries";
    }
}

print STDERR "\r\e[2K$. entries total\n";

foreach my $iso_code (sort keys %country) {
    printf "%5u ranges for %s %s\n",
        scalar(@{$country{$iso_code}}),
        $iso_code, $names{$iso_code};

    open(my $fh, ">".uc($iso_code).".iv0");
    foreach my $range (@{$country{$iso_code}}) {
        print $fh pack($mode, $range->[0], $range->[1]);
    }
    close $fh;
}

I could not find my original download of that file but this is all that was in it. Sorry for the late response. Hope it helps.
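Added example (not part of the thread and not part of the script above): the script writes each country's ranges to XX.iv0 as consecutive pairs of 32-bit little-endian integers (`pack("VV", start, end)`), so a few lines of shell can tell which country file an address falls in before that country is added to GEOIP_REJECT. The function names, the country codes XA and XB and the sample ranges (documentation address blocks) are constructed for the example.

```shell
#!/bin/sh
# Added example: look an IPv4 address up in the .iv0 files written by
# geoip_csv_iv0.pl (the thread's setup keeps them in /var/geoip/LE).

# ip_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer
ip_to_int() (
    set -f
    case $1 in ''|.*|*.|*..*|*[!0-9.]*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in 0[0-9]*|????*) exit 1 ;; esac  # no leading zeros, no overlong octets
        [ "$o" -le 255 ] || exit 1
    done
    printf '%s\n' "$(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))"
)

# iv0_contains FILE IP -> 0 if IP is inside a range, 1 if not, 2 on bad input
iv0_contains() {
    _ip=$(ip_to_int "$2") || return 2
    [ -r "$1" ] || return 2
    # Read the file byte by byte and assemble the little-endian values in awk,
    # so the result does not depend on the byte order of the host.
    od -An -v -tu1 "$1" | awk -v ip="$_ip" '
        { for (i = 1; i <= NF; i++) b[n++] = $i }
        END {
            if (n == 0 || n % 8 != 0) exit 2     # empty or truncated file
            for (i = 0; i < n; i += 8) {
                lo = b[i]   + 256 * (b[i+1] + 256 * (b[i+2] + 256 * b[i+3]))
                hi = b[i+4] + 256 * (b[i+5] + 256 * (b[i+6] + 256 * b[i+7]))
                if (lo <= ip + 0 && ip + 0 <= hi) exit 0
            }
            exit 1
        }'
}

# geoip_country_of DIR IP -> prints the code of every DIR/XX.iv0 containing IP
geoip_country_of() {
    ip_to_int "$2" >/dev/null || return 2
    for _f in "$1"/*.iv0; do
        [ -e "$_f" ] || continue
        if iv0_contains "$_f" "$2"; then
            basename "$_f" .iv0
        fi
    done
}

# make_sample_db DIR -> writes two constructed files for trying the functions
make_sample_db() {
    # XA: 192.0.2.0 - 192.0.2.255
    printf '\000\002\000\300\377\002\000\300' > "$1/XA.iv0"
    # XB: 198.51.100.0 - 198.51.100.255 and 203.0.113.0 - 203.0.113.127
    printf '\000\144\063\306\377\144\063\306\000\161\000\313\177\161\000\313' > "$1/XB.iv0"
}
```

Running `geoip_country_of /var/geoip/LE <address>` for the addresses the server itself depends on shows which country codes must stay off the block list.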
Thanks a lot for this! I got this working using the hint from Casey. How would I go about blocking everything but one country on a single port? For instance, I want to block access to port 22 (ssh) from all countries but Denmark?
I have followed this tutorial step by step; everything is described: how to install and use iptables with geoip to block countries. http://terminal28.com/how-to-block-countries-using-iptables-debian/