HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Tips/Tricks/Mods (http://www.howtoforge.com/forums/forumdisplay.php?f=29)
-   -   HOWTO: Implement iptables blocking by Country (http://www.howtoforge.com/forums/showthread.php?t=49998)

drewb0y 12th November 2010 20:16

HOWTO: Implement iptables blocking by Country
 
This is the method that I used to implement IPtables blocking by country on my server (ISPConfig 3.0.3 - Debian Lenny 5.0.6 Perfect Server)

Credit goes to linus3x for pointing out the link that got me started
http://www.tuxj0b.de/GeoIP_for_iptables_on_Debian_Lenny

I basically followed all the directions there with a few additions for my environment.

First, I needed to add the package xz-utils because the latest xtables-addons package is in xz format.

Edit apt sources
Code:

nano /etc/apt/sources.list
add the line
Code:

deb http://backports.debian.org/debian-backports lenny-backports main
Update the package lists
Code:

apt-get update
Install xz-utils
Code:

aptitude install xz-utils
After this step I went back and removed the previously added line in sources.list just to prevent any future issues.

Next I wanted to update to a later version of iptables and add some other associated tools.

Edit apt sources
Code:

nano /etc/apt/sources.list
add the line
Code:

deb http://ftp.de.debian.org/debian squeeze main
Update the package lists
Code:

apt-get update
Install iptables and addons
Code:

apt-get -t testing install iptables
apt-get -t testing install iptables-dev
apt-get -t testing install xtables-addons-common

After this step I went back and removed the previously added line in sources.list just to prevent any future issues.

From the original instructions, install some other needed packages
Code:

aptitude install pkg-config libtext-csv-xs-perl linux-headers-`uname -r` iptables-dev
Next, create the necessary directories and download the needed GeoIPCountry files.
Code:

mkdir -p /var/geoip/LE /usr/src/GeoIP
wget -O /usr/src/GeoIP/GeoIPCountryCSV.zip http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
wget -O /usr/src/GeoIP/csv2bin-20041103.tar.gz http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
wget -O /usr/src/GeoIP/geoip_src.tar.bz2 http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
wget -O /usr/src/GeoIP/xtables-addons-1.31.tar.xz http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.31/xtables-addons-1.31.tar.xz

Next, extract all the files for install.
Code:

cd /usr/src/GeoIP
tar xf csv2bin-20041103.tar.gz
tar xf geoip_src.tar.bz2 geoip_csv_iv0.pl
unzip GeoIPCountryCSV.zip
xz -d xtables-addons-1.31.tar.xz
tar xf xtables-addons-1.31.tar

Next, configure and make xtables-addons.
Code:

cd xtables-addons-1.31
./configure --with-xtlibdir=/lib/xtables
make
make install

Next, make csv2bin
Code:

cd /usr/src/GeoIP/csv2bin
make

Next, run csv2bin on GeoIPCountryWhois.csv file. (I assume this just makes it a binary file)
Code:

cd /var/geoip
/usr/src/GeoIP/csv2bin/csv2bin /usr/src/GeoIP/GeoIPCountryWhois.csv

Next, run the GeoIP Perl script on that file.
Code:

cd /var/geoip/LE
perl /usr/src/GeoIP/geoip_csv_iv0.pl /usr/src/GeoIP/GeoIPCountryWhois.csv

Next, create a symbolic link in /usr/share pointing xt_geoip to /var/geoip
Code:

cd /usr/share
ln -s /var/geoip/ xt_geoip

Finally, add the countries you wish to exclude using the two-letter codes for each country. List to follow.
In the example below, I am excluding Ukraine, one of my big offenders.

Code:

iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
iptables -A INPUT -j GEOIP_REJECT

To decide which countries you want to exclude, just investigate your mail logs and/or your fail2ban log if you implemented the fail2ban postfix logging as in
http://www.howtoforge.com/forums/showthread.php?t=28781
(Thanks to edge for pointing that one out to me)

If you find later that you have blocked a country that your users need to send/receive mail from, you can add it back as below. Keep an eye on your mail queues, people.
If you add it back quickly enough, no one will know there was ever a block. Personally I prefer to just block and then remove it if it causes a problem. If you actually ask the users they will say they need to receive or send mail from everywhere, all the time. ; >

In my case, I noticed that I had some outgoing messages to Taiwan that were held in queue. So I want to unblock TAIWAN. The -D is for delete.

Code:

iptables -D GEOIP_REJECT -m geoip --src-cc TW -j REJECT
# the jump from INPUT to GEOIP_REJECT is already in place; it does not need to be added again

You can verify your blocks afterwards by using
Code:

iptables -L
For a list of commands, you can type
Code:

iptables -m geoip --help
I used http://www.infosniper.net/index.php to find out where the IP addresses were located and went from there.
I have already added 28 countries to be blocked entirely. My incoming mail traffic due to spam has been reduced significantly and the results were instantly visible.
If I did a tail -f of the mail log, before implementation it was almost too fast to even read, now it is at a much more reasonable pace.
I will see what the actual number reduction is after a couple of days.
Also, the zip file containing the list of countries and IP ranges gets updated on a monthly basis. More info can be found at:
http://www.maxmind.com/app/geolitecountry

Here are the country codes.
Code:

  74 ranges for A1 Anonymous Proxy
 2054 ranges for A2 Satellite Provider
  14 ranges for AD Andorra
  297 ranges for AE United Arab Emirates
  156 ranges for AF Afghanistan
  117 ranges for AG Antigua and Barbuda
  16 ranges for AI Anguilla
  53 ranges for AL Albania
  71 ranges for AM Armenia
  72 ranges for AN Netherlands Antilles
  108 ranges for AO Angola
  289 ranges for AP Asia/Pacific Region
  24 ranges for AQ Antarctica
  678 ranges for AR Argentina
  33 ranges for AS American Samoa
 1649 ranges for AT Austria
 2620 ranges for AU Australia
  30 ranges for AW Aruba
  124 ranges for AX Aland Islands
  46 ranges for AZ Azerbaijan
  106 ranges for BA Bosnia and Herzegovina
  65 ranges for BB Barbados
  307 ranges for BD Bangladesh
 2740 ranges for BE Belgium
  22 ranges for BF Burkina Faso
  486 ranges for BG Bulgaria
  73 ranges for BH Bahrain
  14 ranges for BI Burundi
  32 ranges for BJ Benin
  72 ranges for BM Bermuda
  15 ranges for BN Brunei Darussalam
  73 ranges for BO Bolivia
  480 ranges for BR Brazil
  42 ranges for BS Bahamas
    6 ranges for BT Bhutan
  15 ranges for BV Bouvet Island
  26 ranges for BW Botswana
  76 ranges for BY Belarus
  89 ranges for BZ Belize
 7267 ranges for CA Canada
  104 ranges for CD Congo, The Democratic Republic of the
  10 ranges for CF Central African Republic
  24 ranges for CG Congo
 2473 ranges for CH Switzerland
  46 ranges for CI Cote D'Ivoire
    4 ranges for CK Cook Islands
  396 ranges for CL Chile
  61 ranges for CM Cameroon
  998 ranges for CN China
  480 ranges for CO Colombia
  138 ranges for CR Costa Rica
  16 ranges for CU Cuba
    6 ranges for CV Cape Verde
  381 ranges for CY Cyprus
  864 ranges for CZ Czech Republic
12102 ranges for DE Germany
    8 ranges for DJ Djibouti
 1120 ranges for DK Denmark
  19 ranges for DM Dominica
  81 ranges for DO Dominican Republic
  61 ranges for DZ Algeria
  198 ranges for EC Ecuador
  191 ranges for EE Estonia
  233 ranges for EG Egypt
  10 ranges for ER Eritrea
 2641 ranges for ES Spain
  12 ranges for ET Ethiopia
 3236 ranges for EU Europe
  935 ranges for FI Finland
  19 ranges for FJ Fiji
    4 ranges for FK Falkland Islands (Malvinas)
    6 ranges for FM Micronesia, Federated States of
    9 ranges for FO Faroe Islands
 6214 ranges for FR France
  41 ranges for GA Gabon
13028 ranges for GB United Kingdom
  28 ranges for GD Grenada
  100 ranges for GE Georgia
    2 ranges for GF French Guiana
  86 ranges for GG Guernsey
  144 ranges for GH Ghana
  53 ranges for GI Gibraltar
    3 ranges for GL Greenland
    8 ranges for GM Gambia
  37 ranges for GN Guinea
  18 ranges for GP Guadeloupe
  12 ranges for GQ Equatorial Guinea
  673 ranges for GR Greece
  91 ranges for GT Guatemala
  39 ranges for GU Guam
    5 ranges for GW Guinea-Bissau
  11 ranges for GY Guyana
 1084 ranges for HK Hong Kong
  94 ranges for HN Honduras
  148 ranges for HR Croatia
  29 ranges for HT Haiti
  531 ranges for HU Hungary
  706 ranges for ID Indonesia
 1039 ranges for IE Ireland
  700 ranges for IL Israel
  94 ranges for IM Isle of Man
 1472 ranges for IN India
    7 ranges for IO British Indian Ocean Territory
  526 ranges for IQ Iraq
  377 ranges for IR Iran, Islamic Republic of
  85 ranges for IS Iceland
 2957 ranges for IT Italy
  80 ranges for JE Jersey
  73 ranges for JM Jamaica
  91 ranges for JO Jordan
 1730 ranges for JP Japan
  151 ranges for KE Kenya
  38 ranges for KG Kyrgyzstan
  67 ranges for KH Cambodia
    2 ranges for KI Kiribati
    5 ranges for KM Comoros
  56 ranges for KN Saint Kitts and Nevis
    5 ranges for KP Korea, Democratic People's Republic of
  622 ranges for KR Korea, Republic of
  160 ranges for KW Kuwait
  30 ranges for KY Cayman Islands
  173 ranges for KZ Kazakhstan
  14 ranges for LA Lao People's Democratic Republic
  220 ranges for LB Lebanon
  22 ranges for LC Saint Lucia
  68 ranges for LI Liechtenstein
  63 ranges for LK Sri Lanka
  56 ranges for LR Liberia
  10 ranges for LS Lesotho
  369 ranges for LT Lithuania
  368 ranges for LU Luxembourg
  284 ranges for LV Latvia
  97 ranges for LY Libyan Arab Jamahiriya
  92 ranges for MA Morocco
  40 ranges for MC Monaco
  121 ranges for MD Moldova, Republic of
  46 ranges for ME Montenegro
    4 ranges for MF Saint Martin
  20 ranges for MG Madagascar
    6 ranges for MH Marshall Islands
  69 ranges for MK Macedonia
  14 ranges for ML Mali
    3 ranges for MM Myanmar
  51 ranges for MN Mongolia
  30 ranges for MO Macau
    5 ranges for MP Northern Mariana Islands
  16 ranges for MQ Martinique
  19 ranges for MR Mauritania
  11 ranges for MS Montserrat
  107 ranges for MT Malta
  46 ranges for MU Mauritius
  17 ranges for MV Maldives
  41 ranges for MW Malawi
  571 ranges for MX Mexico
  478 ranges for MY Malaysia
  45 ranges for MZ Mozambique
  232 ranges for NA Namibia
  27 ranges for NC New Caledonia
  32 ranges for NE Niger
    3 ranges for NF Norfolk Island
  926 ranges for NG Nigeria
  74 ranges for NI Nicaragua
 6252 ranges for NL Netherlands
 1063 ranges for NO Norway
  54 ranges for NP Nepal
    3 ranges for NR Nauru
    1 ranges for NU Niue
  620 ranges for NZ New Zealand
  18 ranges for OM Oman
  173 ranges for PA Panama
  129 ranges for PE Peru
    9 ranges for PF French Polynesia
  21 ranges for PG Papua New Guinea
  441 ranges for PH Philippines
  267 ranges for PK Pakistan
 2532 ranges for PL Poland
    4 ranges for PM Saint Pierre and Miquelon
  842 ranges for PR Puerto Rico
  42 ranges for PS Palestinian Territory, Occupied
  586 ranges for PT Portugal
    4 ranges for PW Palau
  43 ranges for PY Paraguay
  34 ranges for QA Qatar
    7 ranges for RE Reunion
  977 ranges for RO Romania
  259 ranges for RS Serbia
 4061 ranges for RU Russian Federation
  14 ranges for RW Rwanda
  381 ranges for SA Saudi Arabia
    3 ranges for SB Solomon Islands
  36 ranges for SC Seychelles
  46 ranges for SD Sudan
 2106 ranges for SE Sweden
  868 ranges for SG Singapore
  366 ranges for SI Slovenia
  391 ranges for SK Slovakia
  42 ranges for SL Sierra Leone
  14 ranges for SM San Marino
  22 ranges for SN Senegal
  30 ranges for SO Somalia
  19 ranges for SR Suriname
    4 ranges for ST Sao Tome and Principe
  89 ranges for SV El Salvador
  48 ranges for SY Syrian Arab Republic
  22 ranges for SZ Swaziland
  13 ranges for TC Turks and Caicos Islands
  20 ranges for TD Chad
  10 ranges for TG Togo
  362 ranges for TH Thailand
  27 ranges for TJ Tajikistan
  10 ranges for TK Tokelau
    3 ranges for TL Timor-Leste
    6 ranges for TM Turkmenistan
  18 ranges for TN Tunisia
    4 ranges for TO Tonga
  654 ranges for TR Turkey
  34 ranges for TT Trinidad and Tobago
    1 ranges for TV Tuvalu
  465 ranges for TW Taiwan
  131 ranges for TZ Tanzania, United Republic of
 2282 ranges for UA Ukraine
  53 ranges for UG Uganda
  11 ranges for UM United States Minor Outlying Islands
19724 ranges for US United States
  85 ranges for UY Uruguay
  48 ranges for UZ Uzbekistan
    6 ranges for VA Holy See (Vatican City State)
  21 ranges for VC Saint Vincent and the Grenadines
  236 ranges for VE Venezuela
  90 ranges for VG Virgin Islands, British
  134 ranges for VI Virgin Islands, U.S.
  151 ranges for VN Vietnam
    6 ranges for VU Vanuatu
    2 ranges for WF Wallis and Futuna
  24 ranges for WS Samoa
  19 ranges for YE Yemen
    3 ranges for YT Mayotte
  579 ranges for ZA South Africa
  85 ranges for ZM Zambia
  70 ranges for ZW Zimbabwe

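As an added example (not from the post above or from the xtables-addons project), the following Python script does the mail-log review the post recommends: it loads a file in the GeoIPCountryWhois.csv layout that csv2bin consumes, tallies postfix reject lines by source country, and prints the GEOIP_REJECT command sequence from the post with the INPUT jump added exactly once. The range rows and log lines are constructed samples on RFC 5737 documentation addresses, and the reject threshold and function names are my own.

```python
"""Added example (not from the original post): pick countries to block by
tallying postfix reject lines against a GeoIPCountryWhois.csv-style range
file, then emit the GEOIP_REJECT commands with the INPUT jump added once."""
import bisect
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed excerpt in the GeoIPCountryWhois.csv layout that csv2bin reads:
# start_ip, end_ip, start_num, end_num, country_code, country_name.
# Addresses are RFC 5737 documentation blocks; the country tags are made up.
SAMPLE_CSV = '''\
"192.0.2.0","192.0.2.255","3221225984","3221226239","UA","Ukraine"
"198.51.100.0","198.51.100.255","3325256704","3325256959","TW","Taiwan"
"203.0.113.0","203.0.113.255","3405803776","3405804031","US","United States"
'''

# Constructed postfix log lines of the kind a mail log review turns up.
SAMPLE_LOG = '''\
Nov 12 09:00:01 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.17]: 554 5.7.1 Service unavailable
Nov 12 09:00:02 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 554 5.7.1 Service unavailable
Nov 12 09:00:03 mail postfix/smtpd[2203]: connect from mail.example.net[198.51.100.5]
Nov 12 09:00:04 mail postfix/smtpd[2204]: NOQUEUE: reject: RCPT from unknown[198.51.100.200]: 450 4.7.1 Greylisted
Nov 12 09:00:05 mail postfix/smtpd[2205]: NOQUEUE: reject: RCPT from unknown[192.0.2.250]: 554 5.7.1 Service unavailable
Nov 12 09:00:06 mail postfix/smtpd[2206]: NOQUEUE: reject: RCPT from unknown[10.1.2.3]: 554 5.7.1 Service unavailable
'''

REJECT_RE = re.compile(r"reject: RCPT from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def load_ranges(csv_text):
    """Return (starts, ends, codes) sorted by start address. The numeric
    columns are cross-checked against the dotted ones so that a corrupt or
    reformatted download fails loudly instead of mis-tagging traffic."""
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        start_ip, end_ip, start_num, end_num, code, _name = row
        lo, hi = int(start_num), int(end_num)
        if lo != int(ipaddress.IPv4Address(start_ip)) or hi != int(ipaddress.IPv4Address(end_ip)):
            raise ValueError("numeric and dotted columns disagree for %s" % start_ip)
        rows.append((lo, hi, code))
    rows.sort()
    return [r[0] for r in rows], [r[1] for r in rows], [r[2] for r in rows]

def country_of(ip, ranges):
    """Binary-search the range table; None when the address is not covered."""
    starts, ends, codes = ranges
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right(starts, n) - 1
    if i >= 0 and n <= ends[i]:
        return codes[i]
    return None

def rejects_by_country(log_text, ranges):
    """Count postfix RCPT rejects per source country; unmapped sources count as '??'."""
    tally = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            tally[country_of(m.group(1), ranges) or "??"] += 1
    return tally

def geoip_rules(codes, chain="GEOIP_REJECT"):
    """The command sequence from the post: one -N for the chain, one REJECT
    rule per country code, and exactly one jump from INPUT, so the chain is
    not referenced a dozen times after the commands are rerun."""
    cmds = ["iptables -N %s" % chain]
    for cc in sorted(set(codes)):
        if not re.fullmatch(r"[A-Z][A-Z0-9]", cc):
            raise ValueError("not a two-letter country code: %r" % cc)
        cmds.append("iptables -I %s -m geoip --src-cc %s -j REJECT" % (chain, cc))
    cmds.append("iptables -A INPUT -j %s" % chain)
    return cmds

def block_candidates(log_text, csv_text, threshold=2):
    """Country codes whose reject count reaches the (assumed) threshold."""
    tally = rejects_by_country(log_text, load_ranges(csv_text))
    return sorted(cc for cc, n in tally.items() if cc != "??" and n >= threshold)

if __name__ == "__main__":
    for cmd in geoip_rules(block_candidates(SAMPLE_LOG, SAMPLE_CSV)):
        print(cmd)
```

Point it at the real GeoIPCountryWhois.csv and a day of mail.log to get the same tally for your own traffic before deciding which codes to add.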

drewb0y 12th November 2010 20:22

Things to still be worked out.
 
1. How to remove a country from blocking that was added using this method.
(I assume it's some variation of the command used to add a country)

DONE - added to original post above.
2. Instructions for updating the Country-IP Range file.
3. What files need to be protected, or will be broken if there is ever an ISPConfig or debian system update.

Any suggestions, tips or improvements are welcome.
Also please check the HOWTO: Spam control for POSTFIX

linus3x 13th November 2010 01:29

It looks great, drewb0y!

Did you run into any conflicts between the ISPConfig 3 firewall and this Geo mod, specifically in the iptables?

biggdog 13th November 2010 03:09

Thanks for the info.
I would like to know how to implement this into the existing iptables or through ISPConfig 3.

I did this and once I rebooted I do not see it after an iptables -L
"iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
iptables -A INPUT -j GEOIP_REJECT"

I am not a complete newbie, but I am looking for some help if possible.

The "country codes" file I have set up is taken from your little example. I left out 4 countries.
7267 ranges for CA Canada
12102 ranges for DE Germany
13028 ranges for GB United Kingdom
19724 ranges for US United States
Germany is because I talk to Astaro.
The UK is for some downloads, I think.

If this helps anyone please feel free to use it.
Also, should we add an "ACCEPT" for those we want?

drewb0y 13th November 2010 13:49

Quote:

Originally Posted by linus3x (Post 244276)
It looks great, drewb0y!

Did you run into any conflicts between the ISPConfig 3 firewall and this Geo mod, specifically in the iptables?

No conflicts that I have seen yet. And if I do an iptables -L it shows me a nice list of all the countries I am blocking, and the fail2ban blocks as well.

drewb0y 13th November 2010 14:16

Quote:

Originally Posted by biggdog (Post 244279)
Thanks for the info.
I would like to know how to implement this into the existing iptables or through ISPConfig 3.

I did this and once I rebooted I do not see it after an iptables -L
"iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
iptables -A INPUT -j GEOIP_REJECT"

I am not a complete newbie, but I am looking for some help if possible.

The "country codes" file I have set up is taken from your little example. I left out 4 countries.
7267 ranges for CA Canada
12102 ranges for DE Germany
13028 ranges for GB United Kingdom
19724 ranges for US United States
Germany is because I talk to Astaro.
The UK is for some downloads, I think.

If this helps anyone please feel free to use it.
Also, should we add an "ACCEPT" for those we want?

I did not actually use a file of the countries to enter them, they were just listed above as a reference. So I would enter each individually with a separate command.

iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
then
iptables -A INPUT -j GEOIP_REJECT
after all have been entered
the first line
iptables -N GEOIP_REJECT
I only entered once

I have not actually rebooted yet myself, and rarely do actually,
Code:

uptime
 06:10:11 up 21 days,  7:48,  1 user,  load average: 0.01, 0.05, 0.01

so I'm not sure if it will fall out. My question is: did you check with an iptables -L before you rebooted? It may never have taken correctly in the first place. Here is an example of what your iptables -L output should look like if it's working.

Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
fail2ban-postfix  tcp  --  anywhere            anywhere            multiport dports smtp,ssmtp
fail2ban-postfix-spamers550  tcp  --  anywhere            anywhere            multiport dports smtp,ssmtp
fail2ban-ssh  tcp  --  anywhere            anywhere            multiport dports ssh
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           
GEOIP_REJECT  all  --  anywhere            anywhere           

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       

Chain GEOIP_REJECT (12 references)
target    prot opt source              destination       
REJECT    all  --  anywhere            anywhere            Source country: HN reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: MA reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: KP reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: KR reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: BY reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: NG reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: CM reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: KG reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: KZ reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: SG reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: BG reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: ZA reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: GD reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: PK reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: DO reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: CO reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: RS reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: CL reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: IQ reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: ID reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: AE reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: SA reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: BR reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: AR reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: PT reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: UA reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: VE reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: RU reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: RO reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: VN reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: TH reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: RW reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            Source country: CZ reject-with icmp-port-unreachable

Chain fail2ban-postfix (1 references)
target    prot opt source              destination       
(per-host DROP rules for banned mail senders omitted)
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-postfix-spamers550 (1 references)
target    prot opt source              destination       
(per-host DROP rules for banned mail senders omitted)
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-ssh (1 references)
target    prot opt source              destination       
DROP      all  --  218.1.114.75        anywhere           
RETURN    all  --  anywhere            anywhere

And yes fail2ban blocked someone from Shanghai trying to ssh into my box!

biggdog 15th November 2010 19:28

Yes, I did do an iptables -L twice, as I was not quite sure what I was looking at, but your answer about only adding the last line once gives me my answer. I think.


How about this now. Please notice the beginning and the end. I have also added a possible save directory for this string. I got this from another site I use; the person goes by "mr88talent".

Let me know if this could work while I am using ISPConfig 3, Debian Lenny 5.06 amd64.

Thanks.

All should be good.

drewb0y 16th November 2010 22:30

Quote:

Originally Posted by biggdog (Post 244441)
Yes, I did do an iptables -L twice, as I was not quite sure what I was looking at, but your answer about only adding the last line once gives me my answer. I think.


How about this now. Please notice the beginning and the end. I have also added a possible save directory for this string. I got this from another site I use; the person goes by "mr88talent".

Let me know if this could work while I am using ISPConfig 3, Debian Lenny 5.06 amd64.

Thanks.

All should be good.

Looks like it should work to me. That is a lot of countries to reject, but I guess I am rejecting a lot as well at 28 currently. Have you been able to verify that without doing the steps below the changes to iptables are not persistent on reboot?

Code:

iptables-save > /etc/GEOIP_REJECT
iptables-restore < /etc/GEOIP_REJECT

vi /etc/network/interfaces

And insert the following text in the blank line just below "iface lo inet loopback":
Code:

pre-up iptables-restore < /etc/GEOIP_REJECT


drewb0y 16th November 2010 22:46

Progress Update
 
Since implementing this as well as the fail2ban blocking, I have reduced the number of spam messages that postgrey has to deal with by about 100,000 messages a day.

on 11/6 my daily mail log statistics that are emailed to me said
Code:

149622 rejected (96%)
on 11/8 it went down to (I think that is after I did fail2ban)
Code:

23317 rejected (98%)
on 11/15 it is now at
Code:

4727 rejected (95%)
So the combination of fail2ban, postgrey and country blocking has made a huge difference in performance.

biggdog 17th November 2010 01:30

Yes, upon reboot I had nothing but fail2ban stuff and the original firewall stuff through ISPConfig 3 + 1 extra port.

As for Postgrey. I am currently using Astaro's postgrey. I have not implemented it into the webmail server yet.

