  #1  
Old 12th November 2010, 19:16
drewb0y drewb0y is offline
Senior Member
 
Join Date: Sep 2010
Posts: 103
Thanks: 10
Thanked 14 Times in 7 Posts
HOWTO: Implement iptables blocking by Country

This is the method that I used to implement iptables blocking by country on my server (ISPConfig 3.0.3 - Debian Lenny 5.0.6 Perfect Server)

Credit goes to linus3x for pointing out the link that got me started
http://www.tuxj0b.de/GeoIP_for_iptables_on_Debian_Lenny

I basically followed all the directions there with a few additions for my environment.

First, I needed to add the package xz-utils because the latest xtables-addons package is in xz format.

Edit apt sources
Code:
nano /etc/apt/sources.list
add the line
Code:
deb http://backports.debian.org/debian-backports lenny-backports main
Update the package lists
Code:
apt-get update
Install xz-utils
Code:
aptitude install xz-utils
After this step I went back and removed the previously added line in sources.list just to prevent any future issues.

Next I wanted to update to a later version of iptables and add some other associated tools.

Edit apt sources
Code:
nano /etc/apt/sources.list
add the line
Code:
deb http://ftp.de.debian.org/debian squeeze main
Update the package lists
Code:
apt-get update
Install iptables and addons
Code:
apt-get -t testing install iptables
apt-get -t testing install iptables-dev
apt-get -t testing install xtables-addons-common
After this step I went back and removed the previously added line in sources.list just to prevent any future issues.

From the original instructions, install some other needed packages
Code:
aptitude install pkg-config libtext-csv-xs-perl linux-headers-`uname -r` iptables-dev
Next, create the necessary directories and download the needed GeoIPCountry files.
Code:
mkdir -p /var/geoip/LE /usr/src/GeoIP
wget -O /usr/src/GeoIP/GeoIPCountryCSV.zip http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
wget -O /usr/src/GeoIP/csv2bin-20041103.tar.gz http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
wget -O /usr/src/GeoIP/geoip_src.tar.bz2 http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
wget -O /usr/src/GeoIP/xtables-addons-1.31.tar.xz http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.31/xtables-addons-1.31.tar.xz
Next, extract all the files for install.
Code:
 
cd /usr/src/GeoIP
tar xf csv2bin-20041103.tar.gz
tar xf geoip_src.tar.bz2 geoip_csv_iv0.pl
unzip GeoIPCountryCSV.zip
xz -d xtables-addons-1.31.tar.xz
tar xf xtables-addons-1.31.tar
Next, configure and make xtables-addons.
Code:
cd xtables-addons-1.31
./configure --with-xtlibdir=/lib/xtables
make
make install
Next, make csv2bin
Code:
 
cd /usr/src/GeoIP/csv2bin
make
Next, run csv2bin on GeoIPCountryWhois.csv file. (I assume this just makes it a binary file)
Code:
cd /var/geoip
/usr/src/GeoIP/csv2bin/csv2bin /usr/src/GeoIP/GeoIPCountryWhois.csv
Next, run the GeoIP perl script on that file.
Code:
 
cd /var/geoip/LE
perl /usr/src/GeoIP/geoip_csv_iv0.pl /usr/src/GeoIP/GeoIPCountryWhois.csv
Next, create a symbolic link in /usr/share pointing xt_geoip to /var/geoip
Code:
cd /usr/share
ln -s /var/geoip/ xt_geoip
Finally, add the countries you wish to exclude using the 2 letter codes for that country. List to follow.
In the example below, I am excluding Ukraine, one of my big offenders.

Code:
iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
iptables -A INPUT -j GEOIP_REJECT
To decide which countries you want to exclude, just investigate your mail logs and/or your fail2ban log if you implemented the fail2ban postfix logging as in
http://www.howtoforge.com/forums/showthread.php?t=28781
(Thanks to edge for pointing that one out to me)

If you find later that you have blocked a country that your users need to send/receive mail from, you can add it back as below. Keep an eye on your mail queues, people.
If you add it back quickly enough, no one will know there was ever a block. Personally I prefer to just block and then remove it if it causes a problem. If you actually ask the users they will say they need to receive or send mail from everywhere, all the time. ; >

In my case, I noticed that I had some outgoing messages to Taiwan that were held in queue. So I want to unblock TAIWAN. The -D is for delete.

Code:
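iptables -D GEOIP_REJECT -m geoip --src-cc TW -j REJECT
# The jump from INPUT to GEOIP_REJECT is already in place from the block step;
# repeating "iptables -A INPUT -j GEOIP_REJECT" here only appends a duplicate jump.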
You can verify your blocks afterwards by using
Code:
iptables -L
For a list of commands, you can type
Code:
iptables -m geoip --help
I used http://www.infosniper.net/index.php to find out where the IP addresses were located and went from there.
I have already added 28 countries to be blocked entirely. My incoming mail traffic due to spam has been reduced significantly and the results were instantly visible.
If I did a tail -f of the mail log, before implementation it was almost too fast to even read, now it is at a much more reasonable pace.
I will see what the actual number reduction is after a couple of days.
Also, the zip file containing the list of countries and IP ranges gets updated on a monthly basis. More info can be found at:
http://www.maxmind.com/app/geolitecountry

Here are the country codes.
Code:
   74 ranges for A1 Anonymous Proxy
 2054 ranges for A2 Satellite Provider
   14 ranges for AD Andorra
  297 ranges for AE United Arab Emirates
  156 ranges for AF Afghanistan
  117 ranges for AG Antigua and Barbuda
   16 ranges for AI Anguilla
   53 ranges for AL Albania
   71 ranges for AM Armenia
   72 ranges for AN Netherlands Antilles
  108 ranges for AO Angola
  289 ranges for AP Asia/Pacific Region
   24 ranges for AQ Antarctica
  678 ranges for AR Argentina
   33 ranges for AS American Samoa
 1649 ranges for AT Austria
 2620 ranges for AU Australia
   30 ranges for AW Aruba
  124 ranges for AX Aland Islands
   46 ranges for AZ Azerbaijan
  106 ranges for BA Bosnia and Herzegovina
   65 ranges for BB Barbados
  307 ranges for BD Bangladesh
 2740 ranges for BE Belgium
   22 ranges for BF Burkina Faso
  486 ranges for BG Bulgaria
   73 ranges for BH Bahrain
   14 ranges for BI Burundi
   32 ranges for BJ Benin
   72 ranges for BM Bermuda
   15 ranges for BN Brunei Darussalam
   73 ranges for BO Bolivia
  480 ranges for BR Brazil
   42 ranges for BS Bahamas
    6 ranges for BT Bhutan
   15 ranges for BV Bouvet Island
   26 ranges for BW Botswana
   76 ranges for BY Belarus
   89 ranges for BZ Belize
 7267 ranges for CA Canada
  104 ranges for CD Congo, The Democratic Republic of the
   10 ranges for CF Central African Republic
   24 ranges for CG Congo
 2473 ranges for CH Switzerland
   46 ranges for CI Cote D'Ivoire
    4 ranges for CK Cook Islands
  396 ranges for CL Chile
   61 ranges for CM Cameroon
  998 ranges for CN China
  480 ranges for CO Colombia
  138 ranges for CR Costa Rica
   16 ranges for CU Cuba
    6 ranges for CV Cape Verde
  381 ranges for CY Cyprus
  864 ranges for CZ Czech Republic
12102 ranges for DE Germany
    8 ranges for DJ Djibouti
 1120 ranges for DK Denmark
   19 ranges for DM Dominica
   81 ranges for DO Dominican Republic
   61 ranges for DZ Algeria
  198 ranges for EC Ecuador
  191 ranges for EE Estonia
  233 ranges for EG Egypt
   10 ranges for ER Eritrea
 2641 ranges for ES Spain
   12 ranges for ET Ethiopia
 3236 ranges for EU Europe
  935 ranges for FI Finland
   19 ranges for FJ Fiji
    4 ranges for FK Falkland Islands (Malvinas)
    6 ranges for FM Micronesia, Federated States of
    9 ranges for FO Faroe Islands
 6214 ranges for FR France
   41 ranges for GA Gabon
13028 ranges for GB United Kingdom
   28 ranges for GD Grenada
  100 ranges for GE Georgia
    2 ranges for GF French Guiana
   86 ranges for GG Guernsey
  144 ranges for GH Ghana
   53 ranges for GI Gibraltar
    3 ranges for GL Greenland
    8 ranges for GM Gambia
   37 ranges for GN Guinea
   18 ranges for GP Guadeloupe
   12 ranges for GQ Equatorial Guinea
  673 ranges for GR Greece
   91 ranges for GT Guatemala
   39 ranges for GU Guam
    5 ranges for GW Guinea-Bissau
   11 ranges for GY Guyana
 1084 ranges for HK Hong Kong
   94 ranges for HN Honduras
  148 ranges for HR Croatia
   29 ranges for HT Haiti
  531 ranges for HU Hungary
  706 ranges for ID Indonesia
 1039 ranges for IE Ireland
  700 ranges for IL Israel
   94 ranges for IM Isle of Man
 1472 ranges for IN India
    7 ranges for IO British Indian Ocean Territory
  526 ranges for IQ Iraq
  377 ranges for IR Iran, Islamic Republic of
   85 ranges for IS Iceland
 2957 ranges for IT Italy
   80 ranges for JE Jersey
   73 ranges for JM Jamaica
   91 ranges for JO Jordan
 1730 ranges for JP Japan
  151 ranges for KE Kenya
   38 ranges for KG Kyrgyzstan
   67 ranges for KH Cambodia
    2 ranges for KI Kiribati
    5 ranges for KM Comoros
   56 ranges for KN Saint Kitts and Nevis
    5 ranges for KP Korea, Democratic People's Republic of
  622 ranges for KR Korea, Republic of
  160 ranges for KW Kuwait
   30 ranges for KY Cayman Islands
  173 ranges for KZ Kazakhstan
   14 ranges for LA Lao People's Democratic Republic
  220 ranges for LB Lebanon
   22 ranges for LC Saint Lucia
   68 ranges for LI Liechtenstein
   63 ranges for LK Sri Lanka
   56 ranges for LR Liberia
   10 ranges for LS Lesotho
  369 ranges for LT Lithuania
  368 ranges for LU Luxembourg
  284 ranges for LV Latvia
   97 ranges for LY Libyan Arab Jamahiriya
   92 ranges for MA Morocco
   40 ranges for MC Monaco
  121 ranges for MD Moldova, Republic of
   46 ranges for ME Montenegro
    4 ranges for MF Saint Martin
   20 ranges for MG Madagascar
    6 ranges for MH Marshall Islands
   69 ranges for MK Macedonia
   14 ranges for ML Mali
    3 ranges for MM Myanmar
   51 ranges for MN Mongolia
   30 ranges for MO Macau
    5 ranges for MP Northern Mariana Islands
   16 ranges for MQ Martinique
   19 ranges for MR Mauritania
   11 ranges for MS Montserrat
  107 ranges for MT Malta
   46 ranges for MU Mauritius
   17 ranges for MV Maldives
   41 ranges for MW Malawi
  571 ranges for MX Mexico
  478 ranges for MY Malaysia
   45 ranges for MZ Mozambique
  232 ranges for NA Namibia
   27 ranges for NC New Caledonia
   32 ranges for NE Niger
    3 ranges for NF Norfolk Island
  926 ranges for NG Nigeria
   74 ranges for NI Nicaragua
 6252 ranges for NL Netherlands
 1063 ranges for NO Norway
   54 ranges for NP Nepal
    3 ranges for NR Nauru
    1 ranges for NU Niue
  620 ranges for NZ New Zealand
   18 ranges for OM Oman
  173 ranges for PA Panama
  129 ranges for PE Peru
    9 ranges for PF French Polynesia
   21 ranges for PG Papua New Guinea
  441 ranges for PH Philippines
  267 ranges for PK Pakistan
 2532 ranges for PL Poland
    4 ranges for PM Saint Pierre and Miquelon
  842 ranges for PR Puerto Rico
   42 ranges for PS Palestinian Territory, Occupied
  586 ranges for PT Portugal
    4 ranges for PW Palau
   43 ranges for PY Paraguay
   34 ranges for QA Qatar
    7 ranges for RE Reunion
  977 ranges for RO Romania
  259 ranges for RS Serbia
 4061 ranges for RU Russian Federation
   14 ranges for RW Rwanda
  381 ranges for SA Saudi Arabia
    3 ranges for SB Solomon Islands
   36 ranges for SC Seychelles
   46 ranges for SD Sudan
 2106 ranges for SE Sweden
  868 ranges for SG Singapore
  366 ranges for SI Slovenia
  391 ranges for SK Slovakia
   42 ranges for SL Sierra Leone
   14 ranges for SM San Marino
   22 ranges for SN Senegal
   30 ranges for SO Somalia
   19 ranges for SR Suriname
    4 ranges for ST Sao Tome and Principe
   89 ranges for SV El Salvador
   48 ranges for SY Syrian Arab Republic
   22 ranges for SZ Swaziland
   13 ranges for TC Turks and Caicos Islands
   20 ranges for TD Chad
   10 ranges for TG Togo
  362 ranges for TH Thailand
   27 ranges for TJ Tajikistan
   10 ranges for TK Tokelau
    3 ranges for TL Timor-Leste
    6 ranges for TM Turkmenistan
   18 ranges for TN Tunisia
    4 ranges for TO Tonga
  654 ranges for TR Turkey
   34 ranges for TT Trinidad and Tobago
    1 ranges for TV Tuvalu
  465 ranges for TW Taiwan
  131 ranges for TZ Tanzania, United Republic of
 2282 ranges for UA Ukraine
   53 ranges for UG Uganda
   11 ranges for UM United States Minor Outlying Islands
19724 ranges for US United States
   85 ranges for UY Uruguay
   48 ranges for UZ Uzbekistan
    6 ranges for VA Holy See (Vatican City State)
   21 ranges for VC Saint Vincent and the Grenadines
  236 ranges for VE Venezuela
   90 ranges for VG Virgin Islands, British
  134 ranges for VI Virgin Islands, U.S.
  151 ranges for VN Vietnam
    6 ranges for VU Vanuatu
    2 ranges for WF Wallis and Futuna
   24 ranges for WS Samoa
   19 ranges for YE Yemen
    3 ranges for YT Mayotte
  579 ranges for ZA South Africa
   85 ranges for ZM Zambia
   70 ranges for ZW Zimbabwe
__________________
ISPConfig 3.0.5.4p1 - The Perfect Server - Debian Wheezy (nginx, BIND, Dovecot, ISPConfig 3)
Installed on Debian 7.6 on a KVM VPS

Last edited by drewb0y; 13th November 2010 at 12:57. Reason: Additional information
Reply With Quote
The Following 4 Users Say Thank You to drewb0y For This Useful Post:
ByteMe Networking (7th December 2010), falko (13th November 2010), linus3x (13th November 2010), zbuzanic (7th March 2012)
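
An added example, not part of drewb0y's post: one way to turn the fail2ban log into a per-country tally using the same GeoIPCountryWhois.csv that the steps above download, so the block list is chosen from counts instead of by eye. The function names, the fail2ban log line layout, and the sample CSV rows and log lines (documentation address ranges with made-up country assignments) are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: count distinct fail2ban-banned IPs per GeoIP country.
LC_ALL=C; export LC_ALL   # stable sort order and ASCII-only matching

# bans_by_country CSV LOG
#   CSV: GeoIPCountryWhois.csv layout
#        "first_ip","last_ip","first_num","last_num","CC","Country"
#        (assumed sorted ascending by first_num and non-overlapping)
#   LOG: fail2ban log; only lines containing " Ban <ip>" are counted
# Prints "<count> <CC>" lines, highest count first; "??" means no range matched.
bans_by_country() {
    awk '
    function ip2num(ip,    p) {
        if (split(ip, p, ".") != 4) return -1
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    BEGIN { n = 0 }
    FNR == NR {                      # first file: the GeoIP CSV
        if (split($0, f, "\"") < 11) next   # skip malformed rows
        first[n] = f[6] + 0; last[n] = f[8] + 0; cc[n] = f[10]; n++
        next
    }
    / Ban / {                        # second file: "Unban" does not match
        ip = $NF
        if (ip in seen) next         # count each address once
        seen[ip] = 1
        num = ip2num(ip); code = "??"
        lo = 0; hi = n - 1
        while (lo <= hi) {           # binary search over the sorted ranges
            mid = int((lo + hi) / 2)
            if (num < first[mid]) hi = mid - 1
            else if (num > last[mid]) lo = mid + 1
            else { code = cc[mid]; break }
        }
        count[code]++
    }
    END { for (c in count) print count[c], c }
    ' "$1" "$2" | sort -k1,1nr -k2,2
}

# demo_bans: run the tally over constructed sample data.
demo_bans() {
    tmp=$(mktemp -d) || return 1
    # Constructed rows: documentation ranges, country codes assigned for the demo.
    cat > "$tmp/geo.csv" <<'EOF'
"192.0.2.0","192.0.2.255","3221225984","3221226239","UA","Ukraine"
"198.51.100.0","198.51.100.255","3325256704","3325256959","DE","Germany"
"203.0.113.0","203.0.113.255","3405803776","3405804031","TW","Taiwan"
EOF
    # Constructed log lines in an assumed fail2ban layout.
    cat > "$tmp/fail2ban.log" <<'EOF'
2010-11-12 19:16:01,204 fail2ban.actions: WARNING [postfix] Ban 192.0.2.10
2010-11-12 19:17:44,871 fail2ban.actions: WARNING [postfix] Ban 192.0.2.77
2010-11-12 19:20:13,002 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2010-11-12 19:30:01,650 fail2ban.actions: WARNING [postfix] Unban 192.0.2.10
2010-11-12 19:41:09,118 fail2ban.actions: WARNING [postfix] Ban 192.0.2.10
2010-11-12 19:45:30,440 fail2ban.actions: WARNING [postfix] Ban 10.1.2.3
EOF
    bans_by_country "$tmp/geo.csv" "$tmp/fail2ban.log"
    rm -rf "$tmp"
}

demo_bans
```

On a real server the two arguments would be the extracted CSV under /usr/src/GeoIP and the fail2ban log file; a large "??" count means the CSV is stale or the addresses are private.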
  #2  
Old 12th November 2010, 19:22
drewb0y drewb0y is offline
Senior Member
 
Join Date: Sep 2010
Posts: 103
Thanks: 10
Thanked 14 Times in 7 Posts
Things to still be worked out.

1. How to remove a country from blocking that was added using this method.
(I assume it's some variation of the command used to add a country)

DONE - added to original post above.
2. Instructions for updating the Country-IP Range file.
3. What files need to be protected, or will be broken if there is ever an ISPConfig or debian system update.

Any suggestions, tips or improvements, are welcomed.
Also please check the HOWTO: Spam control for POSTFIX

Last edited by drewb0y; 13th November 2010 at 12:59.
Reply With Quote
  #3  
Old 13th November 2010, 00:29
linus3x linus3x is offline
Junior Member
 
Join Date: Oct 2010
Posts: 16
Thanks: 2
Thanked 4 Times in 3 Posts

It looks great, drewb0y!

Did you run into any conflicts between the ISPConfig 3 firewall and this Geo mod, specifically in the iptables?
Reply With Quote
  #4  
Old 13th November 2010, 02:09
biggdog biggdog is offline
Member
 
Join Date: Nov 2010
Posts: 61
Thanks: 3
Thanked 5 Times in 5 Posts

Thanks for the info.
I would like to know how to implement this into the existing iptables or through ispconfig3.

I did this and once I rebooted I do not see it after an iptables -L
"iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
iptables -A INPUT -j GEOIP_REJECT"

I am not a complete nube but I am looking for some help if possible.

The file I have, "Country Codes setup", is taken from your little example. I left out 4 countries.
7267 ranges for CA Canada
12102 ranges for DE Germany
13028 ranges for GB United Kingdom
19724 ranges for US United States
Germany is because I talk to astaro
The UK is for some downloads I think.

If this helps anyone please feel free to use it.
Also, should we add an "ACCEPT" for those we want?
Attached Files
File Type: txt Country Codes setup.txt (27.3 KB, 323 views)
Reply With Quote
  #5  
Old 13th November 2010, 12:49
drewb0y drewb0y is offline
Senior Member
 
Join Date: Sep 2010
Posts: 103
Thanks: 10
Thanked 14 Times in 7 Posts

Quote:
Originally Posted by linus3x View Post
It looks great, drewb0y!

Did you run into any conflicts between the ISPConfig 3 firewall and this Geo mod, specifically in the iptables?
No conflicts that I have seen yet. And if I do an iptables -L it shows me a nice list of all the countries I am blocking, and the fail2ban blocks as well.
Reply With Quote
  #6  
Old 13th November 2010, 13:16
drewb0y drewb0y is offline
Senior Member
 
Join Date: Sep 2010
Posts: 103
Thanks: 10
Thanked 14 Times in 7 Posts

Quote:
Originally Posted by biggdog View Post
Thanks for the info.
I would like to know how to implement this into the existing iptables or through ispconfig3.

I did this and once I rebooted I do not see it after an iptables -L
"iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
iptables -A INPUT -j GEOIP_REJECT"

I am not a complete nube but I am looking for some help if possible.

The file I have, "Country Codes setup", is taken from your little example. I left out 4 countries.
7267 ranges for CA Canada
12102 ranges for DE Germany
13028 ranges for GB United Kingdom
19724 ranges for US United States
Germany is because I talk to astaro
The UK is for some downloads I think.

If this helps anyone please feel free to use it.
Also, should we add an "ACCEPT" for those we want?
I did not actually use a file of the countries to enter them, they were just listed above as a reference. So I would enter each individually with a separate command.

iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
then
iptables -A INPUT -j GEOIP_REJECT
after all have been entered
the first line
iptables -N GEOIP_REJECT
I only entered once

I have not actually rebooted yet myself, and rarely do actually,
Code:
uptime
 06:10:11 up 21 days,  7:48,  1 user,  load average: 0.01, 0.05, 0.01
so I'm not sure if it will fall out. My question is did you check with an iptables -L before you rebooted? It may never have taken correctly in the first place. Here is an example of what your iptables -L output should look like if it's working.

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-postfix  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp 
fail2ban-postfix-spamers550  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp 
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh 
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            
GEOIP_REJECT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain GEOIP_REJECT (12 references)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            Source country: HN reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: MA reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: KP reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: KR reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: BY reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: NG reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: CM reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: KG reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: KZ reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: SG reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: BG reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: ZA reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: GD reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: PK reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: DO reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: CO reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: RS reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: CL reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: IQ reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: ID reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: AE reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: SA reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: BR reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: AR reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: PT reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: UA reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: VE reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: RU reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: RO reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: VN reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: TH reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: RW reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            Source country: CZ reject-with icmp-port-unreachable 

Chain fail2ban-postfix (1 references)
target     prot opt source               destination         
DROP       all  --  117.200.250.116      anywhere            
DROP       all  --  217.29.122.151       anywhere            
DROP       all  --  193.251.223.82       anywhere            
DROP       all  --  117.195.68.191       anywhere            
DROP       all  --  90.91.56.190.dsl.intelnet.net.gt  anywhere            
DROP       all  --  triband-del-59.178.55.168.bol.net.in  anywhere            
DROP       all  --  59.93.163.7          anywhere            
DROP       all  --  93.Red-88-17-1.dynamicIP.rima-tde.net  anywhere            
DROP       all  --  221.207.145.66       anywhere            
DROP       all  --  ge-3-3-0-core-as12455.orange.co.ke  anywhere            
DROP       all  --  gw.pslpom.datec.net.pg  anywhere            
DROP       all  --  ABTS-North-Dynamic-219.143.163.122.airtelbroadband.in  anywhere            
DROP       all  --  124.106.81.18        anywhere            
DROP       all  --  124.93.248.250       anywhere            
DROP       all  --  117.201.75.26        anywhere            
DROP       all  --  triband-del-59.178.55.177.bol.net.in  anywhere            
DROP       all  --  59.164.1.54.man-dynamic.vsnl.net.in  anywhere            
DROP       all  --  94-75-91-245.home.aster.pl  anywhere            
DROP       all  --  ABTS-North-Dynamic-130.124.161.122.airtelbroadband.in  anywhere            
DROP       all  --  ABTS-MP-Dynamic-064.130.175.122.airtelbroadband.in  anywhere            
DROP       all  --  116.73.241.33        anywhere            
DROP       all  --  ABTS-TN-dynamic-203.190.178.122.airtelbroadband.in  anywhere            
DROP       all  --  221.218.19.95.dynamic.jazztel.es  anywhere            
DROP       all  --  ABTS-North-Dynamic-224.13.173.122.airtelbroadband.in  anywhere            
DROP       all  --  222.168.13.180       anywhere            
DROP       all  --  IGLD-80-230-5-86.inter.net.il  anywhere            
DROP       all  --  117.199.105.63       anywhere            
DROP       all  --  80.191.174.8         anywhere            
DROP       all  --  60.6.156.46          anywhere            
DROP       all  --  91.99.155.189.parsonline.net  anywhere            
DROP       all  --  196.2.11.86          anywhere            
DROP       all  --  120.56.149.193       anywhere            
DROP       all  --  c-98-250-181-247.hsd1.mi.comcast.net  anywhere            
DROP       all  --  42.73.148.190.dsl.intelnet.net.gt  anywhere            
DROP       all  --  adsl-ull-55-153.46-151.net24.it  anywhere            
DROP       all  --  186-40-183-76.bam.movistar.cl  anywhere            
DROP       all  --  user-46-113-14-85.play-internet.pl  anywhere            
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-postfix-spamers550 (1 references)
target     prot opt source               destination         
DROP       all  --  117.200.250.116      anywhere            
DROP       all  --  217.29.122.151       anywhere            
DROP       all  --  193.251.223.82       anywhere            
DROP       all  --  117.195.68.191       anywhere            
DROP       all  --  90.91.56.190.dsl.intelnet.net.gt  anywhere            
DROP       all  --  triband-del-59.178.55.168.bol.net.in  anywhere            
DROP       all  --  59.93.163.7          anywhere            
DROP       all  --  93.Red-88-17-1.dynamicIP.rima-tde.net  anywhere            
DROP       all  --  221.207.145.66       anywhere            
DROP       all  --  ge-3-3-0-core-as12455.orange.co.ke  anywhere            
DROP       all  --  gw.pslpom.datec.net.pg  anywhere            
DROP       all  --  ABTS-North-Dynamic-219.143.163.122.airtelbroadband.in  anywhere            
DROP       all  --  124.106.81.18        anywhere            
DROP       all  --  124.93.248.250       anywhere            
DROP       all  --  117.201.75.26        anywhere            
DROP       all  --  triband-del-59.178.55.177.bol.net.in  anywhere            
DROP       all  --  59.164.1.54.man-dynamic.vsnl.net.in  anywhere            
DROP       all  --  94-75-91-245.home.aster.pl  anywhere            
DROP       all  --  ABTS-North-Dynamic-130.124.161.122.airtelbroadband.in  anywhere            
DROP       all  --  ABTS-MP-Dynamic-064.130.175.122.airtelbroadband.in  anywhere            
DROP       all  --  116.73.241.33        anywhere            
DROP       all  --  ABTS-TN-dynamic-203.190.178.122.airtelbroadband.in  anywhere            
DROP       all  --  221.218.19.95.dynamic.jazztel.es  anywhere            
DROP       all  --  ABTS-North-Dynamic-224.13.173.122.airtelbroadband.in  anywhere            
DROP       all  --  222.168.13.180       anywhere            
DROP       all  --  IGLD-80-230-5-86.inter.net.il  anywhere            
DROP       all  --  117.199.105.63       anywhere            
DROP       all  --  80.191.174.8         anywhere            
DROP       all  --  60.6.156.46          anywhere            
DROP       all  --  91.99.155.189.parsonline.net  anywhere            
DROP       all  --  196.2.11.86          anywhere            
DROP       all  --  120.56.149.193       anywhere            
DROP       all  --  85-171-140-43.rev.numericable.fr  anywhere            
DROP       all  --  CPE-124-188-250-92.ezsb1.cht.bigpond.net.au  anywhere            
DROP       all  --  host86-138-180-66.range86-138.btcentralplus.com  anywhere            
DROP       all  --  41.199.43.124        anywhere            
DROP       all  --  20129147022.user.veloxzone.com.br  anywhere            
DROP       all  --  201-27-80-169.dsl.telesp.net.br  anywhere            
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
DROP       all  --  218.1.114.75         anywhere            
RETURN     all  --  anywhere             anywhere
And yes fail2ban blocked someone from Shanghai trying to ssh into my box!
Reply With Quote
  #7  
Old 15th November 2010, 18:28
biggdog biggdog is offline
Member
 
Join Date: Nov 2010
Posts: 61
Thanks: 3
Thanked 5 Times in 5 Posts

Yes I did do an iptables -L twice as I was not quite sure what I was looking at but your answer about only adding in the last line once gives me my answer. I think.


How about this now. Please notice the beginning and the end. I have also added a possible save directory for this string. I got this from another site I use; the person goes by "mr88talent"

Let me know if this could work while I am using ispconfig 3 debian lenny 5.06 amd64.

Thanks.

All should Be good
Attached Files
File Type: txt Country Codes setup.txt (21.3 KB, 266 views)

Last edited by biggdog; 15th November 2010 at 20:03. Reason: The file is incorrect
Reply With Quote
  #8  
Old 16th November 2010, 21:30
drewb0y drewb0y is offline
Senior Member
 
Join Date: Sep 2010
Posts: 103
Thanks: 10
Thanked 14 Times in 7 Posts

Quote:
Originally Posted by biggdog View Post
Yes I did do an iptables -L twice as I was not quite sure what I was looking at but your answer about only adding in the last line once gives me my answer. I think.


How about this now. Please notice the beginning and the end. I have also added a possible save directory for this string. I got this from another site I use; the person goes by "mr88talent"

Let me know if this could work while I am using ispconfig 3 debian lenny 5.06 amd64.

Thanks.

All should Be good
Looks like it should work to me. That is a lot of countries to reject, but I guess I am rejecting a lot as well at 28 currently. Have you been able to verify that without doing the steps below the changes to iptables are not persistent on reboot?

Code:
iptables-save > /etc/GEOIP_REJECT
iptables-restore < /etc/GEOIP_REJECT

vi /etc/network/interfaces

And insert the following text in the blank line just below "iface lo inet loopback":
pre-up iptables-restore < /etc/GEOIP_REJECT
Reply With Quote
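
An added example, not code from the thread: a generator for an iptables-restore fragment that holds only the GEOIP_REJECT chain, so it can be loaded with `iptables-restore --noflush` without also saving and replaying the fail2ban chains that a full `iptables-save` captures. It goes beyond the posts in two labelled ways: the INPUT jump is emitted exactly once and matches only new connections (so replies to outgoing mail, as in the Taiwan case, are not rejected), and the function names and the boot/reload modes are hypothetical.

```shell
#!/bin/sh
# Added example: emit an iptables-restore fragment for the GEOIP_REJECT chain only.
LC_ALL=C; export LC_ALL   # make [A-Z] match ASCII upper case only

# valid_cc CODE: succeed if CODE has the shape of a GeoIP country code
# from the list in the first post (UA, TW, A1, A2, ...).
valid_cc() {
    case "$1" in
        [A-Z][A-Z0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_geoip_rules MODE CC...
#   MODE boot   : chain contents plus ONE jump from INPUT (load once at boot)
#   MODE reload : chain contents only; loaded with --noflush this replaces the
#                 rules in GEOIP_REJECT and leaves INPUT and other chains alone
# Duplicate codes are collapsed; an invalid code aborts with no output.
gen_geoip_rules() {
    mode=$1; shift
    case "$mode" in
        boot|reload) ;;
        *) echo "mode must be boot or reload" >&2; return 2 ;;
    esac
    seen=" "
    rules=""
    for cc in "$@"; do
        if ! valid_cc "$cc"; then
            echo "invalid country code: $cc" >&2
            return 1
        fi
        case "$seen" in *" $cc "*) continue ;; esac
        seen="$seen$cc "
        rules="${rules}-A GEOIP_REJECT -m geoip --src-cc $cc -j REJECT
"
    done
    [ -n "$rules" ] || { echo "no country codes given" >&2; return 1; }
    echo "*filter"
    echo ":GEOIP_REJECT - [0:0]"
    printf '%s' "$rules"
    if [ "$mode" = boot ]; then
        # Assumption beyond the thread: only NEW inbound connections are sent
        # through the chain, so replies to outgoing connections still arrive.
        echo "-A INPUT -m conntrack --ctstate NEW -j GEOIP_REJECT"
    fi
    echo "COMMIT"
}

# Demo: boot-time fragment for two codes used in the thread.
gen_geoip_rules boot UA TW
```

The output would be written to a file such as the /etc/GEOIP_REJECT used above and loaded with `iptables-restore --noflush < file` from the same pre-up hook.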
  #9  
Old 16th November 2010, 21:46
drewb0y drewb0y is offline
Senior Member
 
Join Date: Sep 2010
Posts: 103
Thanks: 10
Thanked 14 Times in 7 Posts
Progress Update

Since implementing this as well as the fail2ban blocking, I have reduced the number of spam messages that postgrey has to deal with by about 100,000 messages a day.

on 11/6 my daily mail log statistics that are emailed to me said
Code:
149622 rejected (96%)
on 11/8 it went down to (I think that is after I did fail2ban)
Code:
23317 rejected (98%)
on 11/15 it is now at
Code:
4727 rejected (95%)
So the combination of fail2ban, postgrey and country blocking has made a huge difference in performance.
Reply With Quote
  #10  
Old 17th November 2010, 00:30
biggdog biggdog is offline
Member
 
Join Date: Nov 2010
Posts: 61
Thanks: 3
Thanked 5 Times in 5 Posts
 

Yes upon reboot I had nothing but Fail2ban stuff and the original firewall stuff through ispconfig3 + 1 extra port.

As for Postgrey. I am currently using Astaro's postgrey. I have not implemented it into the webmail server yet.
Reply With Quote