#1
20th November 2010, 10:46
Combikrist
Junior Member

Firewall "upgrade"?

Hi there!

I'm running a virtual server at hosteurope.de
First I used PLESK, but it is quite heavy to run for the vserver.
So I tried ISPConfig.

Ubuntu 8.04.1, freshly installed with ISPConfig3.
It runs like a charm!

Now, I want to block Asianet and some other countries with my firewall.
On PLESK I used the integrated firewall-settings -have a look at the attachment-

How can I accomplish this with ISPConfig?
I tried to follow HOWTO: Implement iptables blocking by Country but I ran into some serious incompatibilities with Ubuntu 8.04


my regards
#2
21st November 2010, 08:32
drewb0y
Senior Member

Check out my post about blocking by countries.

HOWTO: Implement iptables blocking by Country

Hopefully that will help you out.
__________________
ISPConfig 3.0.5.4p1 - The Perfect Server - Debian Wheezy (nginx, BIND, Dovecot, ISPConfig 3)
Installed on Debian 7.6 on a KVM VPS
#3
21st November 2010, 09:43
Antennipasi
ISPConfig Developer

Quote:
Originally Posted by Combikrist View Post
Now, I want to block Asianet and some other countries with my firewall.
Sure you do with that list. Where have you found a list like that?

Even the first 58.*-rule blocks networks from:
Afghanistan
Australia
Bangladesh
China
Hong
India
Indonesia
Japan
Korea
Malaysia
New Zealand
Pakistan
Philippines
Singapore
Taiwan
Thailand
Vietnam

I did not even bother to check out the rest of them. They are _way_ too much.

Currently Maxmind's GeoIP-database has 289 net-blocks from Asia. With your current firewall implementation you need 289 for Asia-rules to prevent blocking countries you (or your clients?) don't want to block.

I suggest you try again with drewb0y's HOWTO.
#4
22nd November 2010, 10:10
Combikrist
Junior Member

Quote:
Originally Posted by Antennipasi View Post
Sure you do with that list. Where have you found a list like that?
I created it.

I blocked the complete APNIC Range, and some of the AFRINIC ranges.





You can find the ranges here:
some
AFRINIC
APNIC
some more


Now I added the DROPs to my iptables with the following commandline commands:

Code:
iptables -I INPUT -s 58.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 59.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 60.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 61.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 121.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 122.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 123.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 124.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 125.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 126.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 202.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 203.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 210.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 211.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 218.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 219.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 220.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 221.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 222.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 200.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 201.0.0.0/255.0.0.0 -j DROP
iptables -I INPUT -s 66.196.0.0/255.255.0.0 -j DROP
iptables -I INPUT -s 206.141.193.0/255.255.255.0 -j DROP
iptables -I INPUT -s 180.168.0.0/255.255.0.0 -j DROP

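Antennipasi's point about the 58.* rule can be checked mechanically: compare each rule's `-s` argument with a per-country netblock table and list every country it overlaps. The following is an added example, not code from any post in this thread; `SAMPLE_GEOIP` is a constructed stand-in for a GeoIP country database (not real allocations), and the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed (netblock, country) rows standing in for a GeoIP country
# database such as the one mentioned above; NOT real allocations.
SAMPLE_GEOIP = [
    ("58.0.0.0/15", "JP"),
    ("58.2.0.0/16", "IN"),
    ("58.6.0.0/15", "AU"),
    ("58.14.0.0/15", "CN"),
    ("58.16.0.0/14", "CN"),
    ("58.20.0.0/14", "CN"),
    ("59.0.0.0/11", "KR"),
]

def countries_hit(rule_src, geoip=SAMPLE_GEOIP):
    """Return the sorted countries whose netblocks overlap one -s argument."""
    rule = ipaddress.ip_network(rule_src, strict=False)  # accepts a.b.c.d/netmask
    return sorted({cc for net, cc in geoip
                   if rule.overlaps(ipaddress.ip_network(net))})

def audit(commands, geoip=SAMPLE_GEOIP):
    """Map the -s argument of each iptables command to the countries it drops."""
    report = {}
    for line in commands.strip().splitlines():
        args = shlex.split(line)
        if "-s" in args:
            src = args[args.index("-s") + 1]
            report[src] = countries_hit(src, geoip)
    return report

def narrow_rules(blocked, geoip=SAMPLE_GEOIP):
    """Emit one DROP rule per netblock of the blocked countries, merging
    adjacent blocks so the rule count stays as low as possible."""
    nets = [ipaddress.ip_network(net) for net, cc in geoip if cc in blocked]
    return [f"iptables -I INPUT -s {n} -j DROP"
            for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    rules = """
    iptables -I INPUT -s 58.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 59.0.0.0/255.0.0.0 -j DROP
    """
    for src, ccs in audit(rules).items():
        print(f"{src}: drops traffic from {', '.join(ccs)}")
    print("\n".join(narrow_rules({"CN"})))
```

With a real country database loaded in place of the sample rows, the same audit shows how far each /8 rule reaches beyond the countries that were meant to be blocked.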
#5
22nd November 2010, 12:50
Antennipasi
ISPConfig Developer

Quote:
Originally Posted by Combikrist View Post
I created it.

I blocked the complete APNIC Range, and some of the AFRINIC ranges.

Seems that you know how widely you are blocking countries, so I don't blame you any more.

You are doing it the right way. The currently used firewall implementation does not allow inserting custom rules.

All times are GMT +2.