Firewall "upgrade"?

Discussion in 'Tips/Tricks/Mods' started by Combikrist, Nov 20, 2010.

  1. Combikrist

    Combikrist New Member

    Hy there!

    I'm rinnung a virtual server at hosteurope.de
    First I used PLESK, but it is quite heavy to run for the vserver.
    So I tried ISPConfig.

    Ubuntu 8.04.1 fresh installed with ISPConfig3.
    It runs like a charm!

    Now, I want to block Asianet and some other countries with my firewall.
    On PLESK I used the integrated firewall-settings -have a look at the attachment-

    How can I accomplish this with ISPConfig?
    I tried to follow HOWTO: Implement iptables blocking by Country but I ran into some serious incompatibilities with Ubuntu 8.04 :eek:


    my regards
     

    Attached Files:

  2. drewb0y

    drewb0y Member

  3. Antennipasi

    Antennipasi ISPConfig Developer ISPConfig Developer

    Sure you do with that list. Where have you find list like that?

    Even firs 58.*-rule blocks networks from:
    Afghanistan
    Australia
    Bangladesh
    China
    Hong
    India
    Indonesia
    Japan
    Korea
    Malaysia
    New Zealand
    Pakistan
    Philippines
    Singapore
    Taiwan
    Thailand
    Vietnam

    I did not even bother to check out rest of them. They are _way_ too much.

    Currently Maxmind's GeoIP-database has 289 net-blocks from Asia. With your current firewall implementation you need 289 for Asia-rules to prevent blocking countries you (or your clients?) don't want to block.

    I suggest you try again with drewb0y's HOWTO.
     
  4. Combikrist

    Combikrist New Member

    I created it.

    I blocked the complete APNIC Range, and some of the AFRINIC ranges.

    [​IMG]



    You can find the ranges here:
    some
    AFRINIC
    APNIC
    some more


    Now I added the DROPs to my iptables with the following commandline commands:

    Code:
    iptables -I INPUT -s 58.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 59.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 60.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 61.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 121.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 122.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 123.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 124.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 125.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 126.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 202.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 203.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 210.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 211.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 218.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 219.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 220.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 221.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 222.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 200.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 201.0.0.0/255.0.0.0 -j DROP
    iptables -I INPUT -s 66.196.0.0/255.255.0.0 -j DROP
    iptables -I INPUT -s 206.141.193.0/255.255.255.0 -j DROP
    iptables -I INPUT -s 180.168.0.0/255.255.0.0 -j DROP
    

    :D
     
  5. Antennipasi

    Antennipasi ISPConfig Developer ISPConfig Developer

    Seems that you know how widely you are blocking countries, so i don't blame you more :)

    You are doing it right way. Currently used firewall implementation does not allow to insert custom rules.
     

Share This Page