HOWTO: Implement iptables blocking by Country

Discussion in 'Tips/Tricks/Mods' started by drewb0y, Nov 12, 2010.

  1. drewb0y

    drewb0y New Member

    This is the method that I used to implement IPtables blocking by country on my server (ISPConfig 3.0.3 - Debian Lenny 5.0.6 Perfect Server)

    Credit goes to linus3x for pointing out the link that got me started
    http://www.tuxj0b.de/GeoIP_for_iptables_on_Debian_Lenny

    I basically followed all the directions there with a few additions for my environment.

    First, I needed to add the package xz-utils because the latest xtables-addons package is in xz format.

    Edit apt sources
    Code:
    nano /etc/apt/sources.list
    add the line
    Code:
    deb http://backports.debian.org/debian-backports lenny-backports main
    Update the package lists
    Code:
    apt-get update
    Install xz-utils
    Code:
    aptitude install xz-utils
After this step I went back and removed the previously added line in sources.list just to prevent any future issues.

    Next I wanted to update to a later version of iptables and add some other associated tools.

    Edit apt sources
    Code:
    nano /etc/apt/sources.list
    add the line
    Code:
    deb http://ftp.de.debian.org/debian squeeze main
    Update the package lists
    Code:
    apt-get update
    Install iptables and addons
    Code:
    apt-get -t testing install iptables
    apt-get -t testing install iptables-dev
    apt-get -t testing install xtables-addons-common
    
After this step I went back and removed the previously added line in sources.list just to prevent any future issues.

    From the original instructions, install some other needed packages
    Code:
    aptitude install pkg-config libtext-csv-xs-perl linux-headers-`uname -r` iptables-dev
    Next, create the necessary directories and download the needed GeoIPCountry files.
    Code:
    mkdir -p /var/geoip/LE /usr/src/GeoIP
    wget -O /usr/src/GeoIP/GeoIPCountryCSV.zip http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
    wget -O /usr/src/GeoIP/csv2bin-20041103.tar.gz http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
    wget -O /usr/src/GeoIP/geoip_src.tar.bz2 http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
    wget -O /usr/src/GeoIP/xtables-addons-1.31.tar.xz http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.31/xtables-addons-1.31.tar.xz
    
    Next, extract all the files for install.
    Code:
    cd /usr/src/GeoIP
    tar xf csv2bin-20041103.tar.gz
    tar xf geoip_src.tar.bz2 geoip_csv_iv0.pl
    unzip GeoIPCountryCSV.zip
    xz -d xtables-addons-1.31.tar.xz
    tar xf xtables-addons-1.31.tar
    
    Next, configure and make xtables-addons.
    Code:
    cd xtables-addons-1.31
    ./configure --with-xtlibdir=/lib/xtables
    make
    make install
    
    Next, make csv2bin
    Code:
    cd /usr/src/GeoIP/csv2bin
    make
    
    Next, run csv2bin on GeoIPCountryWhois.csv file. (I assume this just makes it a binary file)
    Code:
    cd /var/geoip
    /usr/src/GeoIP/csv2bin/csv2bin /usr/src/GeoIP/GeoIPCountryWhois.csv
    
Next, run the GeoIP perl script on that file.
    Code:
    cd /var/geoip/LE
    perl /usr/src/GeoIP/geoip_csv_iv0.pl /usr/src/GeoIP/GeoIPCountryWhois.csv
    
    Next, create a symbolic link in /usr/share pointing xt_geoip to /var/geoip
    Code:
    cd /usr/share
    ln -s /var/geoip/ xt_geoip
    
    Finally, add the countries you wish to exclude using the 2 letter codes for that country. List to follow.
    In the example below, I am excluding Ukraine, one of my big offenders.

    Code:
    iptables -N GEOIP_REJECT
    iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
    iptables -A INPUT -j GEOIP_REJECT
    
    To decide which countries you want to exclude, just investigate your mail logs and or your fail2ban log if you implemented the fail2ban postfix logging as in
    http://www.howtoforge.com/forums/showthread.php?t=28781
    (Thanks to edge for pointing that one out to me)

    If you find later that you have blocked a country that your users need to send/receive mail from, you can add it back as below. Keep an eye on your mail queues, people.
    If you add it back quickly enough, no one will know there was ever a block. Personally I prefer to just block and then remove it if it causes a problem. If you actually ask the users they will say they need to receive or send mail from everywhere, all the time. ; >

    In my case, I noticed that I had some outgoing messages to Taiwan that were held in queue. So I want to unblock TAIWAN. The -D is for delete.

    Code:
    iptables -D GEOIP_REJECT -m geoip --src-cc TW -j REJECT
    iptables -A INPUT -j GEOIP_REJECT
    
    You can verify your blocks afterwards by using
    Code:
iptables -L
    
    For a list of commands, you can type
    Code:
    iptables -m geoip --help
    
    I used http://www.infosniper.net/index.php to find out where the IP addresses were located and went from there.
I have already added 28 countries to be blocked entirely. My incoming mail traffic due to spam has been reduced significantly and the results were instantly visible.
    If I did a tail -f of the mail log, before implementation it was almost too fast to even read, now it is at a much more reasonable pace.
    I will see what the actual number reduction is after a couple of days.
Also the zip file containing the list of countries and IP ranges gets updated on a monthly basis. More info can be found at:
    http://www.maxmind.com/app/geolitecountry

    Here are the country codes.
    Code:
       74 ranges for A1 Anonymous Proxy
     2054 ranges for A2 Satellite Provider
       14 ranges for AD Andorra
      297 ranges for AE United Arab Emirates
      156 ranges for AF Afghanistan
      117 ranges for AG Antigua and Barbuda
       16 ranges for AI Anguilla
       53 ranges for AL Albania
       71 ranges for AM Armenia
       72 ranges for AN Netherlands Antilles
      108 ranges for AO Angola
      289 ranges for AP Asia/Pacific Region
       24 ranges for AQ Antarctica
      678 ranges for AR Argentina
       33 ranges for AS American Samoa
     1649 ranges for AT Austria
     2620 ranges for AU Australia
       30 ranges for AW Aruba
      124 ranges for AX Aland Islands
       46 ranges for AZ Azerbaijan
      106 ranges for BA Bosnia and Herzegovina
       65 ranges for BB Barbados
      307 ranges for BD Bangladesh
     2740 ranges for BE Belgium
       22 ranges for BF Burkina Faso
      486 ranges for BG Bulgaria
       73 ranges for BH Bahrain
       14 ranges for BI Burundi
       32 ranges for BJ Benin
       72 ranges for BM Bermuda
       15 ranges for BN Brunei Darussalam
       73 ranges for BO Bolivia
      480 ranges for BR Brazil
       42 ranges for BS Bahamas
        6 ranges for BT Bhutan
       15 ranges for BV Bouvet Island
       26 ranges for BW Botswana
       76 ranges for BY Belarus
       89 ranges for BZ Belize
     7267 ranges for CA Canada
      104 ranges for CD Congo, The Democratic Republic of the
       10 ranges for CF Central African Republic
       24 ranges for CG Congo
     2473 ranges for CH Switzerland
       46 ranges for CI Cote D'Ivoire
        4 ranges for CK Cook Islands
      396 ranges for CL Chile
       61 ranges for CM Cameroon
      998 ranges for CN China
      480 ranges for CO Colombia
      138 ranges for CR Costa Rica
       16 ranges for CU Cuba
        6 ranges for CV Cape Verde
      381 ranges for CY Cyprus
      864 ranges for CZ Czech Republic
    12102 ranges for DE Germany
        8 ranges for DJ Djibouti
     1120 ranges for DK Denmark
       19 ranges for DM Dominica
       81 ranges for DO Dominican Republic
       61 ranges for DZ Algeria
      198 ranges for EC Ecuador
      191 ranges for EE Estonia
      233 ranges for EG Egypt
       10 ranges for ER Eritrea
     2641 ranges for ES Spain
       12 ranges for ET Ethiopia
     3236 ranges for EU Europe
      935 ranges for FI Finland
       19 ranges for FJ Fiji
        4 ranges for FK Falkland Islands (Malvinas)
        6 ranges for FM Micronesia, Federated States of
        9 ranges for FO Faroe Islands
     6214 ranges for FR France
       41 ranges for GA Gabon
    13028 ranges for GB United Kingdom
       28 ranges for GD Grenada
      100 ranges for GE Georgia
        2 ranges for GF French Guiana
       86 ranges for GG Guernsey
      144 ranges for GH Ghana
       53 ranges for GI Gibraltar
        3 ranges for GL Greenland
        8 ranges for GM Gambia
       37 ranges for GN Guinea
       18 ranges for GP Guadeloupe
       12 ranges for GQ Equatorial Guinea
      673 ranges for GR Greece
       91 ranges for GT Guatemala
       39 ranges for GU Guam
        5 ranges for GW Guinea-Bissau
       11 ranges for GY Guyana
     1084 ranges for HK Hong Kong
       94 ranges for HN Honduras
      148 ranges for HR Croatia
       29 ranges for HT Haiti
      531 ranges for HU Hungary
      706 ranges for ID Indonesia
     1039 ranges for IE Ireland
      700 ranges for IL Israel
       94 ranges for IM Isle of Man
     1472 ranges for IN India
        7 ranges for IO British Indian Ocean Territory
      526 ranges for IQ Iraq
      377 ranges for IR Iran, Islamic Republic of
       85 ranges for IS Iceland
     2957 ranges for IT Italy
       80 ranges for JE Jersey
       73 ranges for JM Jamaica
       91 ranges for JO Jordan
     1730 ranges for JP Japan
      151 ranges for KE Kenya
       38 ranges for KG Kyrgyzstan
       67 ranges for KH Cambodia
        2 ranges for KI Kiribati
        5 ranges for KM Comoros
       56 ranges for KN Saint Kitts and Nevis
        5 ranges for KP Korea, Democratic People's Republic of
      622 ranges for KR Korea, Republic of
      160 ranges for KW Kuwait
       30 ranges for KY Cayman Islands
      173 ranges for KZ Kazakhstan
       14 ranges for LA Lao People's Democratic Republic
      220 ranges for LB Lebanon
       22 ranges for LC Saint Lucia
       68 ranges for LI Liechtenstein
       63 ranges for LK Sri Lanka
       56 ranges for LR Liberia
       10 ranges for LS Lesotho
      369 ranges for LT Lithuania
      368 ranges for LU Luxembourg
      284 ranges for LV Latvia
       97 ranges for LY Libyan Arab Jamahiriya
       92 ranges for MA Morocco
       40 ranges for MC Monaco
      121 ranges for MD Moldova, Republic of
       46 ranges for ME Montenegro
        4 ranges for MF Saint Martin
       20 ranges for MG Madagascar
        6 ranges for MH Marshall Islands
       69 ranges for MK Macedonia
       14 ranges for ML Mali
        3 ranges for MM Myanmar
       51 ranges for MN Mongolia
       30 ranges for MO Macau
        5 ranges for MP Northern Mariana Islands
       16 ranges for MQ Martinique
       19 ranges for MR Mauritania
       11 ranges for MS Montserrat
      107 ranges for MT Malta
       46 ranges for MU Mauritius
       17 ranges for MV Maldives
       41 ranges for MW Malawi
      571 ranges for MX Mexico
      478 ranges for MY Malaysia
       45 ranges for MZ Mozambique
      232 ranges for NA Namibia
       27 ranges for NC New Caledonia
       32 ranges for NE Niger
        3 ranges for NF Norfolk Island
      926 ranges for NG Nigeria
       74 ranges for NI Nicaragua
     6252 ranges for NL Netherlands
     1063 ranges for NO Norway
       54 ranges for NP Nepal
        3 ranges for NR Nauru
        1 ranges for NU Niue
      620 ranges for NZ New Zealand
       18 ranges for OM Oman
      173 ranges for PA Panama
      129 ranges for PE Peru
        9 ranges for PF French Polynesia
       21 ranges for PG Papua New Guinea
      441 ranges for PH Philippines
      267 ranges for PK Pakistan
     2532 ranges for PL Poland
        4 ranges for PM Saint Pierre and Miquelon
      842 ranges for PR Puerto Rico
       42 ranges for PS Palestinian Territory, Occupied
      586 ranges for PT Portugal
        4 ranges for PW Palau
       43 ranges for PY Paraguay
       34 ranges for QA Qatar
        7 ranges for RE Reunion
      977 ranges for RO Romania
      259 ranges for RS Serbia
     4061 ranges for RU Russian Federation
       14 ranges for RW Rwanda
      381 ranges for SA Saudi Arabia
        3 ranges for SB Solomon Islands
       36 ranges for SC Seychelles
       46 ranges for SD Sudan
     2106 ranges for SE Sweden
      868 ranges for SG Singapore
      366 ranges for SI Slovenia
      391 ranges for SK Slovakia
       42 ranges for SL Sierra Leone
       14 ranges for SM San Marino
       22 ranges for SN Senegal
       30 ranges for SO Somalia
       19 ranges for SR Suriname
        4 ranges for ST Sao Tome and Principe
       89 ranges for SV El Salvador
       48 ranges for SY Syrian Arab Republic
       22 ranges for SZ Swaziland
       13 ranges for TC Turks and Caicos Islands
       20 ranges for TD Chad
       10 ranges for TG Togo
      362 ranges for TH Thailand
       27 ranges for TJ Tajikistan
       10 ranges for TK Tokelau
        3 ranges for TL Timor-Leste
        6 ranges for TM Turkmenistan
       18 ranges for TN Tunisia
        4 ranges for TO Tonga
      654 ranges for TR Turkey
       34 ranges for TT Trinidad and Tobago
        1 ranges for TV Tuvalu
      465 ranges for TW Taiwan
      131 ranges for TZ Tanzania, United Republic of
     2282 ranges for UA Ukraine
       53 ranges for UG Uganda
       11 ranges for UM United States Minor Outlying Islands
    19724 ranges for US United States
       85 ranges for UY Uruguay
       48 ranges for UZ Uzbekistan
        6 ranges for VA Holy See (Vatican City State)
       21 ranges for VC Saint Vincent and the Grenadines
      236 ranges for VE Venezuela
       90 ranges for VG Virgin Islands, British
      134 ranges for VI Virgin Islands, U.S.
      151 ranges for VN Vietnam
        6 ranges for VU Vanuatu
        2 ranges for WF Wallis and Futuna
       24 ranges for WS Samoa
       19 ranges for YE Yemen
        3 ranges for YT Mayotte
      579 ranges for ZA South Africa
       85 ranges for ZM Zambia
       70 ranges for ZW Zimbabwe
    
     
    Last edited: Nov 13, 2010
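An added example (mine, not drewb0y's and not part of xtables-addons) that turns the chain-building commands in the post above into a script that can be re-run safely. It assumes xt_geoip is installed as described, so that `iptables -m geoip --src-cc XX` works, and that `apply()` runs as root; `plan()` and `render()` only build the commands, so the result can be reviewed first. Two things are deliberately different from the commands in the post: the jump from INPUT is restricted to `-m state --state NEW`, so replies to connections the server itself opened (the outgoing mail to Taiwan that sat in the queue) are no longer rejected, and the INPUT jump is removed and re-added exactly once instead of being appended after every change. `port_allowlist_rule()` goes beyond the post and shows the per-port form using xt_geoip's `!` negation.

```python
#!/usr/bin/env python3
"""Declarative builder for the GEOIP_REJECT chain described in the HOWTO.

Added example; not code from the thread or from xtables-addons. Assumes the
xt_geoip match is installed and that apply() runs as root. plan() and
render() execute nothing, so the commands can be reviewed before use.
"""
import re
import shlex
import subprocess

CHAIN = "GEOIP_REJECT"
# Jump only for NEW connections: a plain "-A INPUT -j GEOIP_REJECT" also
# rejects the replies to connections the server opened itself, which is
# why outgoing mail to a blocked country sits in the queue.
INPUT_JUMP = ["INPUT", "-m", "state", "--state", "NEW", "-j", CHAIN]
CC_RE = re.compile(r"^[A-Z]{2}$")


def normalise(countries):
    """Upper-case, de-duplicate and validate ISO 3166-1 alpha-2 codes."""
    codes = sorted({c.strip().upper() for c in countries})
    bad = [c for c in codes if not CC_RE.match(c)]
    if bad:
        raise ValueError(f"not two-letter country codes: {bad}")
    return codes


def plan(countries):
    """Return (kind, iptables-args) steps that make the chain match exactly
    the given countries, no matter how often the script has run before.

    kind: "try"    -> failure is expected when the chain already exists
          "must"   -> failure aborts
          "repeat" -> run until it fails, to strip duplicate INPUT jumps
    """
    steps = [("try", ["-N", CHAIN]), ("must", ["-F", CHAIN])]
    for cc in normalise(countries):
        steps.append(("must", ["-A", CHAIN, "-m", "geoip", "--src-cc", cc,
                               "-j", "REJECT"]))
    # Exactly one jump from INPUT, not one per run.
    steps.append(("repeat", ["-D"] + INPUT_JUMP))
    steps.append(("must", ["-A"] + INPUT_JUMP))
    return steps


def port_allowlist_rule(port, country):
    """Drop new connections to one TCP port unless they come from 'country'
    (e.g. only one country may reach port 22); uses xt_geoip's negation."""
    (cc,) = normalise([country])
    return ["-I", "INPUT", "-p", "tcp", "--dport", str(int(port)),
            "-m", "state", "--state", "NEW",
            "-m", "geoip", "!", "--src-cc", cc, "-j", "DROP"]


def render(steps):
    """Shell lines equivalent to the steps, for review or for a script file."""
    return ["iptables " + shlex.join(args) for _, args in steps]


def apply(steps, run=subprocess.run):
    """Execute the steps with iptables; 'run' is injectable for testing."""
    for kind, args in steps:
        cmd = ["iptables", *args]
        if kind == "repeat":
            while run(cmd, capture_output=True).returncode == 0:
                pass
        elif kind == "try":
            run(cmd, capture_output=True)
        else:
            run(cmd, check=True)


if __name__ == "__main__":
    import sys
    # Print the commands for the codes given on the command line (UA by default).
    print("\n".join(render(plan(sys.argv[1:] or ["UA"]))))
```

Because the chain is flushed and rebuilt from the full list, removing a country is just running the script again without it, which replaces the separate `-D` step from the post. The `-D` loop only strips jumps in the exact form this script creates; jumps added by hand as `iptables -A INPUT -j GEOIP_REJECT` have to be deleted with `iptables -D INPUT -j GEOIP_REJECT` until that command fails. As in the post, none of this survives a reboot on its own; `iptables-save`/`iptables-restore` is still needed.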
  2. drewb0y

    drewb0y New Member

    Things to still be worked out.

    1. How to remove a country from blocking that was added using this method.
    (I assume it's some variation of the command used to add a country)

    DONE - added to original post above.
    2. Instructions for updating the Country-IP Range file.
    3. What files need to be protected, or will be broken if there is ever an ISPConfig or debian system update.

    Any suggestions, tips or improvements, are welcomed.
    Also please check the HOWTO: Spam control for POSTFIX
     
    Last edited: Nov 13, 2010
  3. linus3x

    linus3x New Member

    It looks great, drewb0y!

    Did you run into any conflicts between the ISPConfig 3 firewall and this Geo mod, specifically in the iptables?
     
  4. biggdog

    biggdog New Member

    Thanks for the info.
I would like to know how to implement this into the existing iptables or through ispconfig3.

    I did this and once I rebooted I do not see it after an iptables -L
    "iptables -N GEOIP_REJECT
    iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
    iptables -A INPUT -j GEOIP_REJECT"

I am not a complete newbie but I am looking for some help if possible.

The file I have for "country codes setup" is taken from your little example. I left out 4 countries.
    7267 ranges for CA Canada
    12102 ranges for DE Germany
    13028 ranges for GB United Kingdom
    19724 ranges for US United States
    Germany is because I talk to astaro
    The UK is for some downloads I think.

    If this helps anyone please feel free to use it.
    Also should we add an "ACCEPT" for those we want.
     


  5. drewb0y

    drewb0y New Member

    No conflicts that I have seen yet. And if I do an iptables -L it shows me a nice list of all the countries I am blocking, and the fail2ban blocks as well.
     
  6. drewb0y

    drewb0y New Member

    I did not actually use a file of the countries to enter them, they were just listed above as a reference. So I would enter each individually with a separate command.

    iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
    then
    iptables -A INPUT -j GEOIP_REJECT
    after all have been entered
    the first line
    iptables -N GEOIP_REJECT
    I only entered once

    I have not actually rebooted yet myself, and rarely do actually,
    Code:
    uptime
     06:10:11 up 21 days,  7:48,  1 user,  load average: 0.01, 0.05, 0.01
    
so I'm not sure if it will fall out. My question is did you check with an iptables -L before you rebooted? It may never have taken correctly in the first place. Here is an example of what your iptables -L output should look like if it's working.

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    fail2ban-postfix  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp 
    fail2ban-postfix-spamers550  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp 
    fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh 
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    GEOIP_REJECT  all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain GEOIP_REJECT (12 references)
    target     prot opt source               destination         
    REJECT     all  --  anywhere             anywhere            Source country: HN reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: MA reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: KP reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: KR reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: BY reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: NG reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: CM reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: KG reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: KZ reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: SG reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: BG reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: ZA reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: GD reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: PK reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: DO reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: CO reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: RS reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: CL reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: IQ reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: ID reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: AE reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: SA reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: BR reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: AR reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: PT reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: UA reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: VE reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: RU reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: RO reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: VN reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: TH reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: RW reject-with icmp-port-unreachable 
    REJECT     all  --  anywhere             anywhere            Source country: CZ reject-with icmp-port-unreachable 
    
    Chain fail2ban-postfix (1 references)
    target     prot opt source               destination         
    DROP       all  --  117.200.250.116      anywhere            
    DROP       all  --  217.29.122.151       anywhere            
    DROP       all  --  193.251.223.82       anywhere            
    DROP       all  --  117.195.68.191       anywhere            
    DROP       all  --  90.91.56.190.dsl.intelnet.net.gt  anywhere            
    DROP       all  --  triband-del-59.178.55.168.bol.net.in  anywhere            
    DROP       all  --  59.93.163.7          anywhere            
    DROP       all  --  93.Red-88-17-1.dynamicIP.rima-tde.net  anywhere            
    DROP       all  --  221.207.145.66       anywhere            
    DROP       all  --  ge-3-3-0-core-as12455.orange.co.ke  anywhere            
    DROP       all  --  gw.pslpom.datec.net.pg  anywhere            
    DROP       all  --  ABTS-North-Dynamic-219.143.163.122.airtelbroadband.in  anywhere            
    DROP       all  --  124.106.81.18        anywhere            
    DROP       all  --  124.93.248.250       anywhere            
    DROP       all  --  117.201.75.26        anywhere            
    DROP       all  --  triband-del-59.178.55.177.bol.net.in  anywhere            
    DROP       all  --  59.164.1.54.man-dynamic.vsnl.net.in  anywhere            
    DROP       all  --  94-75-91-245.home.aster.pl  anywhere            
    DROP       all  --  ABTS-North-Dynamic-130.124.161.122.airtelbroadband.in  anywhere            
    DROP       all  --  ABTS-MP-Dynamic-064.130.175.122.airtelbroadband.in  anywhere            
    DROP       all  --  116.73.241.33        anywhere            
    DROP       all  --  ABTS-TN-dynamic-203.190.178.122.airtelbroadband.in  anywhere            
    DROP       all  --  221.218.19.95.dynamic.jazztel.es  anywhere            
    DROP       all  --  ABTS-North-Dynamic-224.13.173.122.airtelbroadband.in  anywhere            
    DROP       all  --  222.168.13.180       anywhere            
    DROP       all  --  IGLD-80-230-5-86.inter.net.il  anywhere            
    DROP       all  --  117.199.105.63       anywhere            
    DROP       all  --  80.191.174.8         anywhere            
    DROP       all  --  60.6.156.46          anywhere            
    DROP       all  --  91.99.155.189.parsonline.net  anywhere            
    DROP       all  --  196.2.11.86          anywhere            
    DROP       all  --  120.56.149.193       anywhere            
    DROP       all  --  c-98-250-181-247.hsd1.mi.comcast.net  anywhere            
    DROP       all  --  42.73.148.190.dsl.intelnet.net.gt  anywhere            
    DROP       all  --  adsl-ull-55-153.46-151.net24.it  anywhere            
    DROP       all  --  186-40-183-76.bam.movistar.cl  anywhere            
    DROP       all  --  user-46-113-14-85.play-internet.pl  anywhere            
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-postfix-spamers550 (1 references)
    target     prot opt source               destination         
    DROP       all  --  117.200.250.116      anywhere            
    DROP       all  --  217.29.122.151       anywhere            
    DROP       all  --  193.251.223.82       anywhere            
    DROP       all  --  117.195.68.191       anywhere            
    DROP       all  --  90.91.56.190.dsl.intelnet.net.gt  anywhere            
    DROP       all  --  triband-del-59.178.55.168.bol.net.in  anywhere            
    DROP       all  --  59.93.163.7          anywhere            
    DROP       all  --  93.Red-88-17-1.dynamicIP.rima-tde.net  anywhere            
    DROP       all  --  221.207.145.66       anywhere            
    DROP       all  --  ge-3-3-0-core-as12455.orange.co.ke  anywhere            
    DROP       all  --  gw.pslpom.datec.net.pg  anywhere            
    DROP       all  --  ABTS-North-Dynamic-219.143.163.122.airtelbroadband.in  anywhere            
    DROP       all  --  124.106.81.18        anywhere            
    DROP       all  --  124.93.248.250       anywhere            
    DROP       all  --  117.201.75.26        anywhere            
    DROP       all  --  triband-del-59.178.55.177.bol.net.in  anywhere            
    DROP       all  --  59.164.1.54.man-dynamic.vsnl.net.in  anywhere            
    DROP       all  --  94-75-91-245.home.aster.pl  anywhere            
    DROP       all  --  ABTS-North-Dynamic-130.124.161.122.airtelbroadband.in  anywhere            
    DROP       all  --  ABTS-MP-Dynamic-064.130.175.122.airtelbroadband.in  anywhere            
    DROP       all  --  116.73.241.33        anywhere            
    DROP       all  --  ABTS-TN-dynamic-203.190.178.122.airtelbroadband.in  anywhere            
    DROP       all  --  221.218.19.95.dynamic.jazztel.es  anywhere            
    DROP       all  --  ABTS-North-Dynamic-224.13.173.122.airtelbroadband.in  anywhere            
    DROP       all  --  222.168.13.180       anywhere            
    DROP       all  --  IGLD-80-230-5-86.inter.net.il  anywhere            
    DROP       all  --  117.199.105.63       anywhere            
    DROP       all  --  80.191.174.8         anywhere            
    DROP       all  --  60.6.156.46          anywhere            
    DROP       all  --  91.99.155.189.parsonline.net  anywhere            
    DROP       all  --  196.2.11.86          anywhere            
    DROP       all  --  120.56.149.193       anywhere            
    DROP       all  --  85-171-140-43.rev.numericable.fr  anywhere            
    DROP       all  --  CPE-124-188-250-92.ezsb1.cht.bigpond.net.au  anywhere            
    DROP       all  --  host86-138-180-66.range86-138.btcentralplus.com  anywhere            
    DROP       all  --  41.199.43.124        anywhere            
    DROP       all  --  20129147022.user.veloxzone.com.br  anywhere            
    DROP       all  --  201-27-80-169.dsl.telesp.net.br  anywhere            
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination         
    DROP       all  --  218.1.114.75         anywhere            
    RETURN     all  --  anywhere             anywhere            
    
    And yes fail2ban blocked someone from Shanghai trying to ssh into my box!
     
  7. biggdog

    biggdog New Member

    Yes I did do an iptables -L twice as I was not quite sure what I was looking at but your answer about only adding in the last line once gives me my answer. I think.


How about this now. Please notice the beginning and the end. I have also added a possible save directory for this string. I got this from another site I use; the person goes by "mr88talent".

    Let me know if this could work while I am using ispconfig 3 debian lenny 5.06 amd64.

    Thanks.

    All should Be good
     


    Last edited: Nov 15, 2010
  8. drewb0y

    drewb0y New Member

    Looks like it should work to me. That is a lot of countries to reject, but I guess I am rejecting a lot as well at 28 currently. Have you been able to verify that without doing the steps below the changes to iptables are not persistent on reboot?

    Code:
    iptables-save > /etc/GEOIP_REJECT
    iptables-restore < /etc/GEOIP_REJECT
    
    vi /etc/network/interfaces
    
    And insert the following text in the blank line just below "iface lo inet loopback":
    pre-up iptables-restore < /etc/GEOIP_REJECT
     
  9. drewb0y

    drewb0y New Member

    Progress Update

    Since implementing this as well as the fail2ban blocking, I have reduced the number of spam messages that postgrey has to deal with by about 100,000 messages a day.

    on 11/6 my daily mail log statistics that are emailed to me said
    Code:
    149622 rejected (96%)
    on 11/8 it went down to (I think that is after I did fail2ban)
    Code:
    23317 rejected (98%)
    on 11/15 it is now at
    Code:
    4727 rejected (95%)
    So the combination of fail2ban, postgrey and country blocking has made a huge difference in performance.
     
  10. biggdog

    biggdog New Member

    Yes upon reboot I had nothing but Fail2ban stuff and the original firewall stuff through ispconfig3 + 1 extra port.

    As for Postgrey. I am currently using Astaro's postgrey. I have not implemented it into the webmail server yet.
     
  11. biggdog

    biggdog New Member

    I may have misread your last post. After saving the rules to /etc/... I can reboot and have everything saved. My concern is how can we accomplish this through ispconfig?
     
  12. ByteMe Networking

    ByteMe Networking New Member

    Works Like a Charm!

    Hey drewb0y,

    Thanks for the great stuff. Works like a Charm!

    Just one thing though. I went though my logs and found a few countries that were attempting to hack my server or root it so I blocked them.

    After the logs cleared up I noticed that ISPConfig 3.0.3 was acting funny. Navigation loading really slow.
    Latest news not working at all.
    Freshclam not updating.
    Things like that.

    Well after some investigation I found that ISPConfigs main site and Freshclam all come from Germany.

    I had to unblock Germany before ISPConfig would work as it should again.

    Just a heads up.

    Thanks for the great post,
    Casey
     
  13. fulltilt

    fulltilt New Member

I'm trying to install but:
    Code:
    http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
It seems like the site is offline ... is there any other download source?

    debian squeeze
     
  14. trident

    trident New Member


    I failed at this step, too.

    I did get nginx geo IP blocking set up, however.
     
  15. ByteMe Networking

    ByteMe Networking New Member

    The missing link extracts the following code to the geoip_csv_iv0.pl file.
    Just create the file above with this code and you should be able to complete this TT.

    Code:
    #!/usr/bin/perl
    #
    #       Converter for MaxMind CSV database to binary, for xt_geoip
    #       Copyright © CC Computer Consultants, 2008
    #
    #       Contact: Jan Engelhardt <jengelh@computergmbh.de>
    #
    #       Use -b argument to create big-endian tables.
    #
    use Getopt::Long;
    use IO::Handle;
    use Text::CSV_XS; # or trade for Text::CSV
    use strict;
    
    my %country;
    my %names;
    my $csv = Text::CSV_XS->new({binary => 0, eol => $/}); # or Text::CSV
    my $mode = "VV";
    
    &Getopt::Long::Configure(qw(bundling));
    &GetOptions("b" => sub { $mode = "NN"; });
    
    while (my $row = $csv->getline(*ARGV)) {
            if (!defined($country{$row->[4]})) {
                    $country{$row->[4]} = [];
                    $names{$row->[4]} = $row->[5];
            }
            my $c = $country{$row->[4]};
            push(@$c, [$row->[2], $row->[3]]);
            if ($. % 4096 == 0) {
                    print STDERR "\r\e[2K$. entries";
            }
    }
    
    print STDERR "\r\e[2K$. entries total\n";
    
    foreach my $iso_code (sort keys %country) {
            printf "%5u ranges for %s %s\n",
                    scalar(@{$country{$iso_code}}),
                    $iso_code, $names{$iso_code};
    
            open(my $fh, ">".uc($iso_code).".iv0");
            foreach my $range (@{$country{$iso_code}}) {
                    print $fh pack($mode, $range->[0], $range->[1]);
            }
            close $fh;
    }
    
    
    I could not find my original download of that file but this is all that was in it.

    Sorry for the late response.
    Hope it helps.
     
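An added example (mine, not from the thread and not part of xtables-addons) that does in Python what the csv2bin/geoip_csv_iv0.pl step in the first post and the Perl script just above do, and then reads the result back so the file format is visible. It assumes the legacy MaxMind GeoIPCountryWhois.csv layout the Perl script reads: start IP, end IP, start integer, end integer, country code, country name. The sample rows are constructed for the example and are not real database content; the address→country lookup at the end is only a model of the question xt_geoip answers per packet, not the kernel module's code.

```python
#!/usr/bin/env python3
"""Python port of geoip_csv_iv0.pl plus a reader for the .iv0 files it writes.

Added example; not code from the thread or from xtables-addons. Assumes the
legacy MaxMind GeoIPCountryWhois.csv columns:
    start_ip, end_ip, start_int, end_int, cc, country_name
"""
import csv
import io
import os
import struct
from ipaddress import IPv4Address

# Constructed sample in the GeoIPCountryWhois.csv layout (not real data).
SAMPLE_CSV = (
    '"10.0.0.0","10.0.0.255","167772160","167772415","UA","Ukraine"\n'
    '"10.0.1.0","10.0.1.127","167772416","167772543","TW","Taiwan"\n'
    '"10.0.2.0","10.0.2.255","167772672","167772927","UA","Ukraine"\n'
    '"192.0.2.0","192.0.2.255","3221225984","3221226239","DK","Denmark"\n'
)


def parse_csv(text):
    """Group (start, end) integer ranges by country; returns (ranges, names)."""
    ranges, names = {}, {}
    for row in csv.reader(io.StringIO(text)):
        start, end, cc, name = int(row[2]), int(row[3]), row[4].upper(), row[5]
        # Sanity check: the integer columns must agree with the dotted IPs.
        if int(IPv4Address(row[0])) != start or int(IPv4Address(row[1])) != end:
            raise ValueError(f"integer/IP mismatch in row {row}")
        ranges.setdefault(cc, []).append((start, end))
        names.setdefault(cc, name)
    return ranges, names


def pack_ranges(pairs, big_endian=False):
    """Encode ranges as .iv0: consecutive u32 (start, end) pairs, little-endian
    (the Perl script's "VV") or big-endian with -b ("NN")."""
    fmt = (">" if big_endian else "<") + "II"
    return b"".join(struct.pack(fmt, s, e) for s, e in sorted(pairs))


def write_iv0(ranges, names, outdir, big_endian=False):
    """Write one <CC>.iv0 per country (as the script does in /var/geoip/LE)
    and return the 'N ranges for CC Name' summary lines it prints."""
    os.makedirs(outdir, exist_ok=True)
    lines = []
    for cc in sorted(ranges):
        with open(os.path.join(outdir, cc + ".iv0"), "wb") as fh:
            fh.write(pack_ranges(ranges[cc], big_endian))
        lines.append(f"{len(ranges[cc]):5d} ranges for {cc} {names[cc]}")
    return lines


def read_iv0(data, big_endian=False):
    """Decode an .iv0 blob back into (start, end) pairs; reject odd sizes."""
    fmt = (">" if big_endian else "<") + "II"
    size = struct.calcsize(fmt)
    if len(data) % size:
        raise ValueError("truncated .iv0 data")
    return [struct.unpack_from(fmt, data, off) for off in range(0, len(data), size)]


def lookup(ip, ranges):
    """Country code for an IPv4 address, or None: binary search over each
    country's sorted ranges (a model of the per-packet match, not xt_geoip)."""
    n = int(IPv4Address(ip))
    for cc, pairs in ranges.items():
        pairs = sorted(pairs)
        lo, hi = 0, len(pairs) - 1
        while lo <= hi:
            mid = (lo + hi) // 2
            start, end = pairs[mid]
            if n < start:
                hi = mid - 1
            elif n > end:
                lo = mid + 1
            else:
                return cc
    return None


if __name__ == "__main__":
    import sys
    # Usage: geoip_iv0.py GeoIPCountryWhois.csv /var/geoip/LE
    with open(sys.argv[1], newline="") as fh:
        rng, nm = parse_csv(fh.read())
    print("\n".join(write_iv0(rng, nm, sys.argv[2])))
```

The integer/IP consistency check is the one thing the Perl script does not do; a corrupted or truncated download otherwise produces silently wrong ranges, which is worth catching before they become firewall rules.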
  16. Hoox

    Hoox New Member

Thanks a lot for this! I got this working using the hint from Casey.
How would I go about blocking everything but one country on a single port? For instance, I want to block access to port 22 (ssh) from all countries but Denmark?
     
  17. sethuper

    sethuper New Member