Hi Eric,
  That is exactly what I have done with it.
So yes, IMHO it is.

FYI Dan I am getting 4 emails in my inbox again.

best wishes
  Tony White


On 18/07/2014 05:39, Eric Shubert wrote:
On 07/16/2014 12:02 PM, M wrote:
Hi list, recently I had a request for a VM for one of our qmailers.

Subsequently, after deployment, we found the VM to be compromised, so
hackers got in before I could secure the qmail VM.

I rebuilt the VM, and added "My" firewall rules, and sent it off
again. No probs this time.
I was asked if they could share the firewall rules. No probs, but I
looked for a way to block by country.

Here is what I found, and modified for our qmail needs (rules etc.).
Thanks go to the original script writer, I merely modified it.

Firewall script, so you can block specific countries, e.g. China (ISO cn),
working as of July 16th 2014.

No offense meant to any countries listed here, for demo purposes only.

Do an ISO country code lookup for your needs.

Tested on qmail-Centos5 and qmail-Centos6.

Should work on other iptables type firewalls.

Install & Setup.
Back up your existing firewall script.
Centos5 qmail install ( cp /etc/rc.d/firewall.ruleset /etc/rc.d/firewall.org )
Centos6 qmail install ( cp /etc/sysconfig/iptables /etc/sysconfig/iptables.org )

Copy the script to your server and make it executable ( chmod +x country_block.sh ).
Edit the file and modify it to your needs.
Specific areas:
ISO="af cn kr"
# Set the ports you need; these are set for a standard qmail install. Remove 3306 if you don't do database syncs.
ALLOWPORTS=22,25,80,110,143,443,465,587,993,995,3306
# Set your subnet
ALLOWSUBNET=192.168.0.0/255.255.0.0


Run the script:
./country_block.sh
Wait until complete.
Check that it added the rules with iptables -L -n; you should see a whole bunch
of "countrydrop" lines.

Centos 5 Qmail installs
Save iptables to your /etc/rc.d/firewall.ruleset
/sbin/iptables-save > /etc/rc.d/firewall.ruleset

Stop and start firewall
firewall down
firewall up
Check again: iptables -L -n

Centos 6 Qmail installs
Save iptables to your /etc/sysconfig/iptables
/sbin/iptables-save > /etc/sysconfig/iptables

Some say this may cause slowness on the email server; I have not found
that to be the case.
Based on "My ruleset" (thousands of entries), I have been running
the rules for years.

Dave M





---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com


Is this suitable to replace the firewall.sh script and become the 'stock' QMT 
firewall?
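
Added example, not part of the thread and not the country_block.sh script it discusses: a shell check to run on the saved ruleset before restarting the firewall, confirming that countrydrop rules were written and that every port in ALLOWPORTS still has an ACCEPT rule (so port 22 is not lost). The function names, the sample ruleset and the assumed rule layout (--dport/--dports on ACCEPT rules, "countrydrop" in the chain names) are assumptions.

```shell
#!/bin/sh
# Added example: audit a saved ruleset (iptables-save format) before a restart.
# Assumed layout: "countrydrop" chains; TCP ACCEPT rules with --dport/--dports (no a:b ranges).

# count_countrydrop FILE: number of rule lines that reference a countrydrop chain
count_countrydrop() {
    awk '/^-A .*countrydrop/ { n++ } END { print n + 0 }' "$1"
}

# accepted_ports FILE: one ACCEPTed TCP destination port per line
accepted_ports() {
    awk '/^-A / && /-p tcp/ && /-j ACCEPT/ {
        for (i = 1; i < NF; i++)
            if ($i == "--dport" || $i == "--dports") {
                n = split($(i + 1), p, ",")
                for (k = 1; k <= n; k++) print p[k]
            }
    }' "$1" | sort -un
}

# missing_ports FILE PORTLIST: ports from the comma list that no ACCEPT rule covers
missing_ports() {
    have=$(accepted_ports "$1")
    out=""
    for port in $(printf '%s' "$2" | tr ',' ' '); do
        printf '%s\n' "$have" | grep -qx "$port" || out="$out $port"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample ruleset (documentation address ranges, not real country data)
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:countrydrop - [0:0]
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -j countrydrop
-A INPUT -p tcp -m multiport --dports 22,25,80,110,143,443,465,587,993,995 -j ACCEPT
-A countrydrop -s 192.0.2.0/24 -j DROP
-A countrydrop -s 198.51.100.0/24 -j DROP
COMMIT
EOF
}

f=$(mktemp) && sample_ruleset > "$f"
echo "countrydrop rules: $(count_countrydrop "$f")"
echo "ALLOWPORTS without ACCEPT: $(missing_ports "$f" 22,25,80,110,143,443,465,587,993,995,3306)"
rm -f "$f"
```

After running iptables-save, point the functions at /etc/sysconfig/iptables or /etc/rc.d/firewall.ruleset (the paths from the post) instead of the sample.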