I also downloaded their tar file of all the countries' IPs.
Just wondering, maybe I will look at modifying the script so it looks on the
local drive for "DLROOT" instead of trolling their website, as I used to use
this a long time ago and found many of the files inside the tar to be zero bytes.


Will let everyone know what I find.

Dave M

From: Sebastian Grewe 
Sent: Friday, July 18, 2014 12:43 AM
To: qmailtoaster-list@qmailtoaster.com 
Subject: Re: [qmailtoaster] Firewall

Yeah I saw that tar file they offer. I wanted to use it with chef and just feed 
shorewall some include files. Will see how it goes.

Cheers, 
Sebastian

On 17.07.2014, at 22:48, M <sysad...@tricubemedia.com> wrote:


  Shorewall firewall is based on iptables so it should work,
  and this script gets its data from:
  DLROOT="http://www.ipdeny.com/ipblocks/data/countries";

  Dave M

  On 7/17/2014 10:28 AM, Sebastian Grewe wrote:

    Hey Dave,

    That's one great script there. I will have to check for that ipdeny.com
    list - maybe I can also add it to shorewall somehow.

    Cheers, 
    Sebastian

    On 16.07.2014, at 21:02, M <sysad...@tricubemedia.com> wrote:


      Hi list, recently I had a request for a VM for one of our qmailers.

      Subsequently, after deployment, we found the VM to be compromised, so
      hackers got in before I could secure the qmail VM.

      I rebuilt the VM, and added " My " firewall rules, and sent it off
      again. No probs this time.
      I was asked if they could share the firewall rules. No probs, but I
      looked for a way to block by country.

      Here is what I found, and modified for our qmail needs ( rules etc )
      Thanks go to the original script writer, I merely modified it.

      Firewall script, so you can block specific countries, e.g. China ( ISO cn ),
      working as of July 16th 2014

      ***No offense meant to any countries listed here, for demo purposes only***

      Do an ISO country code lookup for your needs

      Tested on qmail-Centos5, and qmail-Centos6.

      Should work on other iptables type firewalls

      Install & Setup.
      *** Backup your existing firewall script. ***
      Centos5 qmail install ( cp /etc/rc.d/firewall.ruleset /etc/rc.d/firewall.org )
      Centos6 qmail install ( cp /etc/sysconfig/iptables /etc/sysconfig/iptables.org )

      copy script to your server, make executable ( chmod +x country_block.sh )
      Edit file, and modify to your needs.
      specific areas
      ISO="af cn kr" 
      # Set your own ports you need, these are set for a standard qmail install. Remove 3306 if you don't do database syncs
      ALLOWPORTS=22,25,80,110,143,443,465,587,993,995,3306
      #Set your subnet 
      ALLOWSUBNET=192.168.0.0/255.255.0.0


      Run script
      ./country_block.sh
      Wait until complete.
      check it added the rules, iptables -L -n, you should see a whole bunch
      of " countrydrop " lines

      Centos 5 Qmail installs
      Save iptables to your /etc/rc.d/firewall.ruleset
      /sbin/iptables-save > /etc/rc.d/firewall.ruleset

      Stop and start firewall 
      firewall down
      firewall up
      Check again iptables -L -n

      Centos 6 Qmail installs
      Save iptables to your /etc/sysconfig/iptables
      /sbin/iptables-save > /etc/sysconfig/iptables

      Some say this may cause slowness on the email server, I have not found
      that to be the case.
      Based on " My ruleset " ( thousands of entries ) I have been running the
      rules for years.

      Dave M




      <country_block.sh>
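Reading the zone files from a local directory, as the top message in this thread proposes, with a guard for the zero-byte files it mentions. This is an added example, not the attached country_block.sh or code from anyone in the thread; the `<iso>.zone` file layout, the use of `countrydrop` as the chain name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the attached country_block.sh.
# Assumptions: the tar is unpacked into ZONEDIR as <iso>.zone files with one
# IPv4 CIDR per line; "countrydrop" is used as the chain name.

# valid_cidrs FILE: print only well-formed IPv4 CIDR lines (octets <= 255,
# prefix <= 32); comments, blanks and HTML error pages are dropped.
valid_cidrs() {
    awk -F'[./]' '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            ok = ($5 <= 32)
            for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
            if (ok) print
        }' "$1"
}

# build_ruleset ZONEDIR ISO...: write an iptables-restore fragment to stdout.
# If any requested zone file is missing, zero bytes, or has no valid entries,
# nothing is written and the exit status is 1, so a bad download cannot
# silently yield a ruleset with a country left out.
build_ruleset() {
    zonedir=$1; shift
    rules=$(mktemp) || return 1
    status=0
    for iso in "$@"; do
        f="$zonedir/$iso.zone"
        if [ ! -s "$f" ]; then
            echo "error: $f is missing or zero bytes" >&2; status=1
        elif ! valid_cidrs "$f" | grep -q .; then
            echo "error: $f has no valid CIDR lines" >&2; status=1
        else
            valid_cidrs "$f" | sed 's/.*/-A countrydrop -s & -j DROP/' >> "$rules"
        fi
    done
    if [ "$status" -eq 0 ]; then
        printf '*filter\n:countrydrop - [0:0]\n'
        cat "$rules"
        printf 'COMMIT\n'
    fi
    rm -f "$rules"
    return "$status"
}

# Example: ./zones_to_rules.sh /path/to/zones cn kr > countrydrop.rules
if [ "$#" -ge 2 ]; then build_ruleset "$@"; fi
```

The output can be parsed without being applied using `iptables-restore --noflush --test`. The fragment only fills the chain, so a jump from INPUT to `countrydrop` still has to exist in the main ruleset.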