search for: filter_countri

On 07/25/2017 07:54 AM, mj wrote: > Since we implemented country blocking, Please don't do that. Balkanizing the Internet doesn't really benefit anyone, and makes innovation a lot more difficult. Instead, take a look at the fail2ban scenarios in this thread, which solve the actual problem with a precision tool, instead of a hammer. Doug

...om accessing us completely (the hammer) but rather block their access of imap and smtp for my mailserver. (this is what I like to see as a precision tool) For the record I improved my iptables rules a lot compared to the mail you replied to. I am now using a chain, like this: > $IPTABLES -N filter_countries > $IPTABLES -A filter_countries -m geoip --src-cc CN,AG,MX,etc -j DROP > $IPTABLES -A filter_countries -m geoip --src-cc MD,SD,SS,etc -j DROP and then: > $IPTABLES -I INPUT 1 -p tcp --dport 143 -j filter_countries > $IPTABLES -I INPUT 1 -p tcp --dport 993 -j filter_countries > $I...

...leared up conflicting info I found on the Internet. I also wanted to go the "other way": disallow everything but 2 countries (AU,NZ). There are even more conflicting ideas about how to do this, but I figured it out. Also I cannot see a difference in speed between using (maxmind) -A filter_countries -m geoip --src-cc AU,NZ -j ACCEPT and (ipdeny) -A filter_countries -m set --set au.geoblock src -j ACCEPT which is really good! Jobst -- The future isn't what it used to be (it never was). | |0| | Jobst Schmalenbach, General Manager | | |0| Barrett & Sales Essentials...

On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry at elrepo.org) wrote: > On 14/01/2019 07:09, Jobst Schmalenbach wrote: > > Hi > I use ipdeny's aggregated country lists to do the same thing: > > http://www.ipdeny.com/ipblocks/data/aggregated/ > > I just feed this data directly into ipset/iptables via a script running on > my firewall (not a C6 box).