Ubuntu and iptables?

Silver565 · 07-17-2009, 06:02 PM

Hi there

I have an ftp server (freenas) that i used to have up and running. However i have since shut it down because of an attack from korea(although they failed).

I wish to block all international traffic in some way... The only real solution i've come up with is iptables.(However any other easy solutions would be welcomed :-) )

(this article http://gofishingforum.net/software-a...rver-t606.html)

Is there an easy way to block all interntational traffic with iptables or some other way? as the only traffic i need coming in is from my own country (or even just my own city).

I have a spare computer that i can convert to ubuntu which can be located between the modem and the network

Cheers

win32sux · 07-17-2009, 06:08 PM

Quote:

Originally Posted by Silver565

Hi there

I have an ftp server (freenas) that i used to have up and running. However i have since shut it down because of an attack from korea(although they failed).

I wish to block all international traffic in some way... The only real solution i've come up with is iptables.(However any other easy solutions would be welcomed :-) )

(this article http://gofishingforum.net/software-a...rver-t606.html)

Is there an easy way to block all interntational traffic with iptables or some other way? as the only traffic i need coming in is from my own country (or even just my own city).

I have a spare computer that i can convert to ubuntu which can be located between the modem and the network

Cheers

Should be pretty easy to get an IP list such as this one and script your iptables commands off it. Just extract the IPs for your country and then send packets which don't match those IPs to DROP.

win32sux · 07-17-2009, 06:37 PM

For example, let's say you live in New Zealand. You could extract the IPs doing something like this:

Code:

zgrep "New Zealand" GeoIPCountryCSV.zip | awk -F"," {'print $1 $2'} | \
awk -F"\"" {'print $2 "-" $4'} > new_zealand_ips.txt

This gives you a text file with one IP range per line.

So to execute an iptables command for each range, you do something like this:

Code:

iptables -N CHECK_NEW_ZEALAND

for i in `cat /etc/new_zealand_ips.txt`; do
  iptables -A CHECK_NEW_ZEALAND -m iprange --src-range $i -j ACCEPT
done

iptables -A CHECK_NEW_ZEALAND -j DROP

This gives you a chain called CHECK_NEW_ZEALAND which will send to DROP any packet which doesn't match any of the ranges. You can send your packets into this chain from any other chain.

Silver565 · 07-17-2009, 11:09 PM

Ok thanks. I'm not familiar with those commands. But i'll have a look on the internet for iptables and how it works.
Thanks for the heads up