On 07/29/2017 07:44 PM, Doug Barton wrote:
> On 07/25/2017 07:54 AM, mj wrote:
>> Since we implemented country blocking,
>
> Please don't do that. Balkanizing the Internet doesn't really benefit anyone, and makes innovation a lot more difficult.

Perhaps I need to be more specific:

I block certain countries from accessing imap/smtp directly, as that is where all the botnets seem to be trying their passwords.

I do not block entire countries from accessing us completely (the hammer) but rather block their access of imap and smtp for my mailserver. (this is what I like to see as a precision tool)

For the record I improved my iptables rules a lot compared to the mail you replied to. I am now using a chain, like this:

$IPTABLES -N filter_countries
$IPTABLES -A filter_countries -m geoip --src-cc CN,AG,MX,etc -j DROP
$IPTABLES -A filter_countries -m geoip --src-cc MD,SD,SS,etc -j DROP

and then:

$IPTABLES -I INPUT 1 -p tcp --dport 143 -j filter_countries
$IPTABLES -I INPUT 1 -p tcp --dport 993 -j filter_countries
$IPTABLES -I INPUT 1 -p tcp --dport 465 -j filter_countries

This makes it a lot more efficient, compared to the (many) rules I was using earlier.

MJ
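
Added example, not part of the original message: a POSIX shell sketch that prints (but does not run) the commands for the dedicated-chain layout described above, splitting a long country list into several `--src-cc` rules and using a single multiport jump from INPUT. The function names, the `multiport` jump, the idempotent `-N`/`-F`/`-C` handling and the 15-codes-per-rule limit of xt_geoip are assumptions of this example; the sample country codes are the ones visible in the message.

```shell
#!/bin/sh
# Added example: prints the iptables commands for a per-port country filter
# chain. Review the output before piping it to a root shell.

IPTABLES=${IPTABLES:-iptables}
CHAIN=filter_countries
MAX_CC=15   # assumption: xt_geoip accepts at most 15 country codes per rule

# chunk_codes "CN,MX,..." -> comma-separated groups of <= MAX_CC, one per line.
# Fails (exit 1) on anything that is not a two-letter upper-case code.
chunk_codes() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v max="$MAX_CC" '
        !/^[A-Z][A-Z]$/ { print "bad country code: " $0 > "/dev/stderr"
                          bad = 1; exit }
        { group = (count ? group "," : "") $0; count++
          if (count == max) { print group; group = ""; count = 0 } }
        END { if (bad) exit 1; if (count) print group }'
}

# emit_rules "<country codes>" "<tcp ports>" -> iptables commands on stdout
emit_rules() {
    groups=$(chunk_codes "$1") || return 1
    # Create the chain, or flush it if it already exists (safe to re-run).
    echo "$IPTABLES -N $CHAIN 2>/dev/null || $IPTABLES -F $CHAIN"
    for g in $groups; do
        echo "$IPTABLES -A $CHAIN -m geoip --src-cc $g -j DROP"
    done
    # One jump covering all mail ports; -C avoids inserting it twice.
    jump="-p tcp -m multiport --dports $2 -j $CHAIN"
    echo "$IPTABLES -C INPUT $jump 2>/dev/null || $IPTABLES -I INPUT 1 $jump"
}

# Sample run: country codes and ports taken from the message above.
emit_rules "CN,AG,MX,MD,SD,SS" "143,993,465"
```

Packets to other ports never enter the chain, so the geoip match is only evaluated for the IMAP and SMTPS ports listed in the jump rule.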
