[CentOS] CentOS 6.X, iptables 1.47 and GeoLite2 Country Database

Wed Jan 16 06:35:17 UTC 2019
Phil Perry <pperry at elrepo.org>

On 16/01/2019 02:04, Jobst Schmalenbach wrote:
> On Tue, Jan 15, 2019 at 07:43:02AM +0000, Phil Perry (pperry at elrepo.org) wrote:
>> On 15/01/2019 01:29, Jobst Schmalenbach wrote:
>>> On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry at elrepo.org) wrote:
>>>> On 14/01/2019 07:09, Jobst Schmalenbach wrote:
>> Below is my script for creating/updating an ipset to block my top 10
>> Hope that helps
> 
> Thanks, it did, cleared up conflicting info I found on the Internet.
> 

Great.

> 
> I also wanted to go the "other way": disallow everything but 2 countries (AU,NZ).
> There are even more conflicting ideas about how to do this, but I figured it out.
> 

How you handle that will depend on the default policy of the chain.

I would use 2 rules - the first to accept connections from AU,NZ, and a 
second rule subsequently DROPing all other connections, as this will 
work regardless of the default policy of the chain and the intention of 
the rules is clear to anyone reading them.

> 
> Also I cannot see a difference in speed between using (maxmind)
> 
>    -A filter_countries -m geoip --src-cc AU,NZ -j ACCEPT
> 
> and (ipdeny)
> 
>    -A filter_countries -m set --set au.geoblock src -j ACCEPT
> 
> which is really good!
> 

Yes, ipset is really efficient. My top 10 bad countries set above 
contains over 28,000 individual netblocks and runs on my EdgeRouter 
Lite, with a 500MHz embedded processor. The device is capable of Gigabit 
throughput, and I see no impact upon throughput with multiple iptables 
rules, many based on large ipsets.

> 
> Jobst
> 
> 
>
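
The two-rule approach Phil describes (ACCEPT the allow-listed countries, then an explicit DROP so the result is independent of the chain's default policy), combined with Jobst's ipset variant, as a worked script. This is an added example, not code from either poster. The set name "allow_cc", the chain name "filter_countries", the zone-file location and the ports hooked from INPUT are assumptions; the zone files are expected in the ipdeny one-IPv4-CIDR-per-line format. The script also shows the refresh pattern a cron job wants: load the new list into a temporary set and swap it in atomically, so the rule never matches against an empty or half-loaded set.

```shell
#!/bin/sh
# Added example (not from the thread): allow-list two countries with an ipset
# and a dedicated chain that ACCEPTs the set and then DROPs everything else,
# so the outcome does not depend on INPUT's default policy.
#
# Assumed names, not taken from the original posts: set "allow_cc", chain
# "filter_countries", ipdeny-style zone files (one IPv4 CIDR per line) at
# $ZONE_DIR/<cc>.zone. Set DRY_RUN=1 to print the privileged commands
# instead of executing them.

ZONE_DIR="${ZONE_DIR:-/usr/share/geoip}"
SET_NAME="${SET_NAME:-allow_cc}"
CHAIN="${CHAIN:-filter_countries}"
SET_OPTS="hash:net family inet hashsize 4096 maxelem 131072"

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Turn zone files into an ipset-restore script that fills a fresh set.
# Loading ~28k netblocks through "restore" is one ipset call, not 28k.
zone_to_restore() {
    _set="$1"; shift
    printf 'create %s %s\n' "$_set" "$SET_OPTS"
    for _f in "$@"; do
        # keep only lines that look like a.b.c.d or a.b.c.d/nn
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$_f" |
        while IFS= read -r _net; do
            printf 'add %s %s\n' "$_set" "$_net"
        done
    done
}

# Rebuild the set under a temporary name and swap it in atomically, so the
# rule referencing $SET_NAME never sees an empty or partially loaded set.
# Country codes are mapped to $ZONE_DIR/<lowercase cc>.zone (assumed layout).
refresh_set() {
    _tmp="${SET_NAME}_tmp"
    _files=""
    for _cc in "$@"; do
        _files="$_files $ZONE_DIR/$(printf '%s' "$_cc" | tr 'A-Z' 'a-z').zone"
    done
    _script=$(mktemp)
    zone_to_restore "$_tmp" $_files > "$_script"   # word-splitting intended
    run ipset restore -f "$_script"
    # First run only: the live set must exist before it can be swapped.
    ipset list -n 2>/dev/null | grep -qx "$SET_NAME" ||
        run ipset create "$SET_NAME" $SET_OPTS
    run ipset swap "$_tmp" "$SET_NAME"
    run ipset destroy "$_tmp"
    rm -f "$_script"
}

# Populate the dedicated chain: explicit ACCEPT for the set, explicit DROP for
# the rest. With both verdicts spelled out the chain behaves identically whether
# INPUT's policy is ACCEPT or DROP, and the intent is obvious to a reader.
install_rules() {
    run iptables -N "$CHAIN" 2>/dev/null || true   # harmless if it already exists
    run iptables -F "$CHAIN"
    # iptables 1.4.7 (CentOS 6) spells this "--set"; newer releases prefer
    # "--match-set" but still accept the old spelling with a warning.
    run iptables -A "$CHAIN" -m set --set "$SET_NAME" src -j ACCEPT
    run iptables -A "$CHAIN" -j DROP
}

# Send only NEW inbound connections on the given TCP ports through the filter.
# Loopback and ESTABLISHED,RELATED traffic should already be accepted earlier
# in INPUT, so a bad zone file or a mis-attributed netblock cannot cut off the
# admin session that is running this script. Run once; -A is not idempotent.
hook_ports() {
    for _port in "$@"; do
        run iptables -A INPUT -p tcp --dport "$_port" -m state --state NEW -j "$CHAIN"
    done
}

# Usage: geo-allow.sh install AU NZ   (first run: set, chain and INPUT hook)
#        geo-allow.sh refresh AU NZ   (from cron: rebuild and swap the set only)
case "${1:-}" in
    install) shift; refresh_set "$@"; install_rules; hook_ports 22 443 ;;
    refresh) shift; refresh_set "$@" ;;
esac
```

Run it first with DRY_RUN=1 and read the command list: the ACCEPT must appear before the DROP, the swap must happen only after the restore completed, and nothing else in INPUT should be touched. Because filter_countries is only reached for NEW connections on the hooked ports, the set can be refreshed from cron without dropping sessions that are already open.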