On 07/29/2017 07:44 PM, Doug Barton wrote:
> On 07/25/2017 07:54 AM, mj wrote:
>> Since we implemented country blocking,
> Please don't do that. Balkanizing the Internet doesn't really benefit anyone, and makes innovation a lot more difficult.
Perhaps I need to be more specific:
I block certain countries from accessing imap/smtp directly, as that is where all the botnets seem to be trying their passwords.
I do not block entire countries from accessing us completely (the hammer), but rather block their access to imap and smtp on my mailserver. (This is what I like to see as a precision tool.)
For the record I improved my iptables rules a lot compared to the mail you replied to. I am now using a chain, like this:
    # Dedicated chain that drops traffic from the listed source countries
    $IPTABLES -N filter_countries
    $IPTABLES -A filter_countries -m geoip --src-cc CN,AG,MX,etc -j DROP
    $IPTABLES -A filter_countries -m geoip --src-cc MD,SD,SS,etc -j DROP
and then:
    # Only the mail ports are sent through the chain (IMAP, IMAPS, SMTPS)
    $IPTABLES -I INPUT 1 -p tcp --dport 143 -j filter_countries
    $IPTABLES -I INPUT 1 -p tcp --dport 993 -j filter_countries
    $IPTABLES -I INPUT 1 -p tcp --dport 465 -j filter_countries
This makes it a lot more efficient, compared to the (many) rules I was using earlier.
MJ
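The per-service chain approach above, as an added example that is not MJ's posted rules: it builds the same filter_countries chain for ip6tables as well as iptables (a dual-stack mail server that only geoip-filters IPv4 leaves the same ports reachable over IPv6), exempts admin networks before the geoip drop so you cannot lock yourself out, and consults geoip only for NEW connections instead of every packet. The country list, admin networks and port set are assumed placeholders; the script prints the commands by default (DRY_RUN=1) and needs root plus the xt_geoip module from xtables-addons with a current database to apply them.

```shell
#!/bin/sh
# Added example, not MJ's rules: per-service geoip chain for IPv4 and IPv6.
# Country codes, admin networks and ports below are assumed placeholders.
# Applying (DRY_RUN=0) requires root and a loaded xt_geoip with its database.
set -eu

BLOCKED_CC="${BLOCKED_CC:-CN,AG,MX}"          # assumed example country list
ADMIN_NETS4="${ADMIN_NETS4:-192.0.2.0/24}"    # assumed; never dropped
ADMIN_NETS6="${ADMIN_NETS6:-2001:db8::/32}"   # assumed; never dropped
MAIL_PORTS="${MAIL_PORTS:-143 993 465 587}"   # IMAP, IMAPS, SMTPS, submission
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = apply

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_chain TOOL ADMIN_NETS
# TOOL is iptables or ip6tables. Creates filter_countries, lets the admin
# networks RETURN to INPUT before the geoip DROP, then hooks the chain into
# INPUT for each mail port. Matching only NEW connections means geoip is
# consulted once per connection rather than for every packet of a session.
build_chain() {
    tool="$1"
    admin_nets="$2"
    run "$tool" -N filter_countries
    for net in $admin_nets; do
        run "$tool" -A filter_countries -s "$net" -j RETURN
    done
    run "$tool" -A filter_countries -m geoip --src-cc "$BLOCKED_CC" -j DROP
    for port in $MAIL_PORTS; do
        # -I INPUT 1 in a loop leaves the rules in reverse port order; harmless.
        run "$tool" -I INPUT 1 -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j filter_countries
    done
}

build_chain iptables "$ADMIN_NETS4"
build_chain ip6tables "$ADMIN_NETS6"
```

After applying, check that the chain is in place and actually catching traffic: `iptables -L filter_countries -n -v` shows the packet counter on the DROP rule climbing as blocked clients connect, and `iptables -L INPUT -n -v --line-numbers` confirms the hook rules sit ahead of any accept rules for the mail ports. Two caveats a practitioner will want: the match is only as good as the geoip database, so keep it updated, and botnet nodes in countries you have not listed still reach the port, so this complements rather than replaces per-IP rate limiting of failed logins.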