| View previous topic :: View next topic |
| Author |
Message |
vdboor
Guru
Joined: 03 Dec 2003
Posts: 592
Location: The Netherlands
|
 Posted: Wed Dec 24, 2003 8:17 pm Post subject: iptables, only allow a certain country to connect. |
 |
|
Hi,
Currenty I have an FTP service running which can be used by dutch friends to upload pictures, etc. (anything too large to send by mail) Is it possible with iptables or inetd to create a country-specific filter? more specifically, I want to drop all packets, except those originating from .nl domains.
even though I have a lot of faith in pure-ftpd, I don't really like the idea of advertising an ftp server.. 
_________________
The best way to accelerate a windows server is by 9.81M/S²
Linux user #311670 and Yet Another Perl Programmer
[ screenies | Coding on KMess ] |
|
| Back to top |
|
 |
ikaro
Advocate
Joined: 14 Jul 2003
Posts: 2527
Location: Denmark
|
| Posted: Thu Dec 25, 2003 12:54 am Post subject: |
|
|
when you add the user, in the ip mask add *.nl
I think it might work.
have you tried to look in the pureftpd docs pages ?
_________________
linux: #232767 |
|
| Back to top |
|
|
funkmankey
Guru
Joined: 06 Mar 2003
Posts: 304
Location: CH
|
| Posted: Thu Dec 25, 2003 5:32 am Post subject: |
|
|
basically you'd want to periodically sync from the zonefile from here:
http://countries.nerd.dk/more.html
and then accept ftp traffic only from netblocks in that zonefile, e.g.
| Code: | #...
$IPTABLES -N nl_ftp
# assuming netblock is listed in column 2 of /etc/nl_zonefile
# I really have no idea how the zonefile is formatted so this
# is probably wrong....
for subnet in `cat /etc/nl_zonefile | awk '{print $2}'`;
do
$IPTABLES -A nl_ftp -s $subnet -j ACCEPT
done
$IPTABLES -N allow-nl-ftp-in
$IPTABLES -F allow-nl-ftp-in
$IPTABLES -A allow-nl-ftp-in -p tcp --dport ftp -j nl_ftp
$IPTABLES -A allow-nl-ftp-in -p tcp --dport ftp -j DROP
#...later...
$IPTABLES -A INPUT -j allow-nl-ftp-in
#...etc... |
EDIT: also, my above actual ftp rule is probably naive, I know that ftp is wacky what with port mode and pasv mode and there probably need to be better incoming and outgoing rules about ports for it... exercise left to reader. also, it looks like that zonefile has ALL countries in it, so you'd need to do some sort of preparsing to extract the NL bits... /EDIT
_________________
I've got the brain, I'm insane, you can't stop the power |
|
| Back to top |
|
|
vdboor
Guru
Joined: 03 Dec 2003
Posts: 592
Location: The Netherlands
|
| Posted: Thu Dec 25, 2003 5:02 pm Post subject: |
|
|
That iptables thing is exactly what I'm looking for  wonderfull.
This is most likely a newbie question, but how do I use rsync? I've tried to rsync with the server, but all I'm getting is a connection refused message. 
_________________
The best way to accelerate a windows server is by 9.81M/S²
Linux user #311670 and Yet Another Perl Programmer
[ screenies | Coding on KMess ] |
|
| Back to top |
|
|
funkmankey
Guru
Joined: 06 Mar 2003
Posts: 304
Location: CH
|
| Posted: Thu Dec 25, 2003 7:47 pm Post subject: |
|
|
yeah, I was not able to sync against it either, same error message. you may have to contact them directly and ask for a copy of nl.countries.nerd.dk.rbldnsd, or see if they are willing to grant rsync access for you.
_________________
I've got the brain, I'm insane, you can't stop the power |
|
| Back to top |
|
|
|
Networking & Security
