Gentoo IPTables Xtables-addons Block countries
WHY
Because there are kinda tons of infected computers in Japan and Pakistan which try to send spam to me (or use me as a relay). My Postfix is set up to refuse relaying, but it still has to check each connecting IP against the DNSBL lists.
HOW
Use geoip with iptables!
I'm using Gentoo, so patch-o-matic doesn't seem to be integrated yet.
Step 1. Get the latest patch-o-matic from ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and unpack it
Step 2. Find out what iptables version you have
emerge iptables -vp
Step 3. Get the source for your version, unpack and compile it (replace 1.4.3.2 with the version you got above)
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild unpack
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild compile
Step 4. Go to your unpacked patch-o-matic dir and run
./runme --download
IPTABLES_DIR=/var/tmp/portage/net-firewall/iptables-1.4.3.2/work/iptables-1.4.3.2 KERNEL_DIR=/usr/src/linux ./runme geoip
Step 5. Go to /usr/src/linux, enable geoip as a module and recompile (I do make uImage because I'm using Gentoo on an ARM arch here; on other archs use your normal kernel image target instead)
cd /usr/src/linux
make menuconfig
# Symbol: NETFILTER_XT_MATCH_GEOIP[=m]
# Prompt: "geoip" match support
# -> Networking support (NET [=y])
# -> Networking options
# -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
# -> Core Netfilter Configuration
# -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
make uImage && make modules && make modules_install
Step 6. Install the newly patched iptables
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild install
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild qmerge
Examples at http://people.netfilter.org/~peejix/geoip/howto/geoip-HOWTO-3.html
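As an added example (my own script, not from the post or the linked HOWTO), here is what the resulting rules look like for the spam case above: SMTP connections from a list of countries are sent through a dedicated chain, logged at a limited rate and dropped. The function prints the iptables commands instead of running them so they can be reviewed first. It assumes the geoip match built above is loaded (xt_geoip, going by the Kconfig symbol) with its country database installed, and that the match takes the --src-cc option as documented in the HOWTO; the chain name GEOBLOCK is my own choice.

```shell
#!/bin/sh
# Added example, not from the original post: generate the iptables rules that
# send SMTP connections from a list of countries through a dedicated chain
# and drop them. Assumes the geoip match (xt_geoip) and its database are
# installed. The chain name GEOBLOCK is an assumption of this script.

CHAIN=${CHAIN:-GEOBLOCK}

# geoip_block_rules COUNTRIES [PORT]
#   COUNTRIES: comma-separated ISO 3166 codes, e.g. JP,PK (case does not matter)
#   PORT:      TCP port to protect, default 25 (SMTP)
# Prints the rules rather than running them; apply them (as root) with:
#   geoip_block_rules JP,PK 25 | sh
geoip_block_rules() {
    cc=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    port=${2:-25}
    # Refuse anything that is not letters and commas: the list ends up on a
    # command line, and a typo here must not silently become an empty match.
    case "$cc" in
        ''|*[!A-Z,]*) echo "geoip_block_rules: bad country list '$1'" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m geoip --src-cc $cc -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "geoip-drop: "
iptables -A $CHAIN -m geoip --src-cc $cc -j DROP
iptables -D INPUT -p tcp --dport $port --syn -j $CHAIN 2>/dev/null
iptables -I INPUT -p tcp --dport $port --syn -j $CHAIN
EOF
}

# Only new connections (--syn) enter the chain, so the country lookup runs once
# per session rather than once per packet. Deleting any existing jump before
# re-inserting it keeps repeated runs from stacking duplicate INPUT rules.

# When run directly: print the rules for the post's case (Japan and Pakistan,
# port 25), or for the countries and port given on the command line.
geoip_block_rules "${1:-JP,PK}" "${2:-25}"
```

After applying, `iptables -L GEOBLOCK -v -n` shows the per-rule counters and the kernel log carries the "geoip-drop: " lines; `iptables -m geoip -h` lists the match's options if the userspace library from the patch was installed correctly.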
And you're done.