Re: CentOS 6.X, iptables 1.47 and GeoLite2 Country Database




On 16/01/2019 02:04, Jobst Schmalenbach wrote:
> On Tue, Jan 15, 2019 at 07:43:02AM +0000, Phil Perry (pperry@xxxxxxxxxx) wrote:
>> On 15/01/2019 01:29, Jobst Schmalenbach wrote:
>>> On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry@xxxxxxxxxx) wrote:
>>>> On 14/01/2019 07:09, Jobst Schmalenbach wrote:
>>>> Below is my script for creating/updating an ipset to block my top 10
>>>> Hope that helps
>>>
>>> Thanks, it did, cleared up conflicting info I found on the Internet.
>>
>> Great.
>
> I also wanted to go the "other way": disallow everything but 2 countries (AU,NZ).
> There are even more conflicting ideas about how to do this, but I figured it out.

How you handle that will depend on the default policy of the chain.

I would use 2 rules - the first to accept connections from AU,NZ, and a second rule subsequently DROPing all other connections, as this will work regardless of the default policy of the chain and the intention of the rules is clear to anyone reading them.

> Also I cannot see a difference in speed between using (maxmind)
>
>    -A filter_countries -m geoip --src-cc AU,NZ -j ACCEPT
>
> and (ipdeny)
>
>    -A filter_countries -m set --set au.geoblock src -j ACCEPT
>
> which is really good!

Yes, ipset is really efficient. My top 10 bad countries set above contains over 28,000 individual netblocks and runs on my EdgeRouter Lite, with a 500MHz embedded processor. The device is capable of Gigabit throughput, and I see no impact upon throughput with multiple iptables rules, many based on large ipsets.

> Jobst
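The allow-list pattern discussed in this thread (ACCEPT traffic from the AU and NZ ipsets, then DROP everything else so the result does not depend on the chain's default policy), written out as an added example. This is not Phil's script or anything posted on the list; it assumes ipdeny-style zone files (one CIDR per line), the set naming `<cc>.geoblock` used in the thread, a chain called `filter_countries`, and it only emits text for `ipset restore` and `iptables-restore` rather than touching the kernel, so the generated rules can be reviewed before loading. The sample zone contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build an ipset-based country allow-list
# (ACCEPT AU,NZ, DROP everything else) from ipdeny-style zone files.
# Nothing here needs root or the ipset/iptables binaries; the functions only
# print the input for `ipset restore` and `iptables-restore`.

# Constructed sample zone contents standing in for au.zone and nz.zone.
# Real ipdeny files hold thousands of lines; blank lines and comments are
# tolerated so a partially edited file does not break the build.
AU_ZONE='1.0.0.0/24
# comment line
1.0.4.0/22

103.1.8.0/22'
NZ_ZONE='14.1.32.0/19
27.252.0.0/16'

# Only accept dotted-quad prefixes; anything else is silently skipped.
CIDR_RE='^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/[0-9]+)?$'

# Count the prefixes that survive filtering. Check this before swapping a new
# set into service: a failed or truncated download would otherwise replace a
# populated allow-list with an empty one and lock everybody out.
# Usage: count_prefixes <zone text>
count_prefixes() {
  printf '%s\n' "$1" | grep -cE "$CIDR_RE"
}

# Emit `ipset restore` input that fills a temporary set <cc>.geoblock.tmp.
# Building into a temporary set and then `ipset swap`-ing it over the live one
# (see the usage note) keeps the live set fully populated while rules reference it.
# Usage: build_ipset_restore <cc> <zone text>
build_ipset_restore() {
  cc=$1
  zone=$2
  printf 'create %s.geoblock.tmp hash:net family inet hashsize 1024 maxelem 65536\n' "$cc"
  printf '%s\n' "$zone" | grep -E "$CIDR_RE" |
    while read -r net; do
      printf 'add %s.geoblock.tmp %s\n' "$cc" "$net"
    done
}

# Emit the rules for one chain in the order recommended in the thread:
# one ACCEPT per allowed country set, then an unconditional DROP.
# Usage: build_iptables_rules <chain> <cc>...
build_iptables_rules() {
  chain=$1
  shift
  for cc in "$@"; do
    # --match-set is the current spelling; the older --set used in the thread
    # is still accepted by iptables 1.4.7.
    printf -- '-A %s -m set --match-set %s.geoblock src -j ACCEPT\n' "$chain" "$cc"
  done
  printf -- '-A %s -j DROP\n' "$chain"
}

# Stand-alone run: print what would be loaded.
build_ipset_restore au "$AU_ZONE"
build_ipset_restore nz "$NZ_ZONE"
build_iptables_rules filter_countries au nz
```

To load the result on a real box: `build_ipset_restore au "$(cat au.zone)" | ipset restore`, then `ipset create au.geoblock hash:net -exist` (so the first run has something to swap with), `ipset swap au.geoblock.tmp au.geoblock` and `ipset destroy au.geoblock.tmp`. The rule lines are fragments in the same form as the ones quoted in the thread and belong inside a `*filter` ... `COMMIT` block of an `iptables-restore` file, with a jump into `filter_countries` from INPUT or FORWARD.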




_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


