Hello Al,

Please keep it on the list.

An ipset is basically external storage in kernel space. It can contain a couple of layer three and four pieces of information, like IP addresses or ports. You can match on said characteristics with the "set" iptables match module. You need to load the ipset before you load the rules, otherwise you can't load them.

Example rules and ipset:

Rule:
-A INPUT -m set ! --match-set new-zealand src -j DROP

ipset:
create new-zealand hash:net family inet hashsize 1024 maxelem 65535
add new-zealand 10.0.0.0/8
add new-zealand 172.16.0.0/12

The rule matches all traffic that does not come from an IP contained in any of the networks in the set "new-zealand".

I don't know what distribution you use, so I can't tell you where it's supposed to go on your host. On Arch Linux, you have /etc/ipset.conf.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 02.10.2014 at 19:45, Al Grant wrote:
> Thanks for the fast reply Noel.
>
> I'm not particularly good with iptables or ipset. Would you mind
> providing a little more detail?
>
> Thanks in advance,
>
> -Al
>
>
> On Fri, Oct 3, 2014 at 6:35 AM, Noel Kuntze <noel@xxxxxxxxxxxxxxxxx> wrote:
>> Hello Al,
>>
>> Yes, that is possible. Get the list of subnets that is assigned to the ISPs in
>> New Zealand and put it into an ipset. Then match on said ipset with the "set"
>> match module.
>>
>> Kind regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 02.10.2014 at 19:27, Al Grant wrote:
>>> Hi All,
>>>
>>> I have an Amazon instance running asterisk. I think it also has fail2ban running.
>>>
>>> I want to lock it down a little as I have opened up some ports for
>>> asterisk to run.
>>>
>>> In essence no traffic should connect to it except from my country .nz
>>>
>>> Is there a way to do this? I see a few websites list some very long
>>> lists of iptables per country.
>>>
>>> Cheers
>>>
>>> -Al
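Added example (not from the thread): a Python script that validates the network list, emits the ipset restore text and the iptables rules in the order Noel describes (set first, rules second), and emulates the "! --match-set ... src" match against a few constructed source addresses. The set name, rule and the two sample networks are the ones from the message; the conntrack ACCEPT line and the sample sources are my additions, and verdict() is an emulation of the match, not the kernel.

```python
import ipaddress

SET_NAME = "new-zealand"
# Sample networks exactly as given in the message (placeholders, not real .nz ranges)
NETWORKS = ["10.0.0.0/8", "172.16.0.0/12"]


def parse_networks(cidrs):
    """Validate every CIDR up front: one bad entry aborts `ipset restore`, and a
    missing set then makes the iptables rule that references it fail to load too."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]  # ValueError on junk


def ipset_restore_text(name, nets, hashsize=1024, maxelem=65535):
    """Input for `ipset restore`; apply it BEFORE the iptables rules."""
    lines = [f"create {name} hash:net family inet hashsize {hashsize} maxelem {maxelem}"]
    lines += [f"add {name} {n}" for n in nets]
    return "\n".join(lines) + "\n"


def iptables_rules_text(name):
    """INPUT rules for iptables-restore. The conntrack line is my addition: without
    it, replies to connections the host itself opened (DNS, package updates) would be
    dropped whenever the remote end is outside the set."""
    return (
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
        f"-A INPUT -m set ! --match-set {name} src -j DROP\n"
    )


def verdict(src, nets):
    """Emulate `-m set ! --match-set <name> src -j DROP` for a new inbound packet:
    hash:net matches when the source lies inside any stored network, and the `!`
    negates that, so only sources outside every network hit the DROP."""
    addr = ipaddress.ip_address(src)
    return "PASS" if any(addr in n for n in nets) else "DROP"


if __name__ == "__main__":
    nets = parse_networks(NETWORKS)
    print(ipset_restore_text(SET_NAME, nets))
    print(iptables_rules_text(SET_NAME))
    # Constructed sample sources: inside 10/8, last host of 172.16/12, just past it, public
    for src in ["10.1.2.3", "172.31.255.254", "172.32.0.1", "203.0.113.7"]:
        print(f"{src:>15} -> {verdict(src, nets)}")
```

"family inet" makes this an IPv4-only set; IPv6 traffic needs a separate "family inet6" set referenced from ip6tables.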