[opensuse] Blocking foreigners!
Is it possible to configure IPTables to only allow connections from a particular country? Is there an online list of all the subnets used in each country? I have a webserver which I only want UK residents accessing but I've not been able to determine a complete list of IP's. If I just blocked all non-RIPE addresses that would restrict me to Europe only but there doesn't seem to be a list per country, does that mean they're all mixed up?
Regards
Matthew
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Matthew Stringer wrote:
Is it possible to configure IPTables to only allow connections from a particular country?
Is there an online list of all the subnets used in each country?
You might look here. http://www.maxmind.com/app/ip-location I don't know much about it but it seems it may offer what you need. Cheers, Dave
On Tuesday 27 February 2007 11:04, Matthew Stringer wrote:
Is it possible to configure IPTables to only allow connections from a particular country?
Is there an online list of all the subnets used in each country?
I have a webserver which I only want UK residents accessing but I've not been able to determine a complete list of IP's
You do realise that many of the people who read this list are dreadful foreigners too, don't you? Some of them are even the type of chap who would throw another chap's tea into a harbour and declare themselves independent! However, they soon came crawling back, begging to be ruled by King George again ... oh, no, wait a minute ... maybe they didn't. Some even say that SuSE itself may have once had foreigners coding for it, though of course I believe that a system invented by someone with a fine old English name like Torvalds would never really talk to a person from a horrid, 'abroad' country. But seriously, it's called 'the internet' for a reason, and you may find you get a more sympathetic response if you can tell us why you would want to do such a thing. Usually projects like that are associated with dictatorships - I assume you have something more innocent than mere xenophobia on hand?
If I just blocked all non-RIPE addresses that would restrict me to Europe only but there doesn't seem to be a list per country, does that mean they're all mixed up?
Regards
Matthew
-- Fergus Wilde Chetham's Library Long Millgate Manchester M3 1SB Tel: 0161 834 7961 Fax: 0161 839 5797 http://www.chethams.org.uk
Fergus Wilde wrote:
foreigners too, don't you? Some of them are even the type of chap who would throw another chap's tea into a harbour and declare themselves independent!
We did not! We threw it into a _harbor_ :-) Thanks for the friendly poke. I needed a laugh this morning
Damon Register
On Tuesday 27 February 2007 11:36:21 Fergus Wilde wrote:
On Tuesday 27 February 2007 11:04, Matthew Stringer wrote:
Is it possible to configure IPTables to only allow connections from a particular country?
But seriously, it's called 'the internet' for a reason, and you may find you get a more sympathetic response if you can tell us why you would want to do such a thing. Usually projects like that are associated with dictatorships - I assume you have something more innocent than mere xenophobia on hand?
OK, I run a free online game service in the UK; it's open to anyone to play. If a game has a custom map and you download that from the game server it takes ages so I have all the maps on a separate webserver. However, it's constantly being leeched to a ridiculous extent (always at my concurrent limit in Apache) by people who just want the files; if I check their IPs they're never coming from the UK. I don't have unlimited bandwidth so have to restrict it. But the problem there is that the UK based people who are playing the game can't access the webserver as all the slots are constantly used. I can't password it as the wget function of the games doesn't support it. My view is that if you're not playing my game servers you shouldn't be downloading my game files. Cheers Matthew
On Tue, Feb 27, 2007 at 12:17:23PM +0000, Matthew Stringer wrote:
I run a free online game service in the UK it's open to anyone to play.
However, it's constantly being leeched to a ridiculous extent (always at my concurrent limit in Apache) by people who just want the files; if I check their IPs they're never coming from the UK.
I don't have unlimited bandwidth so have to restrict it. But the problem there is that the UK based people who are playing the game can't access the webserver as all the slots are constantly used.
My view is that if you're not playing my game servers you shouldn't be downloading my game files.
Surely then, it would be a better policy to restrict downloads to those who are actually playing the game? E.g. use some kind of "port knocking" style scheme where only IPs that are connected to the game server can get to the webserver? Restricting it to UK-only does seem overly punishing. For example, if I wanted to play your game at work (I wouldn't, as it's against company policy, but let's say I did), then my accesses would appear to be coming from France (since that's where the company's internet gateway is), so I would be blocked, even though I'm most definitely on the northern side of the English Channel... -- David Smith Work Email: Dave.Smith@st.com STMicroelectronics Home Email: David.Smith@ds-electronics.co.uk Bristol, England GPG Key: 0xF13192F2
On Tuesday 27 February 2007 13:05:10 David SMITH wrote:
On Tue, Feb 27, 2007 at 12:17:23PM +0000, Matthew Stringer wrote:
I run a free online game service in the UK it's open to anyone to play.
However, it's constantly being leeched to a ridiculous extent (always at my concurrent limit in Apache) by people who just want the files; if I check their IPs they're never coming from the UK.
I don't have unlimited bandwidth so have to restrict it. But the problem there is that the UK based people who are playing the game can't access the webserver as all the slots are constantly used.
My view is that if you're not playing my game servers you shouldn't be downloading my game files.
Surely then, it would be a better policy to restrict downloads to those who are actually playing the game? E.g. use some kind of "port knocking" style scheme where only IPs that are connected to the game server can get to the webserver?
That would work; however, the game server and the web server are in different locations. I didn't want any traffic going over the GS's network other than game traffic.
Matthew Stringer wrote:
My view is that if you're not playing my game servers you shouldn't be downloading my game files.
I'm assuming your game maps are available over a public URL. How about handing out one-time URLs only to people who play the game? /Per Jessen, Zürich -- http://www.spamchek.com/ - managed email security. Starting at SFr1/month/user.
The Tuesday 2007-02-27 at 14:39 +0100, Per Jessen wrote:
My view is that if you're not playing my game servers you shouldn't be downloading my game files.
I'm assuming your game maps are available over a public URL. How about handing out one-time URLs only to people who play the game?
Could it be that web crawlers, such as google search engine, are searching his web? If that's so, a simple password scheme would work - no, hold on, I think he said the game didn't support it. Another method to impede crawlers or robots, perhaps? -- Cheers, Carlos E. R.
On 2/27/07, Carlos E. R.
Another method to impede crawlers or robots, perhaps?
A robots.txt file should do the job, if it's only a matter of blocking search engine crawler's traffic. -- => Don't Let Your Fears Stand in The Way of Your Dreams !!! <= => http://www.delymyth.net/ ~ http://wiki.delymyth.net/ <= => FREE Hardware Anti-Virus!!! - /dev/brain <=
Quoting Fergus Wilde
You do realise that many of the people who read this list are dreadful foreigners too, don't you? Some of them are even the type of chap who would throw another chap's tea into a harbour and declare themselves independent! However, they soon came crawling back, begging to be ruled by King George again ... oh, no, wait a minute ... maybe they didn't.
Unfortunately, we in the US seem to be ruled by King George without having crawled back. But sometimes it seems the UK is ruled by King George also thru a puppet/proxy/patsy. As the Grateful Dead say, "What a long strange trip it's been." ;) Jeffrey
On Tuesday 27 February 2007 13:14, Jeffrey Taylor wrote:
... As the Grateful Dead say, "What a long strange trip it's been."
It's over?? Where did we end up?
;) Jeffrey
RRS
Jeffrey Taylor wrote:
Quoting Fergus Wilde:
[snip] You do realise that many of the people who read this list are dreadful foreigners too, don't you? Some of them are even the type of chap who would throw another chap's tea into a harbour and declare themselves independent! However, they soon came crawling back, begging to be ruled by King George again ... oh, no, wait a minute ... maybe they didn't.
Unfortunately, we in the US seem to be ruled by King George without having crawled back. But sometimes it seems the UK is ruled by King George also thru a puppet/proxy/patsy. As the Grateful Dead say, "What a long strange trip it's been."
;) Jeffrey
LOL It's nothing personal, if I could run a global game service I would but when you have a web server that's using nearly 100Mb/s of bandwidth continually 24/7 the people that own that bandwidth start to notice! Matthew
Matthew Stringer wrote:
It's nothing personal, if I could run a global game service I would but when you have a web server that's using nearly 100Mb/s of bandwidth continually 24/7 the people that own that bandwidth start to notice!
You could perhaps take note of the worst "offenders" and/or their networks, and then either block them completely or limit the bandwidth you allow them to use. /Per Jessen, Zürich -- http://www.spamchek.com/ - managed email security. Starting at SFr1/month/user.
Jeffrey Taylor wrote:
Quoting Fergus Wilde:
[snip] You do realise that many of the people who read this list are dreadful foreigners too, don't you? Some of them are even the type of chap who would throw another chap's tea into a harbour and declare themselves independent! However, they soon came crawling back, begging to be ruled by King George again ... oh, no, wait a minute ... maybe they didn't.
Unfortunately, we in the US seem to be ruled by King George without having crawled back. But sometimes it seems the UK is ruled by King George also thru a puppet/proxy/patsy. As the Grateful Dead say, "What a long strange trip it's been."
Fortunately (!) he seems to only have control of our military. I'm sure all that'll change under Cameron.
You can use IP2Country database, a CSV file with IP ranges (decimal) by country. Google for "ip2country database". Use your imagination to apply the data to iptables. :-) I'd use mysql and php. HTH, Pedro
On Tue, 27 Feb 2007, Matthew Stringer
Is it possible to configure IPTables to only allow connections from a particular country?
In a round-about way, yes.
Is there an online list of all the subnets used in each country?
Have you looked at the RIPE FTP server? They have a complete list of all allocations of the space they allocate[0], which country it's allocated to, and the list is updated on a daily basis. You can find a copy of it here: URL:ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
I have a webserver which I only want UK residents accessing but I've not been able to determine a complete list of IP's
I'm curious as to why you'd only want it accessible by UK residents, rather than everyone. Also, any reason why you couldn't just use .htaccess to password-protect the pages? Much easier, unless you want to make it appear that there is no server running.
If I just blocked all non-RIPE addresses that would restrict me to Europe only but there doesn't seem to be a list per country, does that mean they're all mixed up?
Yes, they're very well mixed up. You'll find allocations of varying sizes allocated to a variety of countries, and in no apparent order. The fun part of doing this would be extracting the data from the list and converting it to a suitable format for iptables. The reason for the conversion? For the ipv4 entries, the data has the start IP address and the total number of IP addresses allocated. You will need to convert from that format to CIDR format. Details of the format used are here: URL:ftp://ftp.ripe.net/pub/stats/ripencc/RIR-Statistics-Exchange-Format.txt
[0] They also include the daily lists for the other NICs as well, although they may be more than 24 hours old.
Regards, David Bolt -- Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/ RISCOS 3.11 | SUSE 10.0 32bit | SUSE 10.0 64bit | openSUSE 10.2 32bit RISCOS 3.6 | SUSE 10.1 32bit | SUSE 10.1 64bit | openSUSE 10.2 64bit TOS 4.02 | SUSE 9.3 32bit | | openSUSE 10.3a1 32bit
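The conversion David Bolt describes (start address plus address count to CIDR), as an added example that is not part of the original thread. The sample records are constructed from documentation address ranges, and the chain name UK_ONLY and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the RIR statistics exchange format:
# registry|cc|type|start|value|date|status
SAMPLE = """\
2|ripencc|20070227|4|19830705|20070227|+0000
ripencc|*|ipv4|*|3|summary
ripencc|GB|ipv4|192.0.2.0|256|20070101|allocated
ripencc|FR|ipv4|198.51.100.0|256|20070101|allocated
ripencc|GB|ipv4|203.0.113.0|192|20070101|assigned
ripencc|GB|ipv6|2001:db8::|32|20070101|allocated
"""


def country_cidrs(text, country):
    """Return the IPv4 CIDR blocks delegated to `country` (ISO code)."""
    nets = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        # Skips the version header, summary lines, ipv6/asn records
        # and records for other countries.
        if len(f) < 7 or f[1] != country or f[2] != "ipv4":
            continue
        if f[6] not in ("allocated", "assigned"):
            continue
        first = ipaddress.IPv4Address(f[3])
        last = first + (int(f[4]) - 1)
        # For ipv4 the value field is an address count, not a prefix
        # length, and it need not be a power of two: one record can
        # expand to several CIDR blocks.
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent blocks so the rule list stays as short as possible.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def iptables_rules(cidrs, chain="UK_ONLY", port=80):
    """Render an allow-list chain: accept listed sources, drop the rest."""
    rules = [f"iptables -N {chain}"]
    rules += [f"iptables -A {chain} -s {c} -j ACCEPT" for c in cidrs]
    rules.append(f"iptables -A {chain} -j DROP")
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j {chain}")
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules(country_cidrs(SAMPLE, "GB"))))
```

Since the delegated file is updated daily, the generated rules would need regenerating on a similar schedule to stay accurate.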
On 2/27/07, David Bolt
On Tue, 27 Feb 2007, Matthew Stringer wrote:-
Is it possible to configure IPTables to only allow connections from a particular country?
In a round-about way, yes.
Is there an online list of all the subnets used in each country?
Have you looked at the RIPE FTP server? They have a complete list of all allocations of the space they allocate[0], which country it's allocated to, and the list is updated on a daily basis. You can find a copy of it here:
URL:ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
I have a webserver which I only want UK residents accessing but I've not been able to determine a complete list of IP's
I'm curious as to why you'd only want it accessible by UK residents, rather than everyone. Also, any reason why you couldn't just use .htaccess to password-protect the pages? Much easier, unless you want to make it appear that there is no server running.
I would not bother doing this. I've bumped into quite a number of such services limited to some country IP addresses. To my money it is not worth the time spent on such protection. Immediately you'll find other services that suggest "anonymizing proxy" with addresses from that specific country. I've also seen another type of "country related" protection: one site requests username and password, that are actually the answer to some quiz. The question itself is very simple for the "natives" of this country, like the names of the characters from kids cartoons. They also change it from time to time. But it is written using some native encoding in such a way that normal browsers display it in the message box as "abracadabra" and only "localized" version of M$ browser can display it properly... Still this is easily breakable. Using text mode browser in Linux (like lynx or w3m) it is possible to store the "quiz" message box to text file and then decode it using e.g. Kate. What luck that it is not applicable to English-speaking countries :-) -- Mark Goldstein
participants (14): Carlos E. R., Damon Register, Dave Howorth, David Bolt, David SMITH, DElyMyth, Fergus Wilde, Jeffrey Taylor, Mark Goldstein, Matthew Stringer, Pedro Marques, Per Jessen, Randall R Schulz, Russell Jones