On 03/24/2014 06:08 PM, Timothy Butterworth wrote:

On Monday, March 24, 2014 03:13:10 AM Timothy Butterworth wrote:

...

If you are simply going to drop all packets silently (recommend) then use the iptables hash function as it uses less memory and processes faster as well. Their are a lot of examples available on the internet. If you are allowing established connections and have not implemented deny by default permit by exception in and out then place this above your established statements inbound. Also use supernet to block their entire country range to reduce the number of entries. You can also make statements to block outbound as well Mascarade is not an issue with this make sure you are blocking as source inbound and destination outbound.

I am on my cell I'll take a look at your attachment when I get a chance.

Here is an article that describes an easy way to implement a full country block. http://www.itworld.com/security/397733/how-block-traffic-other-countries-lin...

I somehow missed your original message. Anyways, I didn't find anything about hashing at a quick glance. I'm going to dig a bit deeper the next days. Basically, what I have now and what I'd like to optimize a bit is this: #!/bin/bash IPTABLES="/sbin/iptables" ANY="0.0.0.0/0" BLOCKDIR="blocklist.d" if ! test -d ${BLOCKDIR}; then mkdir ${BLOCKDIR} fi curl -s http://www.ipdeny.com/ipblocks/data/countries/cn.zone -o ${BLOCKDIR}/cn.zone curl -s http://www.ipdeny.com/ipblocks/data/countries/kr.zone -o ${BLOCKDIR}/kr.zone curl -s http://www.ipdeny.com/ipblocks/data/countries/ps.zone -o ${BLOCKDIR}/ps.zone for FILE in ${BLOCKDIR}/*zone; do for ADDRESS in $(cat ${FILE}); do $IPTABLES -A INPUT -s ${ADDRESS} -d $ANY -j DROP $IPTABLES -A INPUT -s ${ADDRESS} -d $ANY -j LOG --log-prefix "Packet log: COUNTRY BLOCK " $IPTABLES -A FORWARD -s ${ADDRESS} -d $ANY -j DROP $IPTABLES -A FORWARD -s ${ADDRESS} -d $ANY -j LOG --log-prefix "Packet log: COUNTRY BLOCK " done done This is executed in my main firewall script before my custom rules are set. -S -- (o_ Stefan Gofferje | SCLT, MCP, CCSA //\ Reg'd Linux User #247167 | VCP #2263 V_/_ Heckler & Koch - the original point and click interface