{"id":1339,"date":"2018-12-14T12:16:02","date_gmt":"2018-12-14T11:16:02","guid":{"rendered":"http:\/\/diablo.craem.net\/?p=1339"},"modified":"2018-12-14T12:16:02","modified_gmt":"2018-12-14T11:16:02","slug":"geoip-debian-wheezy-7","status":"publish","type":"post","link":"https:\/\/diablo.craem.net\/?p=1339","title":{"rendered":"GeoIP Debian Wheezy (7)"},"content":{"rendered":"\n<p>Another note-to-self entry&#8230; This time, I want to allow access to port 25 of my mail server from my local network, VPN and Spanish subnets; I already have an antispam on a separate machine and I do not want the server to be reached routinely for mail delivery.<br \/><br \/>\nThe original post is here:<br \/><br \/>\n<a href>https:\/\/terminal28.com\/how-to-block-countries-using-iptables-debian\/<\/a><br \/><br \/>\nThis is only an example, but it can be applied to other things&#8230; SSH, VoIP or whatever you need.<\/p>\nFirst of all, we install the dependencies:<br \/><br \/><br \/>\n<code>\n# apt-get install libtext-csv-xs-perl module-assistant geoip-database libgeoip1<br \/>\n# module-assistant --verbose --text-mode auto-install xtables-addons<br \/>\n<\/code><br \/><br \/>\nOnce the dependencies are installed, we install the MaxMind databases:<br \/><br \/>\n<code>\n# mkdir \/usr\/share\/xt_geoip<br \/>\n# cd \/usr\/share\/xt_geoip<br \/>\n# wget https:\/\/terminal28.com\/wp-content\/uploads\/2013\/10\/geoip-dl-build.tar.gz<br \/>\n# tar xvf geoip-dl-build.tar.gz<br \/>\n# .\/xt_geoip_dl<br \/>\n# .\/xt_geoip_build -D . 
*.csv<br \/>\n# rm -fr geoip-dl-build.tar.gz<br \/>\n<\/code>\n<br \/>\n<br \/>\nOnce that is done, we configure iptables as follows:\n<br \/>\n<br \/>\n<br \/>\n<code>\n# Generated by iptables-save v1.4.14 on Fri Jan  3 15:57:31 2014<br \/>\n*filter<br \/>\n:INPUT ACCEPT [541:131352]<br \/>\n:FORWARD ACCEPT [0:0]<br \/>\n:OUTPUT ACCEPT [528:125051]<br \/>\n:SIPDOS - [0:0]<br \/>\n:SSHDDOS - [0:0]<br \/>\n:MYSQLDOS - [0:0]<br \/>\n:SMTPDDOS - [0:0]<br \/>\n-A INPUT -m geoip --src-cc CN,UA,TW -j DROP<br \/>\n-A INPUT -s 127.0.0.0\/8 -p tcp -m tcp --dport 22109 -j ACCEPT<br \/>\n-A INPUT -s 192.168.0.0\/16 -p tcp -m tcp --dport 22109 -j ACCEPT<br \/>\n-A INPUT -s 192.168.0.0\/16 -p tcp -m tcp --dport 3306 -j ACCEPT<br \/>\n-A INPUT -s 127.0.0.0\/8 -p tcp -m tcp --dport 3306 -j ACCEPT<br \/>\n-A INPUT -s 192.168.0.0\/16 -p tcp -m tcp --dport 25 -j ACCEPT<br \/>\n-A INPUT -s 10.0.0.0\/8 -p tcp -m tcp --dport 25 -j ACCEPT<br \/>\n-A INPUT -s 127.0.0.0\/8 -p tcp -m tcp --dport 25 -j ACCEPT<br \/>\n-A INPUT -m geoip --src-cc ES -p tcp -m tcp --dport 25 -j ACCEPT<br \/>\n-A INPUT -p tcp -m tcp --dport 22109 -j SSHDDOS<br \/>\n-A INPUT -p tcp -m tcp --dport 3306 -j MYSQLDOS<br \/>\n-A INPUT -p tcp -m tcp --dport 25 -j SMTPDDOS<br \/>\n-A SIPDOS -j LOG --log-prefix \"firewall-sipdos: \" --log-level 6<br \/>\n-A SIPDOS -j DROP<br \/>\n-A SMTPDDOS -j LOG --log-prefix \"firewall-smtpddos: \" --log-level 6<br \/>\n-A SMTPDDOS -j DROP<br \/>\n-A SSHDDOS -j LOG --log-prefix \"firewall-sshddos: \" --log-level 6<br \/>\n-A SSHDDOS -j DROP<br \/>\n-A MYSQLDOS -j LOG --log-prefix \"firewall-mysqldos: \" --log-level 6<br \/>\n-A MYSQLDOS -j DROP<br \/>\n<br \/>\nCOMMIT<br \/>\n<\/code>\nEnjoy your iptables \ud83d\ude09\n<br \/><\/p>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Another note-to-self entry&#8230; 
This time, I want to allow access to port 25 of my mail server from my local network, VPN and Spanish subnets; I already have an antispam on a separate machine and I do not want the server to be reached routinely for mail delivery. The original post is here: https:\/\/terminal28.com\/how-to-block-countries-using-iptables-debian\/ This [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[58,82,93,145],"class_list":["post-1339","post","type-post","status-publish","format-standard","hentry","category-linux","tag-debian","tag-geoip","tag-iptables","tag-postfi"],"_links":{"self":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/1339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1339"}],"version-history":[{"count":0,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/1339\/revisions"}],"wp:attachment":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1339"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}