Blocking by country

chaouche yacine yacinechaouche at yahoo.com
Wed Oct 21 14:16:40 CEST 2020


Look up "geofence" and see if you can get any good results for what you're trying to achieve.
I am doing things at two different levels: the firewall, and the MTA (postfix).

1/ At the firewall level
With shorewall, it's as simple as giving the country codes (US, CN, FR, CA...) you want to let in or block.
My firewall's policy is to deny all access from outside except for what I explicitly authorize in the rules.
The policy file looks like this:

$FW     net     ACCEPT
net     $FW     DROP    INFO

Which reads: from firewall to internet, accept all. From internet to firewall, drop and log.
Now I can put the exceptions in the rules file:

#ACTION           SOURCE                 DEST            PROTO   DEST PORTS
?SECTION NEW
ACCEPT            net:192.168.0.0/16     $FW              all
ACCEPT            net:172.16.0.0/12      $FW              all
ACCEPT            net:10.10.10.0/24      $FW              all
ACCEPT            net:^[DZ,US,TN]        $FW              all
ACCEPT            net                    $FW              tcp    $sshport,25,80,443


Which reads: lines 1-3 create an exception for incoming connections from the LAN; line 4 creates an exception for countries DZ, US, TN; the last line is an exception for SMTP, HTTP and HTTPS.
For this geofence to work you need:
1- a specific kernel module that allows iptables to use geoip for its filtering capabilities
2- to download the database of IPs (a provided tool does that for you, but it might not work)


The detailed procedure is explained in this page from my personal wiki https://ychaouche.informatick.net/shorewallcountrybasedacls
2/ At the postfix level
I have a specific map to reject senders, which contains qq.com and another domain:
root at messagerie[10.10.10.19] ~ # cat /etc/postfix/maps/reject_senders
qq.com  REJECT
uscourtsgov.com REJECT
root at messagerie[10.10.10.19] ~ #
This map file is given to the smtpd_sender_restrictions configuration option, with check_sender_access as the configured restriction, like so:

root at messagerie[10.10.10.19] ~ # grep /etc/postfix/maps/reject_senders /etc/postfix/main.cf
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/maps/reject_senders
root at messagerie[10.10.10.19] ~ #



Yasine.
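
As an added illustration (not code from the post), the following Python simulates how Postfix resolves a check_sender_access lookup against the reject_senders map shown above: the map contents are copied from the post plus one constructed full-address entry, and the lookup order follows access(5).

```python
"""Simulate Postfix check_sender_access lookups against an access(5) table.

Lookup order for a sender user@domain.tld, per access(5):
  1. user@domain.tld   (full address)
  2. domain.tld        (the sender's domain)
  3. parent domains    (bare names when smtpd_access_maps is listed in
                        parent_domain_matches_subdomains, the default;
                        ".domain.tld" names otherwise)
  4. user@             (local part only)
The first matching key decides the action.
"""
from typing import Dict, Optional

# Constructed copy of /etc/postfix/maps/reject_senders from the post, plus one
# constructed full-address entry to show that a more specific key wins.
REJECT_SENDERS_MAP = """\
# key                   action
qq.com                  REJECT
uscourtsgov.com         REJECT
clerk@uscourtsgov.com   OK
"""


def parse_access_map(text: str) -> Dict[str, str]:
    """Parse access(5) source text into {key: action}; keys are lowercased."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # postmap ignores blanks and comments
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue                      # postmap would warn about a missing action
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_sender(table: Dict[str, str], sender: str,
                  legacy_parent_match: bool = True) -> Optional[str]:
    """Return the action for sender, or None when no key matches."""
    sender = sender.lower()               # smtpd folds lookup keys to lowercase
    local, domain = sender.rsplit("@", 1) if "@" in sender else (sender, "")
    keys = [sender]
    if domain:
        keys.append(domain)
        labels = domain.split(".")
        for i in range(1, len(labels)):   # parent domains, most specific first
            parent = ".".join(labels[i:])
            keys.append(parent if legacy_parent_match else "." + parent)
        keys.append(local + "@")
    return next((table[k] for k in keys if k in table), None)


TABLE = parse_access_map(REJECT_SENDERS_MAP)
```

On a real host the equivalent check is `postmap -q sender@domain hash:/etc/postfix/maps/reject_senders`, which prints the action for the first matching key.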

More information about the amavis-users mailing list