Discussion:
ban traffic per country
Al Grant
2014-10-02 17:27:10 UTC
Permalink
Hi All,

I have an Amazon instance running asterisk. I think it also has fail2ban running.

I want to lock it down a little as I have opened up some ports for
asterisk to run.

In essence no traffic should connect to it except from my country .nz

Is there a way to do this? I see a few websites list some very long
lists of iptables per country.

Cheers

-Al
--
"Beat it punk!"
- Clint Eastwood
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Noel Kuntze
2014-10-02 17:35:48 UTC
Permalink
Hello Al,

Yes, that is possible. Get the list of subnets that is assigned to the ISPs in
New Zealand and put it into an ipset. Then match on said ipset with the "set"
match module.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Noel Kuntze
2014-10-02 17:51:23 UTC
Permalink
Hello Al,

Please keep it on the list.
An ipset is basically external storage in kernel space. It can contain a couple of layer
three and four information, like IP addresses or ports. You can match on said
characteristics with the "set" iptables match module.
You need to load the ipset before you load the rules, otherwise you can't
load them.
Example rules and ipset:

Rule: -A INPUT -m set ! --match-set new-zealand src -j DROP

ipset:
create new-zealand hash:net family inet hashsize 1024 maxelem 65535
add new-zealand 10.0.0.0/8
add new-zealand 172.16.0.0/12

The rule matches on all traffic, that does not come from an IP that is contained in
any of the networks contained in the set "new-zealand".
I don't know what distribution you use, so I can't tell you where it's supposed to go
on your host. On Arch Linux, you have /etc/ipset.conf.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Thanks for the fast reply Noel.
I'm not particularly good with iptables or ipset. Would you mind
providing a little more detail?
Thanks in advance,
-Al
Humberto Jucá
2014-10-02 20:42:08 UTC
Permalink
Hi,

Take a look here:
http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip
Al Grant
2014-10-03 23:58:41 UTC
Permalink
Thanks for that.

I will read up on both.

The number of attacks coming out of China and Russia is amazing.

Cheers

-Al
Al Grant
2014-10-03 23:59:12 UTC
Permalink
I am running Pbx In a Flash (PIAF) which is on Red Hat BTW.
Al Grant
2014-10-05 02:56:35 UTC
Permalink
Hi Noel,

So I have started to read manpages on ipset. It's left me with a few questions.

Could you break the command down into pieces?

I get "ipset create new-Zealand" but why store it as a hash?

What datatypes doesn't net include for example?

The explanation in the manual for the rest " inet hashsize 1024
maxelem 65535" I didn't understand either.

It would be nice to understand what I am doing rather than blindly
copying your commands - where's the learning in that!

The iptables rule I am ok with.

Finally you talk about ipset.conf ? I have installed ipset - but a
"find / -name ipset.conf" didn't find anything so I'm not sure that
file exists anywhere on my system (RedHat).

What should I be adding to ipset.conf when I find it.

Thanks in advance,

-Al
Noel Kuntze
2014-10-05 11:20:53 UTC
Permalink
Hello Al,

I'm going to break it down for you.

The reason for storing it as a hash is that hash:net is the only storage type that only requires a subnet.
Every other type requires either more arguments (hash:net,net, hash:net,port) or doesn't support the :net data type.

You need family inet, because you're working with IPv4 addresses. If you want to work with IPv6 addresses, you need to use
family inet6.

hashsize and maxelem aren't really needed, as I just gave you the default values for those.

If your distro doesn't come with a default ipset.conf file, you should create one.
The file "ipset.conf" just contains the ipset structure with the members.
If you created an ipset using the "ipset" tool, you can store it using "ipset -f <pathToTheSaveFile> save".
To load the ipset before you load the iptables rules, you also need to create a service with the correct dependencies.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
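
One way to produce the ipset.conf contents described in this thread, as an added example that is not code from any poster: it turns per-country delegation records into an `ipset restore` file for the "new-zealand" set. It assumes the subnet list comes in the RIR "delegated" statistics format (registry|cc|type|start|count|date|status); the sample records are constructed from documentation address ranges, and the function names and the "-tmp" set are hypothetical.

```python
"""Added example: build an `ipset restore` file for a per-country allow-list."""
import ipaddress

SET_NAME = "new-zealand"   # set name used in the thread
MAXELEM = 65535            # value posted in the thread
CREATE_OPTS = f"hash:net family inet hashsize 1024 maxelem {MAXELEM}"

# Constructed sample records (documentation prefixes, not real allocations).
SAMPLE_STATS = """\
2|apnic|20141002|6|19830613|20141001|+1000
apnic|*|ipv4|*|5|summary
apnic|NZ|ipv4|192.0.2.0|256|20100101|allocated
apnic|NZ|ipv4|198.51.100.0|128|20100101|allocated
apnic|NZ|ipv4|198.51.100.128|128|20100101|assigned
apnic|AU|ipv4|203.0.113.192|64|20100101|allocated
apnic|NZ|ipv4|203.0.113.0|192|20100101|allocated
apnic|NZ|ipv6|2001:db8::|32|20100101|allocated
"""


def country_networks(stats_text, country):
    """Return the collapsed IPv4 networks delegated to `country`."""
    nets = []
    for line in stats_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7:
            continue                      # summary lines
        _registry, cc, rtype, start, count, _date, status = fields[:7]
        if cc != country or rtype != "ipv4":
            continue                      # other countries, IPv6, version line
        if status not in ("allocated", "assigned"):
            continue
        # For IPv4 the fifth field is an address count, not a prefix length,
        # and it is not always a power of two: split the range into CIDRs.
        first = ipaddress.IPv4Address(start)
        last = first + int(count) - 1     # malformed records raise ValueError
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent and overlapping blocks so the set stays small.
    return list(ipaddress.collapse_addresses(nets))


def restore_script(networks, set_name=SET_NAME):
    """Render `ipset restore` input that refreshes the set atomically."""
    if not networks:
        # With "! --match-set ... -j DROP", an empty set drops everything.
        raise ValueError("refusing to build an empty allow-list")
    if len(networks) > MAXELEM:
        raise ValueError("more networks than maxelem allows")
    tmp = set_name + "-tmp"
    lines = [
        f"create {set_name} {CREATE_OPTS}",
        f"create {tmp} {CREATE_OPTS}",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {net}" for net in networks]
    # swap exchanges the contents, so the iptables rule never sees a
    # half-filled set; the temporary set then holds the old members.
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(restore_script(country_networks(SAMPLE_STATS, "NZ")), end="")
```

The output is meant to be fed to `ipset -exist restore` before the iptables rules are loaded, on the assumption that an already existing set was created with the same options.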
Al Grant
2014-10-09 07:54:52 UTC
Permalink
Thanks Noel.

I got around to doing some more reading about ipset and added your rules.

Looking at counters and having done some testing they are not getting
applied. I say this based on the counters (ie)

https://dpaste.de/9QG0#L21

Should the rules be at the top?

Thanks again

-Al
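
iptables walks a chain from the top and stops at the first rule with a terminating target, so a DROP appended with -A below ACCEPT or REJECT rules that already match the traffic is never reached and its counters stay at zero. The check below is an added example, not code from the thread: the rule listing is constructed (the ruleset behind the paste link is not shown on this page), the Asterisk port rules in it are assumptions, and the function names are hypothetical.

```python
"""Added example: find rules that are evaluated before the set-based DROP."""
import shlex

# Constructed INPUT chain in iptables-save syntax. The last line is the rule
# from the thread, appended with -A as posted.
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m set ! --match-set new-zealand src -j DROP
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse(rules_text):
    """Return (raw_line, tokens) for every '-A <chain> ...' line."""
    rules = []
    for raw in rules_text.splitlines():
        tok = shlex.split(raw)
        if len(tok) >= 2 and tok[0] == "-A":
            rules.append((raw.strip(), tok))
    return rules


def target(tok):
    return tok[tok.index("-j") + 1] if "-j" in tok[:-1] else None


def uses_set(tok, set_name):
    return any(a == "--match-set" and b == set_name for a, b in zip(tok, tok[1:]))


def is_baseline(tok):
    """Loopback and reply traffic, which normally sits above a country filter."""
    for a, b in zip(tok, tok[1:]):
        if a == "-i" and b == "lo":
            return True
        if a in ("--state", "--ctstate"):
            states = set(b.split(","))
            return "ESTABLISHED" in states and "NEW" not in states
    return False


def shadowing_rules(rules_text, set_name, chain="INPUT"):
    """Rules that decide a new packet's fate before the set rule is reached."""
    shadows = []
    for raw, tok in parse(rules_text):
        if tok[1] != chain:
            continue
        if uses_set(tok, set_name):
            return shadows
        if target(tok) in TERMINATING and not is_baseline(tok):
            shadows.append(raw)
    raise LookupError(f"no rule in {chain} references set {set_name!r}")


def move_set_rule_up(rules_text, set_name, chain="INPUT"):
    """Place the set rule directly after the leading baseline rules."""
    parsed = parse(rules_text)
    set_rules = [r for r in parsed if r[1][1] == chain and uses_set(r[1], set_name)]
    others = [r for r in parsed if r not in set_rules]
    pos = 0
    while pos < len(others) and others[pos][1][1] == chain and is_baseline(others[pos][1]):
        pos += 1
    ordered = others[:pos] + set_rules + others[pos:]
    return "\n".join(raw for raw, _ in ordered) + "\n"


if __name__ == "__main__":
    for rule in shadowing_rules(SAMPLE_RULES, "new-zealand"):
        print("evaluated before the country filter:", rule)
    print(move_set_rule_up(SAMPLE_RULES, "new-zealand"), end="")
```

In the constructed chain the three port ACCEPT rules and the catch-all REJECT all fire first; after reordering, only loopback and established traffic bypass the country filter.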
Al Grant
2014-10-05 03:19:54 UTC
Permalink
PS: The Amazon server is NAT'd so I presume I need to add the local
(LAN) subnet to be allowed too?
Al Grant
2014-10-05 04:59:59 UTC
Permalink
"Every expert began as an amateur" - Jeffery Fry

No offence taken.

I have googled it, read the man pages, which didn't explain why for
example those addresses must, or should be stored as hashes - and some
of the other parameters I saw there.

man pages are helpful - but sometimes brief and while they explain the
what, they do not always explain the why.

In terms of my end game which could be best described as enforcement
of whitelist on my Amazon asterisk server, I have also played with
fail2ban, astsec and a few other packages.

I have also actually tried Noel's suggestion.

All in all (admittedly some of it falls outside ipset) I have invested
several hours experimenting with this problem/solution.

I hope this explains my situation and attempts to educate myself so far.

Regards

-Al
Al,
No disrespect but have you taken more than 5min to google what you are
asking for? Also, ipset does have documentation which is easily locatable
--
Payam Chychi
Network Engineer / Security Specialist