
ClearOS Feature Request

GeoIP Blocking

Resolved
0 votes
I can't find this anywhere in ClearOS, but I have used it on other firewall products.

Block all traffic going to port xxx
Allow traffic going to port xxx from 'country code' = US,CA,XL

whitelisting IP addresses with GeoIP is a great way of protecting Exchange servers, web/FTP servers, etc.

really wish ClearOS had the capability
Tuesday, March 09 2021, 05:39 PM
Responses (4)
  • Accepted Answer

    Wednesday, November 01 2023, 02:15 AM - #Permalink
    Resolved
    0 votes
    Yes, however it's a pain to figure out how to set up the firewall rules. Which countries' emails are allowed through and which are blocked? Do you use a whitelist or a blacklist? You could, I think, have separate rules for different ports, but that could get complicated. I am using the United States as an example, even though I am now based in the United Kingdom. Assuming you and your users never leave the country, you can decide to accept incoming emails from anywhere but prevent them from being collected from locations outside the United States.
  • Accepted Answer

    Wednesday, March 10 2021, 02:36 PM - #Permalink
    Resolved
    0 votes
    Based on a forum thread (search "country block"), I created this howto. See what you make of it.

    [edit]
    And avoid lots of iptables rules if you go down your route. Ipset sets are way more efficient.
    [/edit]
  • Accepted Answer

    Wednesday, March 10 2021, 02:02 PM - #Permalink
    Resolved
    0 votes
    I think that whitelisting would produce a smaller rule.

    The idea is to not block countries to all ports, but to block to specifics. For me, it is for Exchange. I need port 80 and 443 open for access to webmail and Remote outlook.
    But I could see users wanting this to stop hacking on FTP servers, SSH, RDP, and others. You might want to lock it down to a specific IP range or your country.


    Block all on port 80
    Allow port 80 if country = US,CA,GB,XL

    I do this using another firewall product (Untangle), but I am moving back to ClearOS as I really like the email and content filtering.



    Right now I am working on a bash script to do this (I have echoes in it to debug):


    #!/bin/bash
    # Define chain to allow a country
    # Usage: ./Allow-geoip.sh <country name> <zone file>
    # The iptables commands are echoed rather than run, for debugging.

    echo "iptables -N Allow-Country-$1"
    # One ACCEPT rule per CIDR line in the zone file
    while read -r y
    do
    echo "iptables -A Allow-Country-$1 -s $y -j ACCEPT"
    done < "$2"
    echo "iptables -A Allow-Country-$1 -j DROP"

    # Send inbound port 80 traffic through the new chain
    echo "iptables -A INPUT -p tcp --dport 80 -j Allow-Country-$1"


    Execute like:
    ./Allow-geoip.sh Canada ca.zone

    this will create a new chain called Allow-Country-Canada and create 4700 CIDR range entries (Canada zone file) to allow, like 216.181.240.0/21

    I think that it would be lower resources on iptables to have 4700 whitelisted IP ranges than it would be to block 100's of thousands of ranges for multiple countries.

    I was going to do something similar on my Exchange server, but it seems like Windows Firewall doesn't process rules in order and the best you can do is block IPs.


    Thoughts?

    Joe
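An added example, not from this thread and not ClearOS code, of the ipset approach Nick suggests applied to Joe's per-country zone file and "block all on port 80, allow if country = ..." rule: the CIDRs go into a hash:net set and a single iptables rule matches the port against it. It assumes standard ipset and iptables syntax (the ipset "-exist" option and the "-m set --match-set" match are real); the set name allow-<country>, the helper names and the sample zone file are my own choices, and like Joe's script it echoes the commands instead of running them.

```shell
#!/bin/sh
# Print the ipset + iptables commands that allow one TCP port only from the
# CIDR ranges in a country zone file (one CIDR per line, like Joe's ca.zone).
# Commands are echoed rather than run, in the style of Joe's debug script;
# pipe the output to sh once it looks right.

# valid_cidr a.b.c.d/nn -> returns 0 if every octet is 0-255 and the prefix 0-32
valid_cidr() {
    ip=${1%/*}
    prefix=${1#*/}
    [ "$ip" != "$1" ] || return 1               # no "/" at all
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -f; set -- $ip; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# gen_allow_rules COUNTRY ZONEFILE PORT
# Malformed zone lines are reported on stderr and skipped rather than handed
# to ipset, where one bad entry would abort the whole load.
gen_allow_rules() {
    set_name="allow-$1"; zone=$2; port=$3
    echo "ipset create $set_name hash:net -exist"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')   # drop comments, blanks
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            echo "ipset add $set_name $entry -exist"
        else
            echo "skipping malformed entry: $entry" >&2
        fi
    done < "$zone"
    # One rule per port instead of one per CIDR: the kernel hashes the source
    # address into the set, so 4700 ranges cost a single iptables rule.
    echo "iptables -A INPUT -p tcp --dport $port -m set --match-set $set_name src -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample zone (not a real GeoIP feed): two good entries, two bad.
SAMPLE_ZONE=$(mktemp)
printf '%s\n' '216.181.240.0/21' '# comment line' '10.0.0.0/8' '999.1.1.1/24' 'junk' > "$SAMPLE_ZONE"
gen_allow_rules Canada "$SAMPLE_ZONE" 80
```

Replace the sample file with a real zone file and the DROP rule with whatever default your INPUT chain already has; the set can be refreshed later with "ipset add ... -exist" without touching the iptables rule.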
  • Accepted Answer

    Tuesday, March 09 2021, 05:57 PM - #Permalink
    Resolved
    0 votes
    Agree, but crafting the firewall rules is a PITA. Do you whitelist or blacklist, e.g. do you allow all mail from the US or block all mail from CN, RU etc.? I suppose you could have multiple rules for multiple ports, but it can get to be a pain to manage. I'm picking on the US but I live in the UK; I am just using this as an example. You may want to allow inbound e-mails from anywhere but block picking up e-mails from anywhere outside the US because you know that you and your users never travel outside the US.