tlhackque / BlockCountries

iptables manager for IP blocking by country

dns question #9

Closed budgierless closed 8 years ago

budgierless commented 8 years ago

hi, I have a second DNS server that mirrors the primary server which has the BlockCountries script installed on it. What I would like to know is if I need your script installed on the secondary server or not?

When does your script get active, before or after the requests are sent to the DNS?

thanks

tlhackque commented 8 years ago

I haven't a clue what you want to do, and I'm not running a general system management forum.

Install BlockCountries on those systems where you wish, for business reasons, to prevent connections from IP addresses that are registered to certain countries. You need to setup the blocking to match your needs.

Don't install BlockCountries on systems that have other needs. I can't tell you what your business needs.

BlockCountries is documented to implement input filtering, and optionally (with -blockout) output filtering.

With input filtering, as documented, if a TCP connection is admitted, all subsequent traffic on that connection passes. For UDP, responses are permitted. This is implemented by netfilter/iptables, not BlockCountries. For output filtering, the same is true, but the directions are reversed. For details, see their man pages.
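As an added illustration of the netfilter behaviour described above (not code from BlockCountries or its author), the following prints the shape of an input-only block and models netfilter's first-match walk of the INPUT chain. The ipset name is made up, and the rules are printed rather than applied, so it runs without root.

```sh
#!/bin/sh
# Constructed example: input-only country blocking under netfilter conntrack.

# Print the INPUT-side rules for one blocked set. $1 = ipset name holding the
# country's CIDRs (assumed to have been created as `ipset create <name> hash:net`).
gen_input_rules() {
    set_name=$1
    # Replies to connections this host started (TCP or UDP) are accepted before
    # any country check; that is conntrack's doing, not the blocking script's.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only NEW inbound packets from the blocked ranges are dropped.
    echo "iptables -A INPUT -m set --match-set $set_name src -m conntrack --ctstate NEW -j DROP"
}

# The same ordered policy as "ctstate|src-in-blocked-set|verdict"; '*' matches anything.
INPUT_POLICY="ESTABLISHED|*|ACCEPT
RELATED|*|ACCEPT
NEW|yes|DROP"

# First-match evaluation, as netfilter walks a chain. $1 = conntrack state of the
# packet (NEW|ESTABLISHED|RELATED), $2 = yes|no, whether the source address is in
# the blocked set. Falls through to the chain policy (ACCEPT) if nothing matches.
input_verdict() {
    while IFS='|' read -r st inset v; do
        [ "$st" = '*' ] || [ "$st" = "$1" ] || continue
        [ "$inset" = '*' ] || [ "$inset" = "$2" ] || continue
        echo "$v"
        return 0
    done <<EOF
$INPUT_POLICY
EOF
    echo ACCEPT
}

# Walk-through: a DNS query arriving from a blocked range is NEW and is dropped;
# the reply to a query this host sent to the same range is ESTABLISHED and passes.
gen_input_rules blocked_example
echo "inbound query from blocked range:   $(input_verdict NEW yes)"
echo "reply to our own outbound query:    $(input_verdict ESTABLISHED yes)"
echo "inbound query from unblocked range: $(input_verdict NEW no)"
```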

budgierless commented 8 years ago

yes I'm trying to work out if I need to install it or not, that's why I'm asking at what point does the BlockCountries script trigger and start blocking if it's a blocked country trying to connect? but I think you kinda just did answer the question, TCP stage?

tlhackque commented 8 years ago

The script installs a filter that lasts until either the system is shut down, iptables is reset, or BlockCountries stop is executed.

As long as the filter is installed, all connections are inspected. Inbound, when the remote system tries to connect/send a UDP packet. Outbound, when the local system tries to connect to the remote.

DNS is mostly UDP, though TCP service is also REQUIRED.