IPTABLES + IPSET =

About ME

why am i doing this talk?

• to share how i used iptables+ipset to enforce geofencing & vastly reduced spam & attacks on my mail server
• to acquire a plethora of free advise from you on how to improve the above (security, latency, loopholes, etc)
• to use the word plethora in public

something something cloud (just to validate this presentation)

your part:

• interject w/ questions, insights, advise, corrections, nonsense at any point immediately. (i have the memory of an elephant, but one w/ advanced stage alzheimers - i wont remember in 5 min.)
• its not really a bullet list if you dont have at least 2 points

You will need:

• a brain
• a tolerance for sidebars & aberrant witticism
• a linux host w/ terminal of your choice (i dont do windoze & GUIs make me suspect you didnt bring the 1st item on this list)

You will need:

• a planet full of bots, script kiddies, & nefarious underminers seeking to infiltrate aforementioned host (i will provide you one free if cant find your own)

SIDEBAR ALERT:
how indolent is a world which granted this app popularity?

things i will cover:

• basic iptables rules & chains
• why & how to use ipset
• geofencing
• my car in a hail storm
• my lies

things i will not cover:

• why iptables?
• why are there so many video games with rodents as protagonists?
• the lost art of vote counting in florida.
• why did disney cast someone who cant walk to play a hirsute biped who never speaks & whose face we never see?

Linux

iptables basics

• rules
• chains
• nat, mangle, filter
• forward, input, output chains
• the drawback: latency (or whatever the pseudo-sophisticated term is for "this crap is slow!")

Hardcore Command Line Action

ipset (iptables on steroids)

• if you want to store multiple IPs or ports and match against the collection by iptables; dynamically update iptables rules against IPs or ports without performance penalty; express complex IPs and ports based rulesets with one single iptables rule (to rule them all!), then ipset is for you.
• if you want hallucinations & paranoid delusions, then meth is for you.

why is ipset faster?
linear vs non linear

Geofencing

• choose a strategy: whitelist vs blacklist
• zone files
• ipdeny.com is your friend
• SIDEBAR ALERT ...

Who would win a tag team wrestling match btwn Indiana Jones & Superman vs Han Solo & The Hulk? (Which is all the more interesting b/c there'd only be 3 total people in the ring.)
(oh no, an apostrophe!)

ipset zone file

• IP country address block aggregation vs the dumber way. Aggregating multiple smaller blocks into larger IP prefixes increases performance.
• Why? Reduces: firewall rules (which thus inspects each IP packet faster), memory usage, network buffers, CPU load.

ipset zone file (p2)

• http://www.ipdeny.com/ipblocks/data/aggregated/
• USA total IP block allocations ~46000 vs ~15400 aggregated IP prefixes
• Australia ~6500 vs ~4300 aggregated
• Canada ~6900 vs ~3600 aggregated
• North Korea ~1M man army vs 1 Dennis Rodman visit

ipset zone file (p3)

• whitelisting hosts via zone files
• integrating ipset into your iptables
• lets check the logs for results

More Hardcore Command Line Action

why haiku deck sux

• piss poor editor, cant even format the text (font, alignment, size, nada!)
• cant event insert list entries, can only add
• raises my BP (w/o any of the benefits of narcotics)
• makes me want to buy implements of death as pictured here
• just another overrated slide slow tool (see? i want #5 to be #3 but cant insert!)

adios!