    I think that whitelisting would produce a smaller rule.

    The idea is to not block countries on all ports, but to block them on specific ones. For me, it is for Exchange. I need ports 80 and 443 open for access to webmail and remote Outlook.
    But I could see users wanting this to stop hacking on FTP servers, SSH, RDP, and others. You might want to lock it down to a specific IP range or your country:

    Block all on port 80
    Allow port 80 if country = US,CA,GB,XL

    I do this using another firewall product (Untangle), but I am moving back to ClearOS as I really like the email and content filtering.

    Right now I am working on a bash script to do this (I have echos in it to debug):

    #!/bin/bash
    # Usage: script COUNTRY ZONEFILE  (zone file: one CIDR range per line)
    # Define chain to allow a country

    echo "iptables -N Allow-Country-$1"
    while read y
    do
        echo "iptables -A Allow-Country-$1 -s $y -j ACCEPT"
    done < "$2"
    # Anything not whitelisted above is dropped
    echo "iptables -A Allow-Country-$1 -j DROP"

    # Send all inbound port 80 traffic through the country chain
    echo "iptables -A INPUT -p tcp --dport 80 -j Allow-Country-$1"

    Execute like:
    ./ Canada

    This will create a new chain called Allow-Country-Canada and create 4700 CIDR range entries (from the Canada zone file) to allow, like

    I think that it would be lighter on iptables to have 4700 whitelisted IP ranges than it would be to block hundreds of thousands of ranges for multiple countries.

    I was going to do something similar on my Exchange server, but it seems like Windows Firewall doesn't process rules in order and the best you can do is block IPs.
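The per-country chain described in the post above, carried through as an added example that is not code from the original post or from ClearOS. It reads a zone file of CIDR ranges, validates each entry before it becomes a rule, and prints the iptables commands for review instead of running them. It also shows the same policy built on an ipset, which keeps the rule count constant no matter how many prefixes the zone file holds. The zone-file format (one IPv4 CIDR per line, `#` comments), the function names and the sample ranges are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Turns a per-country CIDR
# zone file into iptables (and ipset) commands for the "block port 80 unless
# the source is in the country whitelist" policy described above. Commands
# are printed for review rather than executed.
# Assumed zone-file format: one IPv4 CIDR per line; '#' comments and blank
# lines are ignored. Malformed lines are reported on stderr and skipped.

# Return 0 if $1 is a.b.c.d/n with every octet in 0-255 and n in 0-32.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the validated CIDRs from zone file $1, one per line.
valid_cidrs() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if is_cidr "$line"; then
            printf '%s\n' "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# One rule per prefix, the layout used in the post: a per-country chain that
# ACCEPTs listed sources, DROPs everything else, and is hooked into INPUT
# for TCP port $3.
emit_chain_rules() {
    chain="Allow-Country-$1"
    echo "iptables -N $chain"
    valid_cidrs "$2" | while IFS= read -r cidr; do
        echo "iptables -A $chain -s $cidr -j ACCEPT"
    done
    echo "iptables -A $chain -j DROP"
    echo "iptables -A INPUT -p tcp --dport $3 -j $chain"
}

# Same policy with a single set lookup: a hash:net ipset holds the prefixes
# and one INPUT rule drops port-$3 traffic whose source is not in the set.
emit_ipset_rules() {
    setname="country-$1"
    echo "ipset create $setname hash:net"
    valid_cidrs "$2" | while IFS= read -r cidr; do
        echo "ipset add $setname $cidr"
    done
    echo "iptables -A INPUT -p tcp --dport $3 -m set ! --match-set $setname src -j DROP"
}

# Constructed sample zone file (documentation ranges, not a real allocation).
ZONE=$(mktemp)
trap 'rm -f "$ZONE"' EXIT
cat > "$ZONE" <<'EOF'
# constructed sample, not a real country allocation
192.0.2.0/24
198.51.100.0/25
203.0.113.0/24    # trailing comment is ignored
not-a-cidr
10.0.0.0/33
EOF

# Number of ACCEPT rules generated for the sample (3 valid prefixes).
count_accept_rules() {
    emit_chain_rules Canada "$ZONE" 80 2>/dev/null | grep -c -- '-j ACCEPT'
}

emit_chain_rules Canada "$ZONE" 80
emit_ipset_rules Canada "$ZONE" 80
```

Running it prints both rule sets for the sample and reports the two malformed lines on stderr. Validating before emitting matters because a stray line in a downloaded zone file would otherwise turn into a broken or overly broad `-s` match; the ipset form is the one to reach for when the whitelist runs to thousands of prefixes, since the kernel evaluates one rule instead of walking the whole chain per packet.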

