I have a mail server that is under attack by spammers. I would like to block all country ip ranges except for those assigned to the US. The problem I see is that you can't create an acl that big without killing the router. So is there a way to craft an acl to accomplish this task?
Any help appreciated.
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Not really. You could in theory attempt to build an access-list based on assignments by the RIRs. With the IPv4 space essentially depleted, there is a lot of IP space that is traded among RIRs and this trend is increasing. Companies with large allocations spanning multiple countries are a problem as well, as are VPNs. You would need to update the access list very frequently, it wouldn't scale well. Various companies attempt to do geolocation based on IP address such as maxmind.com, but their data isn't always accurate. See mild example below.
Dipping MaxMind's database or a similar service, most of which are only available on a paid subscription basis, is best deployed on the server, where each connection is tested by querying the database. This is typically done by DNS lookup on the IP to the geolocation server. Keeping an ACL on the router would result in a very large ACL as well as requiring frequent updates.
Mild example of IP geolocation gone wrong: http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/