Showing posts with label DROP. Show all posts

Tuesday, February 12, 2013

Iptables and Blocking by Region

I'm tired of seeing certain network ranges always peppering my linux server, so I'm going to experiment with blocking via region.  I've seen several hints/tips but I want to do this with the server not taking too much of a hit.  Note that I'm mainly concerned with traffic that I typically allow, such as port 80.  I could block via apache, which may well work, but I also want to investigate using iptables.

So far, I've found:


  1. http://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
  2. http://www.parkansky.com/china.htm
  3. http://www.webhostingtalk.com/showthread.php?t=1146401 (and http://www.jsimmons.co.uk/2010/06/08/using-ipset-with-iptables-in-ubuntu-lts-1004-to-block-large-ip-ranges/)
  4. I could possibly use tcpwrappers as well, but I'm not sure tcpwrappers can handle the amount of ranges I want to block.


Solution #1 seems a bit too hackish.  As well, the server may take a performance hit if I decide to drop more than one region (China's netranges are broad enough as it is).

Solution #2 might not be so bad, as it leverages the htaccess function.  I've no idea how performance-intensive this method is, but it may be worth looking into.  A con is that I also run a mail server...this method won't work for mail.

Solution #3 looks good.  This method uses iptables and ipset.  Ipset lessens the performance hit when blocking thousands of IPs.

So, before hitting the bed, I decided to give solution #3 a shot.  I immediately found that the tutorial is out-of-date (it caters to Ubuntu 10.04...I'm using 12.04).  I'm attempting to work through it by leveraging the manual pages and 'ipset info', but I'm running into kernel errors such as:


root@li7-220:~# ipset create feckoff hash:ip
ipset v6.11: Kernel error received: Invalid argument

I do not have full control over my host (it is running on a linode, and the modules are locked down).  I may not be able to use this, but I'll continue to investigate.

EDIT:  Well, I'll be damned!  I got the command to take.  I had to select a more current kernel to boot up (I was using a deprecated Linode kernel).  I guess I should check that more often.  I'll continue this exercise tomorrow...I just have to ensure I've bookmarked all my reference sites.

Saturday, January 05, 2013

PSAD

I decided to give PSAD a spin on the Linode since I've never tried it before.  I'm impressed at the features of it.  I've been running it maybe a bit over a month.  I get alerts whenever PSAD detects a scan or when it logs and drops specific traffic, so I'm aware of what's going on (instead of having to check my firewall logs).  One of the main reasons I decided to give PSAD a spin is because my fwanalog setup stopped working due to a code bug that affects Ubuntu v12.04.

One of the things I've been doing (I used to do this in the past) is I send my dropped logs to Dshield.org (or isc.sans.org).  One of PSAD's features enables me to send the logs, vs. using third-party or Dshield apps.

I noticed when sending my logs that I'm catching bidirectional traffic and my server IP is being flagged as a result.  Why?  I was blocking 118.0.0.0/8 (a large segment of APAC).  I was not only blocking but sending resets, which requires my firewall to send resets, which means my IP is talking back, even though it's ending the session.  My firewall logs it as a drop.  To fix this, I just configured the firewall to drop the traffic, although I could've just changed the --log-prefix tag to something other than DROP, which by default PSAD looks for.  I'll monitor the Dshield logs to see how PSAD is now reporting.
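Putting the ipset approach from the February post together with the DROP-rather-than-reset and --log-prefix point from the PSAD post, here is an added example (not from either post or from the linked tutorials): a POSIX shell script that turns a plain-text list of CIDR ranges into an `ipset restore` file plus the matching iptables rules, printing them for review rather than applying them. The set name blocked_regions, the chain name REGION_BLOCK and the log prefix are my assumptions.

```shell
#!/bin/sh
# Build an `ipset restore` file and matching iptables rules from a text file of
# CIDR ranges (one per line; blank lines and '#' comments allowed). Nothing is
# applied: review the output, then as root run `ipset -exist restore < file`.

SET_NAME="${SET_NAME:-blocked_regions}"   # assumed set name
CHAIN="${CHAIN:-REGION_BLOCK}"            # assumed chain name

# Print only syntactically valid IPv4 CIDRs, normalised to a.b.c.d/nn.
# Invalid lines go to stderr and are dropped so a typo never reaches ipset.
valid_cidrs() {
    awk '
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
    $0 == "" { next }
    {
        n = split($0, p, "/")
        ok = (n == 1 || n == 2) && split(p[1], o, ".") == 4
        for (i = 1; ok && i <= 4; i++) ok = (o[i] ~ /^[0-9]+$/ && o[i] + 0 <= 255)
        if (ok && n == 2) ok = (p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32)
        if (ok) print (n == 1 ? ($0 "/32") : $0)
        else print "skipping invalid entry: " $0 > "/dev/stderr"
    }' "$1"
}

# hash:net stores whole ranges, so 118.0.0.0/8 is one entry, not 16 million,
# and the kernel lookup cost does not grow with the number of blocked regions.
ipset_restore_script() {
    echo "create $SET_NAME hash:net family inet hashsize 1024 maxelem 65536"
    valid_cidrs "$1" | while IFS= read -r cidr; do
        echo "add $SET_NAME $cidr"
    done
}

# One set match in INPUT, a rate-limited LOG with the "DROP" prefix PSAD looks
# for, then a silent DROP. Using REJECT --reject-with tcp-reset instead would
# make the server answer the probe, which is what got the host's own IP
# reported to Dshield in the PSAD post.
iptables_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix "DROP region: "
iptables -A $CHAIN -j DROP
iptables -I INPUT -m set --match-set $SET_NAME src -j $CHAIN
EOF
}

if [ "$#" -ge 1 ]; then
    ipset_restore_script "$1"
    iptables_rules
fi
```

Run it as `sh block.sh ranges.txt > review.txt` and inspect review.txt before feeding the `create`/`add` lines to `ipset -exist restore` and executing the iptables lines.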