====== ip reputation blocklist ======

ipset: https://confluence.jaytaala.com/display/TKB/Using+ipset+to+block+IP+addresses+-+firewall

blacklist scripts: https://github.com/kravietz/blacklist-scripts

====== iptables-mit-ipset-blocklist ======

https://peters-christoph.de/blog/server/iptables-mit-ipset-blocklist/

====== vxlan use case ======

wireguard mtu 1420, vxlan mtu 1350 (overhead 50). Clamp the TCP MSS on SYN packets leaving the bridges so that flows inside the overlay stay below the nested MTU:

<code bash>
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o br-lan -j TCPMSS --set-mss 1200
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o br-overlay02 -j TCPMSS --set-mss 1200
</code>

====== iptables start on boot ======

https://serverfault.com/questions/914493/ubuntu-18-04-doesnt-load-iptables-rules-after-reboot

====== geo blocking ======

You will need to add the iptables support for geolocation. To do so, follow these steps:

<code bash>
apt-get install xtables-addons-common
mkdir /usr/share/xt_geoip
apt-get install libtext-csv-xs-perl unzip
/usr/lib/xtables-addons/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
iptables -A FORWARD -m geoip --src-cc XK -p tcp -m tcp --dport 443 -j ACCEPT
</code>
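For the ip reputation blocklist section above, an added example (not from the linked scripts): it filters a downloaded feed down to well-formed IPv4 entries and emits an ''ipset restore'' script that fills a temporary set and swaps it in atomically, so the live set is never half-empty while an iptables rule matches on it. The set name ''blocklist'', the ''hash:net'' type and the sample feed are assumptions.

```shell
#!/bin/sh
# Added example: build an atomic "ipset restore" script from a reputation feed.
# Assumptions: one IPv4 address or CIDR per line, '#' comments allowed,
# target set is hash:net (name given as the second argument).

# Keep only well-formed IPv4 addresses / CIDRs; drop comments, blank lines and
# anything else, so garbage in a feed cannot abort the whole load.
filter_blocklist() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$1" |
    awk -F'[./]' 'NF == 4 || NF == 5 {
        ok = 1
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
        if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) ok = 0
        if (ok) print $0
    }'
}

# Emit the restore script: fill <set>-tmp, swap it with the live set, then
# destroy the (now old) temporary set. Usage: build_restore LISTFILE SETNAME
build_restore() {
    set_name=$2
    echo "create ${set_name} hash:net family inet -exist"
    echo "create ${set_name}-tmp hash:net family inet -exist"
    echo "flush ${set_name}-tmp"
    filter_blocklist "$1" | sed "s/^/add ${set_name}-tmp /"
    echo "swap ${set_name}-tmp ${set_name}"
    echo "destroy ${set_name}-tmp"
}

# Constructed sample feed containing the kinds of noise real feeds carry.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed reputation feed
203.0.113.0/24
198.51.100.7
999.1.1.1        # octet out of range, dropped
192.0.2.5/40     # prefix too long, dropped
not-an-ip
EOF

# Load with:  build_restore "$SAMPLE" blocklist | ipset restore
# Match with: iptables -I INPUT -m set --match-set blocklist src -j DROP
build_restore "$SAMPLE" blocklist
rm -f "$SAMPLE"
```

Only the two valid entries survive the filter; the generated script creates the sets idempotently (''-exist''), so it can be re-run from cron each time the feed is refreshed.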