GeoIP for use with iptables (Debian 8 Jessie)
Install necessary software
apt-get install libtext-csv-xs-perl xtables-addons-common
Create a weekly cronjob

vi /etc/cron.weekly/maxmind

#!/bin/sh
GEOIP_MIRROR="http://geolite.maxmind.com/download/geoip/database"
TMPDIR=$(mktemp -d /tmp/geoipupdate.XXXXXXXXXX)
wget --no-verbose -t 3 -T 60 "${GEOIP_MIRROR}/GeoIPv6.csv.gz" -O "${TMPDIR}/GeoIPv6.csv.gz"
wget --no-verbose -t 3 -T 60 "${GEOIP_MIRROR}/GeoIPCountryCSV.zip" -O "${TMPDIR}/GeoIPCountryCSV.zip"
gunzip -fdc "${TMPDIR}/GeoIPv6.csv.gz" >> "${TMPDIR}/GeoIPv6.csv"
unzip -o -d "${TMPDIR}" "${TMPDIR}/GeoIPCountryCSV.zip"
mkdir -p /usr/share/xt_geoip
#perl /usr/share/doc/xtables-addons-2.3/geoip/xt_geoip_build -D /usr/share/xt_geoip ${TMPDIR}/GeoIP*.csv
perl /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip "${TMPDIR}"/GeoIP*.csv
[ -d "${TMPDIR}" ] && rm -rf "${TMPDIR}"
Make it executable
chmod +x /etc/cron.weekly/maxmind
Insert geoip rules into the iptables ruleset
iptables -A INPUT -m state --state NEW -m geoip --src-cc CH -m tcp -p tcp --dport 22 -j ACCEPT
Log anything else
iptables -A INPUT -p tcp -m state --state NEW -m geoip ! --source-country CH -m tcp --dport 22 -j LOG --log-prefix "iptables geoip denied: " --log-level 7
Bug hunting
(was on an arm machine, Linux hostname 3.16.0-4-kirkwood #1 Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) armv5tel GNU/Linux)
cat /proc/net/ip_tables_matches
limit
conntrack
conntrack
conntrack
multiport
udplite
udp
tcp
icmp

No geoip, that's not cool.
Solution:
aptitude install module-assistant
*** time to get a cup of coffee ***
module-assistant --verbose --text-mode auto-install xtables-addons
failed, damn
Well then, we take a little barefoot walk:

apt-get install git autoconf automake libtool xutils-dev
git clone git://git.code.sf.net/p/xtables-addons/xtables-addons
cd xtables-addons
libtoolize --force
aclocal
autoheader
autoconf
autoreconf -i
./configure
sudo make install
sudo depmod
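The bug hunting above shows the failure mode that bites here: if the geoip match is not listed in /proc/net/ip_tables_matches (or xt_geoip_build has not produced the tables), `iptables -m geoip` is refused and neither the ACCEPT nor the LOG rule from the ruleset section ends up in the chain. As an added example that is not part of the original page, here is a small POSIX sh preflight that checks both conditions before emitting the page's two port-22 rules. It assumes the /usr/share/xt_geoip/{LE,BE}/CC.iv4 layout written by xt_geoip_build from xtables-addons 2.x (the Debian 8 version); the XT_GEOIP_DIR and IPT_MATCHES variables are my own additions so the paths can be overridden for offline testing.

```shell
#!/bin/sh
# Added example (not from the original page): preflight before loading geoip rules.
# Assumed database layout: $XT_GEOIP_DIR/LE/CC.iv4 and $XT_GEOIP_DIR/BE/CC.iv4
# (xt_geoip_build from xtables-addons 2.x). Both paths are overridable for tests.

XT_GEOIP_DIR="${XT_GEOIP_DIR:-/usr/share/xt_geoip}"
IPT_MATCHES="${IPT_MATCHES:-/proc/net/ip_tables_matches}"

# geoip_match_loaded: succeed only if the kernel exposes the geoip match
# (i.e. xt_geoip.ko is built and loaded); one match name per line in the file.
geoip_match_loaded() {
    [ -r "$IPT_MATCHES" ] && grep -qx geoip "$IPT_MATCHES"
}

# geoip_db_present CC: succeed only if both byte-order variants of the IPv4
# table for country CC exist and are non-empty.
geoip_db_present() {
    cc=$1
    for e in LE BE; do
        [ -s "$XT_GEOIP_DIR/$e/$cc.iv4" ] || return 1
    done
    return 0
}

# geoip_rules CC PORT: print the page's ACCEPT and LOG rules for country CC and
# TCP port PORT, but only when the preflight passes; otherwise print nothing
# and return 1 so a caller (e.g. a firewall script) can stop instead of
# silently running without geoip filtering.
geoip_rules() {
    cc=$1
    port=$2
    geoip_match_loaded || { echo "geoip match not available in kernel" >&2; return 1; }
    geoip_db_present "$cc" || { echo "no xt_geoip database for $cc in $XT_GEOIP_DIR" >&2; return 1; }
    printf 'iptables -A INPUT -m state --state NEW -m geoip --src-cc %s -p tcp --dport %s -j ACCEPT\n' "$cc" "$port"
    printf 'iptables -A INPUT -m state --state NEW -m geoip ! --src-cc %s -p tcp --dport %s -j LOG --log-prefix "iptables geoip denied: " --log-level 7\n' "$cc" "$port"
}

# Usage: geoip_rules CH 22 | sh
```

Note that the LOG target only logs; whether non-CH connections to port 22 are actually refused depends on the INPUT chain's policy or a rule after these two.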
geoip_iptables_blocking.1457450986.txt.gz · Last modified: 2016/03/08 15:29 by admin