Iptables GeoIP for NethServer 7

filippo_carletti · April 8, 2016, 8:18pm

Brief instructions to add GeoIP support to iptables in NethServer 7.
Thanks to Luigi Iotti for the packages (http://www.iotti.biz/) and to opensuse for the db.

yum install http://repo.iotti.biz/CentOS/7/noarch/lux-release-7-1.noarch.rpm
yum install xtables-addons
yum install ftp://195.220.108.108/linux/opensuse/ports/update/13.1/noarch/xtables-geoip-2015.08-2.3.1.noarch.rpm
eorepo base updates extras epel nethserver-base nethserver-updates

To create firewall rules using countries, follow the howto for 6:

hucky · November 2, 2016, 12:30pm

hmm, maybe also here it is right:

I am on 7.2 RC1 and try to install the GeoIP support. Finished with an error

ERROR: A country-code require GeoIP Match in your kernel and iptables /etc/shorewall/rules (line 89)
And the shorewall stopped.

Any Solution for that?

giacomo · November 2, 2016, 1:33pm

Never tested, but you need to run the standard kernel, not the one with nDPI support (kernel-lt).

P.S. Please do not cross-post

hucky · January 31, 2017, 9:13am

anyone use this in NethServer release 7.3.1611 (Final)? did it work?

pleasetryme · June 6, 2017, 2:42pm

any further updates re geoip i keep getting heaps from china

filippo_carletti · June 6, 2017, 2:55pm

The instruction above still applies, AFAIK.

pike · June 6, 2017, 3:29pm

A stable/integrated package could be deployed about this important feature?

alefattorini · June 6, 2017, 3:50pm

@filippo_carletti @davide_marini do you see any drawbacks? Is it worth doing some work on it?

pike · July 25, 2017, 11:16am

A little up for this feature. Which could be really useful for some kind of applications, IMVHO.

filippo_carletti · July 25, 2017, 12:02pm

The biggest part of the development is about a complex User Interface.
I can do all the work under the hood if an aspiring developer wants to join me.

pike · July 25, 2017, 12:37pm

Could be nations, continents, ISPs just… firewall objects? IpFire behave quite like that.
http://wiki.ipfire.org/en/configuration/firewall/geoip-block

kfarmer · September 3, 2017, 11:23pm

Any update on getting this to work with 7.3.1611?
ftp://195.220.108.108/linux/opensuse/ports/update/13.1/noarch/xtables-geoip-2015.08-2.3.1.noarch.rpm Does not exist. Is there an alternate download?

I downloaded and installed xtables-geoip-2015.08-66.4.noarch.rpm and still no luck. I’m getting “ERROR: A country-code require GeoIP Match in your kernel and iptables /etc/shorewall/rules (line 72)”

modinfo xt_geoip
filename: /lib/modules/3.10.0-514.26.2.el7.x86_64/weak-updates/xtables-addons/xt_geoip.ko
alias: ipt_geoip
alias: ip6t_geoip
description: xtables module for geoip match
author: Samuel Jean
author: Nicolas Bouliane
license: GPL
rhelversion: 7.2
srcversion: 67CE5590C8BAA1B9CA961BB
depends:
vermagic: 3.10.0-327.36.2.el7.centos.plus.x86_64 SMP mod_unload modversions

modinfo xt_ndpi
modinfo: ERROR: Module xt_ndpi not found.

Thanks for your help…

giacomo · September 4, 2017, 9:39am

AFAIK there is no other ready to use RPM.

You can try this repository (but I guess it will not work for the current kernel):
http://repo.iotti.biz/CentOS/7/x86_64/

Or compile it by yourself:
https://www.kutukupret.com/2016/06/08/centos-7-how-to-install-xtables-addons/

kfarmer · September 4, 2017, 4:14pm

Giacomo,

Thanks for the info… I’ll compile my own…

giacomo · September 5, 2017, 3:13pm

Let us know if it works!

pike · September 18, 2017, 1:36pm

@kfarmer hi, sorry for bugging you. Have you any kind of news?

alefattorini · September 19, 2017, 1:38pm

@pike I reply to you quoting Filippo.

@areguera @stephdl @dev_team anyone interested?

kfarmer · September 19, 2017, 1:46pm

Michael,

So far I have had no luck at getting it to compile. The sticking point is the xt_TARPIT.o extension. This module is one I would definitely want to have.

“TARPIT captures and holds incoming TCP connections using no local per-connection resources.”

I’m was trying to compile with
xtables-addons-2.13
Kernel: 3.10.0-693.2.2.el7.x86_64

I believe the issue will be Redhat Enterprise kernels have an incompatible API.

It looks like I will downgrading back to Centos 6 until 2020 when support ends.

filippo_carletti · September 19, 2017, 2:24pm

I just reviewed my instructions on a clean system and confirmed that GeoIP works perfectly on 7.3.
I can confirm that the tarpit module doesn’t work by default with the following error:

xt_TARPIT: disagrees about version of symbol ip6_dst_hoplimit
xt_TARPIT: Unknown symbol ip6_dst_hoplimit (err -22)

I suggest you to try to centosplus kernel (I will do soon).

Updated instructions:

yum install http://repo.iotti.biz/CentOS/7/noarch/lux-release-7-1.noarch.rpm
yum install xtables-addons
yum install http://ftp.gwdg.de/pub/opensuse/tumbleweed/repo/oss/suse/noarch/xtables-geoip-2016.09-1.2.noarch.rpm
yum install -y yum-utils
yum-config-manager --disable lux
shorewall show -f capabilities > /etc/shorewall/capabilities

filippo_carletti · September 19, 2017, 2:49pm

The centosplus kernel has the same problem/error of the standard kernel.

EDIT:
I compiled a new kmod-xtables-addons and the tarpit module works as expected.
@kfarmer are you interested in testing the kmod?