Iptables GeoIP for NethServer 7

Any further updates re GeoIP? I keep getting heaps from China.

The instruction above still applies, AFAIK.

Could a stable/integrated package be deployed for this important feature?

2 Likes

@filippo_carletti @davide_marini do you see any drawbacks? Is it worth doing some work on it?

A little up for this feature, which could be really useful for some kinds of applications, IMVHO.

1 Like

The biggest part of the development is about a complex User Interface.
I can do all the work under the hood if an aspiring developer wants to join me.

1 Like

Could nations, continents, ISPs be just… firewall objects? IPFire behaves quite like that.
http://wiki.ipfire.org/en/configuration/firewall/geoip-block

Any update on getting this to work with 7.3.1611?
ftp://195.220.108.108/linux/opensuse/ports/update/13.1/noarch/xtables-geoip-2015.08-2.3.1.noarch.rpm does not exist. Is there an alternate download?

I downloaded and installed xtables-geoip-2015.08-66.4.noarch.rpm and still no luck. I’m getting “ERROR: A country-code require GeoIP Match in your kernel and iptables /etc/shorewall/rules (line 72)”

modinfo xt_geoip
filename: /lib/modules/3.10.0-514.26.2.el7.x86_64/weak-updates/xtables-addons/xt_geoip.ko
alias: ipt_geoip
alias: ip6t_geoip
description: xtables module for geoip match
author: Samuel Jean
author: Nicolas Bouliane
license: GPL
rhelversion: 7.2
srcversion: 67CE5590C8BAA1B9CA961BB
depends:
vermagic: 3.10.0-327.36.2.el7.centos.plus.x86_64 SMP mod_unload modversions

modinfo xt_ndpi
modinfo: ERROR: Module xt_ndpi not found.

Thanks for your help…

AFAIK there is no other ready to use RPM.

You can try this repository (but I guess it will not work for the current kernel):
http://repo.iotti.biz/CentOS/7/x86_64/

Or compile it by yourself:
https://www.kutukupret.com/2016/06/08/centos-7-how-to-install-xtables-addons/

1 Like

Giacomo,

Thanks for the info… I’ll compile my own…

Let us know if it works! :wink:

@kfarmer hi, sorry for bugging you. Have you any kind of news? :slight_smile:

@pike I reply to you quoting Filippo.

@areguera @stephdl @dev_team anyone interested?

1 Like

Michael,

So far I have had no luck at getting it to compile. The sticking point is the xt_TARPIT.o extension. This module is one I would definitely want to have.

“TARPIT captures and holds incoming TCP connections using no local per-connection resources.”

I was trying to compile with
xtables-addons-2.13
Kernel: 3.10.0-693.2.2.el7.x86_64

I believe the issue will be that Red Hat Enterprise kernels have an incompatible API.

It looks like I will be downgrading back to CentOS 6 until 2020, when support ends.

I just reviewed my instructions on a clean system and confirmed that GeoIP works perfectly on 7.3.
I can confirm that the tarpit module doesn’t work by default with the following error:

xt_TARPIT: disagrees about version of symbol ip6_dst_hoplimit
xt_TARPIT: Unknown symbol ip6_dst_hoplimit (err -22)

I suggest you try the centosplus kernel (I will do so soon).

Updated instructions:

yum install http://repo.iotti.biz/CentOS/7/noarch/lux-release-7-1.noarch.rpm
yum install xtables-addons
yum install http://ftp.gwdg.de/pub/opensuse/tumbleweed/repo/oss/suse/noarch/xtables-geoip-2016.09-1.2.noarch.rpm
yum install -y yum-utils
yum-config-manager --disable lux
shorewall show -f capabilities > /etc/shorewall/capabilities

1 Like

The centosplus kernel has the same problem/error as the standard kernel.

EDIT:
I compiled a new kmod-xtables-addons and the tarpit module works as expected.
@kfarmer are you interested in testing the kmod?

Sure, I’ll be happy to test it. Send me a link.

1 Like

After using your update instructions, I tested on a clean system and GeoIP loads on 7.4 with the centosplus kernel and the 3.10.0-693.2.2.el7.x86_64 kernel.

No TARPIT. In /etc/shorewall/capabilities it shows TARPIT_TARGET=
I guess I need your new kmod.

Download:
https://nethservice.nethesis.it/kmod-xtables-addons-2.12-1.el7.centos.3.10.0_514.16.1.el7.x86_64.x86_64.rpm

Please install on a clean machine (or remove the package from lux repo).
Re-run shorewall show -f capabilities > /etc/shorewall/capabilities after install.

Updated instructions:

yum install https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm
yum install xtables-addons akmod-xtables-addons
yum install http://ftp.gwdg.de/pub/opensuse/tumbleweed/repo/oss/suse/noarch/xtables-geoip-2016.09-1.3.noarch.rpm
yum install -y yum-utils
yum-config-manager --disable rpmfusion-free-updates
shorewall show -f capabilities > /etc/shorewall/capabilities

2 Likes
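
A check for the two symptoms reported in this thread (an empty `TARPIT_TARGET=` in the regenerated capabilities file, and an xtables-addons module whose vermagic names a different kernel than the one it is installed under), as an added example that is not part of any post. The function names are hypothetical, `GEOIP_MATCH` is assumed to be the capabilities key for the GeoIP match, and the sample input is constructed, with the module lines copied from the `modinfo` output quoted above.

```shell
#!/bin/sh
# Added example: sanity checks for the xtables-addons setup discussed in this thread.

# cap_enabled FILE KEY: succeed only if KEY=Yes in the saved capabilities file.
# An empty value such as "TARPIT_TARGET=" means Shorewall did not detect it.
cap_enabled() {
    [ "$(sed -n "s/^$2=//p" "$1" | head -n 1)" = "Yes" ]
}

# built_for: read `modinfo` output on stdin, print the kernel release in vermagic.
built_for() {
    awk '$1 == "vermagic:" { print $2; exit }'
}

# check_setup CAPS_FILE MODINFO_FILE RUNNING_KERNEL: print one line per finding.
# GEOIP_MATCH is an assumed key name; TARPIT_TARGET is the key shown in the thread.
check_setup() {
    for key in GEOIP_MATCH TARPIT_TARGET; do
        if cap_enabled "$1" "$key"; then
            echo "OK   $key"
        else
            echo "MISS $key"
        fi
    done
    built=$(built_for < "$2")
    if [ "$built" = "$3" ]; then
        echo "OK   module built for running kernel"
    else
        # Installed via weak-updates: loads only while kernel symbol versions match.
        echo "WARN module built for $built, running $3"
    fi
}

# Constructed sample input (module lines copied from the modinfo output in the thread).
demo() {
    tmp=$(mktemp -d)
    printf 'GEOIP_MATCH=Yes\nTARPIT_TARGET=\n' > "$tmp/capabilities"
    printf '%s\n' \
        'filename: /lib/modules/3.10.0-514.26.2.el7.x86_64/weak-updates/xtables-addons/xt_geoip.ko' \
        'vermagic: 3.10.0-327.36.2.el7.centos.plus.x86_64 SMP mod_unload modversions' \
        > "$tmp/modinfo.txt"
    check_setup "$tmp/capabilities" "$tmp/modinfo.txt" 3.10.0-514.26.2.el7.x86_64
    rm -rf "$tmp"
}

# On a live system (not run here):
#   modinfo xt_geoip > /tmp/modinfo.txt
#   check_setup /etc/shorewall/capabilities /tmp/modinfo.txt "$(uname -r)"
demo
```

A `MISS` line means rules using that match or target will be rejected when Shorewall compiles them; a `WARN` line marks the condition under which a "disagrees about version of symbol" load error like the xt_TARPIT one above can occur.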