Any further updates re GeoIP? I keep getting heaps from China.
The instruction above still applies, AFAIK.
Could a stable/integrated package be deployed for this important feature?
A little up for this feature, which could be really useful for some kinds of applications, IMVHO.
The biggest part of the development is about a complex User Interface.
I can do all the work under the hood if an aspiring developer wants to join me.
Could be nations, continents, ISPs just… firewall objects? IPFire behaves quite like that.
http://wiki.ipfire.org/en/configuration/firewall/geoip-block
Any update on getting this to work with 7.3.1611?
ftp://195.220.108.108/linux/opensuse/ports/update/13.1/noarch/xtables-geoip-2015.08-2.3.1.noarch.rpm Does not exist. Is there an alternate download?
I downloaded and installed xtables-geoip-2015.08-66.4.noarch.rpm and still no luck. I’m getting “ERROR: A country-code require GeoIP Match in your kernel and iptables /etc/shorewall/rules (line 72)”
modinfo xt_geoip
filename: /lib/modules/3.10.0-514.26.2.el7.x86_64/weak-updates/xtables-addons/xt_geoip.ko
alias: ipt_geoip
alias: ip6t_geoip
description: xtables module for geoip match
author: Samuel Jean
author: Nicolas Bouliane
license: GPL
rhelversion: 7.2
srcversion: 67CE5590C8BAA1B9CA961BB
depends:
vermagic: 3.10.0-327.36.2.el7.centos.plus.x86_64 SMP mod_unload modversions
modinfo xt_ndpi
modinfo: ERROR: Module xt_ndpi not found.
Thanks for your help…
AFAIK there is no other ready to use RPM.
You can try this repository (but I guess it will not work for the current kernel):
http://repo.iotti.biz/CentOS/7/x86_64/
Or compile it by yourself:
https://www.kutukupret.com/2016/06/08/centos-7-how-to-install-xtables-addons/
Giacomo,
Thanks for the info… I’ll compile my own…
Let us know if it works!
Michael,
So far I have had no luck at getting it to compile. The sticking point is the xt_TARPIT.o extension. This module is one I would definitely want to have.
“TARPIT captures and holds incoming TCP connections using no local per-connection resources.”
I was trying to compile with
xtables-addons-2.13
Kernel: 3.10.0-693.2.2.el7.x86_64
I believe the issue will be that Red Hat Enterprise kernels have an incompatible API.
It looks like I will be downgrading back to CentOS 6 until 2020 when support ends.
I just reviewed my instructions on a clean system and confirmed that GeoIP works perfectly on 7.3.
I can confirm that the tarpit module doesn’t work by default with the following error:
xt_TARPIT: disagrees about version of symbol ip6_dst_hoplimit
xt_TARPIT: Unknown symbol ip6_dst_hoplimit (err -22)
I suggest you try the centosplus kernel (I will do so soon).
Updated instructions:
yum install http://repo.iotti.biz/CentOS/7/noarch/lux-release-7-1.noarch.rpm
yum install xtables-addons
yum install http://ftp.gwdg.de/pub/opensuse/tumbleweed/repo/oss/suse/noarch/xtables-geoip-2016.09-1.2.noarch.rpm
yum install -y yum-utils
yum-config-manager --disable lux
shorewall show -f capabilities > /etc/shorewall/capabilities
The centosplus kernel has the same problem/error as the standard kernel.
EDIT:
I compiled a new kmod-xtables-addons and the tarpit module works as expected.
@kfarmer are you interested in testing the kmod?
Sure, I’ll be happy to test it. Send me a link.
After using your update instructions, I tested on a clean system and GeoIP loads on 7.4 with the Centosplus kernel and the 3.10.0-693.2.2.el7.x86_64 kernel.
No TARPIT. In /etc/shorewall/capabilities it shows TARPIT_TARGET=
I guess I need your new kmod.
Please install on a clean machine (or remove the package from lux repo).
Re-run shorewall show -f capabilities > /etc/shorewall/capabilities
after install.
Updated instructions:
yum install https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm
yum install xtables-addons akmod-xtables-addons
yum install http://ftp.gwdg.de/pub/opensuse/tumbleweed/repo/oss/suse/noarch/xtables-geoip-2016.09-1.3.noarch.rpm
yum install -y yum-utils
yum-config-manager --disable rpmfusion-free-updates
shorewall show -f capabilities > /etc/shorewall/capabilities
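An added example, not part of the thread or of any poster's instructions: a small check for the two symptoms reported above, an empty capability such as `TARPIT_TARGET=` in `/etc/shorewall/capabilities` and an `xt_geoip` module whose `vermagic` names a different kernel than the one in its install path. It parses saved text rather than the live system; the capabilities excerpt is constructed, `GEOIP_MATCH` is an assumed key name, and the running kernel is assumed from the module path in the posted `modinfo` output.

```shell
#!/bin/sh
# Added example, not from the thread. Checks run against saved text,
# so they work offline; the sample data below is constructed.

# cap_enabled FILE NAME: true if the capabilities file has NAME=<non-empty>.
cap_enabled() {
    val=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    [ -n "$val" ]
}

# vermagic_kernel FILE: print the kernel release from modinfo's vermagic line.
vermagic_kernel() {
    awk '$1 == "vermagic:" { print $2; exit }' "$1"
}

# built_for_kernel FILE RELEASE: true if the module was built for RELEASE.
built_for_kernel() {
    [ "$(vermagic_kernel "$1")" = "$2" ]
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
CAPS="$tmp/capabilities"
MODINFO="$tmp/modinfo.txt"

# Constructed capabilities excerpt; GEOIP_MATCH is an assumed key name.
cat > "$CAPS" <<'EOF'
GEOIP_MATCH=Yes
TARPIT_TARGET=
EOF

# Two lines of the modinfo output as posted in the thread.
cat > "$MODINFO" <<'EOF'
filename: /lib/modules/3.10.0-514.26.2.el7.x86_64/weak-updates/xtables-addons/xt_geoip.ko
vermagic: 3.10.0-327.36.2.el7.centos.plus.x86_64 SMP mod_unload modversions
EOF

# Assumed from the module path above; on a live host use $(uname -r).
RUNNING="3.10.0-514.26.2.el7.x86_64"

for cap in GEOIP_MATCH TARPIT_TARGET; do
    if cap_enabled "$CAPS" "$cap"; then echo "$cap: detected"
    else echo "$cap: NOT detected by Shorewall"; fi
done
if built_for_kernel "$MODINFO" "$RUNNING"; then echo "xt_geoip built for running kernel"
else echo "xt_geoip built for $(vermagic_kernel "$MODINFO"), running $RUNNING"; fi
```

On a real host, point `CAPS` at `/etc/shorewall/capabilities` and fill `MODINFO` from `modinfo xt_geoip > file` after re-running `shorewall show -f capabilities`.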