Iptables GeoIP support

Preliminary howto to add GeoIP support to firewall, to block traffic by country (to/from selected countries).
Be sure the system is updated before beginning.

Enable epel if not already installed:

yum --enablerepo=extras install epel-release
eorepo centos-base centos-updates nethserver-base nethserver-updates

Install pre-requisites:

yum --enablerepo=epel install perl-Text-CSV_XS unzip

Download tar.gz containing my work (I’ll make an rpm package if there’s interest) and extract files:

wget http://nethservice.nethesis.it/nethserver-geoip.tar.gz
tar -zxvf nethserver-geoip.tar.gz -C /

Install kernel modules:

yum localinstall /tmp/xtables-addons-1.47.1-2.el6.x86_64.rpm

Download GeoIP database (a cron job is installed to automate download every month):

/usr/local/bin/geoip_update.sh

Use custom templates to add shorewall rules to block countries, following the docs:
http://shorewall.net/ISO-3661.html
Be sure to run shorewall restart after expanding the template:

expand-template /etc/shorewall/rules
shorewall restart

Example:

# cat /etc/e-smith/templates-custom/etc/shorewall/rules/55geoip
# block pings to the United Kingdom
DROP:info          $FW          net:^[GB] icmp

Feedback is important, thank you in advance.

7 Likes

Will be great!
Sophos UTM (and others I think, Endian UTM doesn’t have :wink: ) has this, configurable from GUI.

Gabriel

Great Feature!!! :clap::clap::clap::clap::clap::clap::clap::clap::clap::clap::clap:

I’d like try it really soon… thanks for your work!

IIRC, @ArchParks asked for this feature in the past.

This will be cool!

I ran through this and got stuck at this point:
“Be sure to run shorewall restart after expanding the template:”
“cat /etc/e-smith/templates-custom/etc/shorewall/rules/55geoip”

I don’t see that file or that directory? I end up with a directory called “/etc/e-smith/templates-custom” but nothing below that. Am I supposed to create a directory called “/etc/e-smith/templates-custom/etc/shorewall/rules/55geoip”? or a file called “55geoip” in a directory called “/etc/e-smith/templates-custom/etc/shorewall/rules/”

Thanks!

Arch

A file named 55geoip in a directory named /etc/e-smith/templates-custom/etc/shorewall/rules/.

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/rules/
echo "DROP:info          $FW          net:^[GB] icmp" >/etc/e-smith/templates-custom/etc/shorewall/rules/55geoip

Maybe next week, I hope to have an updated howto that will offer full geoip block except a web interface.

Thanks …I’m getting closer!
I was trying to get the format for the 55geoip file and I found this site: http://shorewall.net/ISO-3661.html

In their instructions, they show it formated link this:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
DROP:info net:[1] dmz tcp 25

But in your example above, there seems like less information and it sin a different order than above:

DROP:info $FW net:[2] icmp

Questions:

  1. Can you give an example of one line that would block inbound traffic to port 3389 from county CANADA?
  2. Ditto block traffic to all port from country US?

Thanks!


  1. A1,A2 ↩︎

  2. GB ↩︎

DROP:info net:^[CA] loc tcp 3389
DROP net:^[US] loc

man shorewall-rules for details

Thank you very much for your tests.

I’d like to bump :boom: this discussion, is there any other feedback? @ArchParks @mabeleira @GG_jr

Very interesting, perhaps include it in NetherServer itself. I know when I replace my last Zentyal box, that’s being used as a gateway; this is sure to be one of the first things I add. As I’m tired of seeing my logs filled with relentless attempts to login from China and Russia.

2 Likes

I have implemented this as per the instructions and I get the following error message:

“ERROR: A country-code require GeoIP Match in your kernel and iptables”

Any thought as to what I may have missed and how to fix it?


  1. GB ↩︎

It seems that the geoip kernel module didn’t load. Check /var/log/messages for errors please. Maybe use the command dmesg to see kernel messages.

HI @filippo_carletti,

I have looked in /var/log/messages as well as /var/log/dmesg and there is no errors relating to GeoIP. Are there any other log files the errors may appear in?

While I can’t test geoip right now, I can guess what’s happening.
It’s probably due to using 6.7 while the rpm is for 6.5 or 6.6 (I don’t remember).
Please confirm that

$ modinfo xt_geoip
ERROR: modinfo: could not find module xt_geoip

Then move kernel modules to the current kernel:

mv /lib/modules/2.6.32-504.30.3.el6.x86_64/extra/* /lib/modules/$(uname -r)/extra/
depmod -a

Confirm with modinfo xt_geoip command above that the module is available.

I’ll rebuild the package for 6.7 as time permits.

1 Like

That helped to fix the issue @filippo_carletti! Thanks for the help!

I am on 7.2 RC1 and try to install the GeoIP support. Finished with an error

ERROR: A country-code require GeoIP Match in your kernel and iptables /etc/shorewall/rules (line 89)
And the shorewall stopped.

Any Solution for that?

Have you installed nDPI? You can’t have both ATM. I plan to work on making them live together, but not soon.

ah okay, then i will also stop with my tests. and sorry for the crosspost :flushed:

Question: The Databases for the Geoip are installed, also the geoip folders. Normaly it should be possible to use them with iptable direct, right? If i do it into iptable that way:

iptables -I INPUT 2 -m state --state NEW -m geoip ! --source-country XX,XX,XX -j DROP

The XX,XX,XX are only placeholders

it should be work. what do you think?