odborg Tux's lil' helper
Joined: 12 Apr 2002 Posts: 89 Location: Aalborg, Denmark
Posted: Wed May 25, 2005 3:08 am Post subject: HOWTO: Blocking access to ports by country
In short this HOWTO will show how you can block connections from one or more countries by using iptables and geoip, such as blocking all traffic on port 22 not originating from an IP in your country (currently less than 0,1% of login attempts on my home server are from my country).
0. Prereq:
I guess it's a good idea if you know something about iptables and kernel compiling.
Personally I don't know too much about iptables, so you may get by easily as well.
1. Compiling in geoip support (you need to perform this step every time you upgrade your kernel or iptables):
Geoip support isn't standard in iptables so you need to manually add it.
First check that the extensions USE flag is set:
Code:
emerge -pv iptables
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] net-firewall/iptables-1.2.11-r3 -debug +extensions -ipv6 -static 0 kB
Replace $VERSION with the current stable version and unpack the iptables source:
Code:
ebuild /usr/portage/net-firewall/iptables/iptables-$VERSION.ebuild unpack
Download and unpack the newest patch-o-matic-ng (not in portage) from netfilter.org. The netfilter project ceased to issue 'official' patch-o-matic-ng releases, so just get the newest (patch-o-matic-ng-20050523.tar.bz2 worked for me).
Code:
wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-$DATE.tar.bz2
tar xvjf patch-o-matic-ng-$DATE.tar.bz2
Now update your kernel and iptables:
Code:
cd patch-o-matic-ng-$DATE
IPTABLES_DIR=/var/tmp/portage/iptables-$VERSION/work/iptables-1.2.11/ KERNEL_DIR=/usr/src/linux ./runme geoip
cd /usr/src/linux
make oldconfig        # select m when prompted about geoip
make modules          # build the new geoip module; modules_install alone only copies already-built modules
make modules_install
ebuild /usr/portage/net-firewall/iptables/iptables-1.2.11-r3.ebuild install
ebuild /usr/portage/net-firewall/iptables/iptables-1.2.11-r3.ebuild qmerge
2. Getting the database:
A database of the relation between IPs and countries is needed:
Code:
wget http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
wget http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
unzip GeoIPCountryCSV.zip
tar zxvf csv2bin-20041103.tar.gz
cd csv2bin && make && cd ..
csv2bin/csv2bin GeoIPCountryWhois.csv
mkdir /var/geoip; cp geoipdb.bin geoipdb.idx /var/geoip   # /var/geoip PATH IS HARD CODED IN THE SOURCE
3. Setting up your firewall:
You should now have the necessary software. Next you need to add some rules to your firewall. The example below will:
1. Create a chain called GEOIP
2. Set up logging for connections outside Denmark with the prefix "GeoIP(Other):" in the GEOIP chain
3. Set up logging for connections inside Denmark with the prefix "GeoIP(DK):" in the GEOIP chain
4. Run incoming tcp traffic on port 22 of interface eth0 through GEOIP
Code:
iptables -N GEOIP
iptables -A GEOIP -m geoip ! --src-cc DK -j LOG --log-prefix 'GeoIP(Other):'
iptables -A GEOIP -m geoip --src-cc DK -j LOG --log-prefix 'GeoIP(DK):'
iptables -A INPUT -p tcp --dport 22 -i eth0 -j GEOIP
Multiple countries can be specified as a comma separated list (no spaces, and a max of 15 I think). Find your country code at http://www.iso.org/iso/en/prods-services/iso3166ma/02iso-3166-code-lists/list-en1.htm.
If you just wish to drop packets, add the line below. If you don't want to log access on port 22, remove the second and third lines in the example above. Actually I haven't tried dropping packets yet myself, but this should work - I think.
Code:
iptables -A GEOIP -m geoip ! --src-cc DK -j DROP
I'm sure there are errors or missing steps in this HOWTO. Point them out and I will try to correct them.
Suggestions/tips are welcome.
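An added example for steps 2 and 3 (my own code, not from the HOWTO, the iptables geoip match or MaxMind): a Python script that does in user space what csv2bin and the kernel match do together. It parses rows laid out like the MaxMind GeoIPCountryWhois.csv (start IP, end IP, start number, end number, country code, country name), resolves a source IP to a country code by binary search over the numeric range columns, and then runs that lookup over kernel log lines carrying the "GeoIP(...)" prefixes from the rules above, so you can cross-check what the rule logged against what the database says and see how much of the port-22 noise came from your own country. The CSV rows, the 10.x ranges and the log lines are all constructed for the example; IPs that no range covers are reported as "??".

```python
import bisect
import csv
import io
import ipaddress
import re

# Constructed sample rows in the column layout of MaxMind's legacy
# GeoIPCountryWhois.csv: "start ip","end ip","start num","end num","cc","country".
# The address ranges are invented for this example, not real allocations.
SAMPLE_CSV = '''"10.0.0.0","10.0.255.255","167772160","167837695","DK","Denmark"
"10.1.0.0","10.1.255.255","167837696","167903231","DE","Germany"
"10.2.0.0","10.2.127.255","167903232","167935999","US","United States"
'''

# Constructed kernel log lines in the shape the LOG target writes with the
# HOWTO's prefixes (no space between the prefix and "IN=" because the
# prefix itself has no trailing space).
SAMPLE_LOG = '''May 25 03:08:01 host kernel: GeoIP(DK):IN=eth0 OUT= SRC=10.0.4.7 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=22
May 25 03:08:05 host kernel: GeoIP(Other):IN=eth0 OUT= SRC=10.1.9.3 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=22
May 25 03:08:09 host kernel: GeoIP(Other):IN=eth0 OUT= SRC=10.2.1.1 DST=10.0.0.1 PROTO=TCP SPT=52000 DPT=22
May 25 03:08:12 host kernel: GeoIP(Other):IN=eth0 OUT= SRC=10.9.9.9 DST=10.0.0.1 PROTO=TCP SPT=53000 DPT=22
May 25 03:08:15 host sshd[123]: unrelated line without a GeoIP prefix
'''

LOG_RE = re.compile(r'GeoIP\((?P<tag>[^)]+)\):.*?\bSRC=(?P<src>[0-9.]+)')


class GeoIPTable:
    """IP range -> country code table built from the CSV, searched by bisection.

    The numeric start/end columns (fields 3 and 4) are what csv2bin keeps and
    what makes a binary search over the ranges possible.
    """

    def __init__(self, csv_text):
        rows = []
        for fields in csv.reader(io.StringIO(csv_text)):
            if len(fields) < 5:
                continue  # blank or malformed line
            rows.append((int(fields[2]), int(fields[3]), fields[4]))
        rows.sort()  # by start address; the ranges do not overlap
        self.rows = rows
        self.starts = [r[0] for r in rows]

    def country_of(self, ip):
        """Return the two-letter code for ip, or None if no range covers it."""
        try:
            n = int(ipaddress.IPv4Address(ip))
        except ValueError:
            return None  # not a well-formed IPv4 address
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.rows[i][0] <= n <= self.rows[i][1]:
            return self.rows[i][2]
        return None


def summarize_log(table, log_text):
    """Count GeoIP-prefixed log lines per source country ('??' = not in db)."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not one of our GEOIP chain log lines
        cc = table.country_of(m.group('src')) or '??'
        counts[cc] = counts.get(cc, 0) + 1
    return counts


def home_share(counts, home_cc='DK'):
    """Fraction of logged attempts that came from home_cc (the HOWTO's '0,1%' figure)."""
    total = sum(counts.values())
    return counts.get(home_cc, 0) / total if total else 0.0


if __name__ == '__main__':
    table = GeoIPTable(SAMPLE_CSV)
    counts = summarize_log(table, SAMPLE_LOG)
    print(counts, 'home share: %.0f%%' % (100 * home_share(counts)))
```

Point it at the real GeoIPCountryWhois.csv and /var/log/messages to check that the country the kernel match assigned agrees with the database the rules were built from; a mismatch usually means the files in /var/geoip are older than the CSV you are looking at.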
nephros Advocate
Joined: 07 Feb 2003 Posts: 2139 Location: Graz, Austria (Europe - no kangaroos.)
Posted: Wed May 25, 2005 7:23 am Post subject:
Does GeoIP handle "international" addresses (org, com, info ...) as well?
_________________
Please put [SOLVED] in your topic if you are a moron.
Chaosite Guru
Joined: 13 Dec 2003 Posts: 540 Location: Right over here.
Posted: Wed May 25, 2005 9:35 am Post subject:
nephros wrote:
    Does GeoIP handle "international" addresses (org, com, info ...) as well?
I don't think it's based on domain names at all.
IP addresses, rather...
Back to top |
|
|
odborg Tux's lil' helper
Joined: 12 Apr 2002 Posts: 89 Location: Aalborg, Denmark
Posted: Wed May 25, 2005 6:18 pm Post subject:
Quote:
    I don't think it's based on domain names at all.
    IP addresses, rather...
Exactly. Geoip uses a db of the location of an IP address (since a TLD such as .com may be anywhere, you cannot use rev DNS lookups). The fact that most .uk domains are located in the UK and .de in Germany (and so on) is just a matter of convenience.
For instance, if you were to block connections from Denmark (my location) it doesn't matter that I have both a .dk domain and a .com domain, since both IPs are located in Denmark.
So .org, .info, .name, .com, .us, .de, .uk or whatever TLD doesn't really have any meaning to geoip; it just happens that the iptables geoip plugin uses two letters to specify the origin of an IP and that these two letters are often also the ones used in a TLD name.