Here is what I finally got, I think it's complete but there may be some
gaps. Also see these references:
https://terminal28.com/how-to-block-countries-using-iptables-debian/
https://linoxide.com/linux-how-to/block-ips-countries-geoip-addons/
http://www.mailserverguru.com/iptables-geoip-blocking-ubuntu-16-04-18-04/
https://stackoverflow.com/questions/54277943/converting-geolite2-data-for-use-with-xtables-geoip
https://github.com/mschmitt/GeoLite2xtables

# Install GeoIP support for iptables
sudo su -
apt-get update && apt-get upgrade
apt-get install curl unzip perl iptables-dev pkg-config \
    xtables-addons-common xtables-addons-dkms \
    libtext-csv-xs-perl libmoosex-types-netaddr-ip-perl libgeoip1
modprobe xt_geoip
# verify it's there
modinfo xt_geoip
# load at boot
echo "xt_geoip" >> /etc/modules

# good idea to reboot, check for any errors, and "modinfo xt_geoip" once more

# Download & install the GeoLite2xtables conversion program

cd /usr/local/src
wget https://github.com/mschmitt/GeoLite2xtables/archive/master.zip
unzip master && rm master.zip
mv GeoLite2xtables-master GeoLite2xtables

# Set up an account at maxmind.com. They give you $5 credit and charge
# $0.00001 per query so it's essentially free. Create a key for
# the Edition GeoLite2-Country. On the downloads page, find the Country
# database in CSV format and note the associated "Permalink".
# GeoLite2xtables already has that Permalink embedded.
# Don't install their geoipupdate program, it doesn't get CSV files, only
# their proprietary ".mmdb" files.

# create the license file for GeoLite2xtables, using your own key of course
cd /usr/local/src/GeoLite2xtables
echo "YOUR_LICENSE_KEY='asdfqxer1234'" >geolite2.license

mkdir -p /usr/share/xt_geoip

# create a script to do the entire download and convert for a new GeoIP
# database
# (Feel free to embellish the script e.g. with some error checking)
cat <<EOF >create-GeoIP-db
#!/bin/bash
# the {4,6} brace expansion below needs bash; stop at the first failed step
set -e
cd /usr/local/src/GeoLite2xtables/
./00_download_geolite2
./10_download_countryinfo
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv | \
    ./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/GeoIP-legacy.csv
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip /usr/share/xt_geoip/GeoIP-legacy.csv
EOF

chmod +x create-GeoIP-db
./create-GeoIP-db

# this should result in two downloads, a count of entries (almost 400,000)
# and a list of entries per country.
# the directories /usr/share/xt_geoip/BE and ./LE should be populated with
# many country files .ipv4 and .ipv6

# assuming it worked ok set it up to run weekly, Monday 5:05 AM (or however
# often and whenever you wish)

cat <<EOF >/etc/cron.d/create-GeoIP-db
# min hr dd mm dayofweek user command  (a cron entry must stay on one line)
5 5 * * 1 root /usr/local/src/GeoLite2xtables/create-GeoIP-db >/var/log/create-GeoIP-db.log 2>&1
EOF

# NOW to test directly with iptables find a convenient chain and line number
# in the existing rules where
# a new rule can be inserted, with proper effect and without locking
# yourself out (if you are working by ssh)

iptables -t filter -n -L |less

# In my case, I did the following test to drop all traffic from China:
iptables -t filter -I INPUT 1 -m geoip --src-cc CN -j DROP

# verify:
iptables -t filter -n -L |less

# Setup for SHOREWALL firewall:

cp /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.bak
sed -i "s/^GEOIPDIR=.*/GEOIPDIR=\/usr\/share\/xt_geoip\/LE/" /etc/shorewall/shorewall.conf

shorewall show capabilities | grep GEOIP
# should produce:   Geo IP Match (GEOIP_MATCH): Available

grep GEO /etc/shorewall/capabilities
# either the file doesn't exist (OK, it's optional) or do the following:
shorewall show -f capabilities > /etc/shorewall/capabilities
# or if the file exists your grep should return GEOIP_MATCH=Yes
# if the result is not "Yes" you need to run the above command

# At the location of your choice in /etc/shorewall/rules insert something
# like (example):
DROP:debug   Dirty:!^[CA,US]   all+
# NOTE: because the test is inverted (!) this will drop all traffic NOT
# originating from the USA or Canada

Enjoy! Norman
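As an added example (not code from Norman's message or from the GeoLite2xtables project), here is a compact Python version of what the 20_convert_geolite2 step above does: resolve each GeoLite2 block to a country through its geonames id and emit the legacy start/end CSV that xt_geoip_build reads. The sample rows are constructed, and the countryInfo.txt column positions (ISO code, name, geonameid) are an assumption about that file's layout.

```python
import csv
import io
import ipaddress

# Constructed excerpt of GeoLite2-Country-Blocks-IPv{4,6}.csv (real column
# layout, sample values): row 2 has an empty geoname_id, row 4 an unknown id.
SAMPLE_BLOCKS = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
1.0.0.0/24,2077456,2077456,,0,0
1.0.1.0/24,,1814991,,0,0
2001:200::/32,1861060,1861060,,0,0
1.0.2.0/23,9999999,9999999,,0,0
"""

# Constructed excerpt of geonames countryInfo.txt: tab-separated, '#' comments,
# ISO code in column 0, name in column 4, geonameid in column 16 (assumed layout).
SAMPLE_COUNTRYINFO = (
    "# ISO\tISO3\tISO-Numeric\tfips\tCountry\t...\tgeonameid\n"
    "AU\tAUS\t036\tAS\tAustralia" + "\t" * 12 + "2077456\t\t\n"
    "CN\tCHN\t156\tCH\tChina" + "\t" * 12 + "1814991\tLA,BT\t\n"
    "JP\tJPN\t392\tJA\tJapan" + "\t" * 12 + "1861060\t\t\n"
)

def load_countryinfo(text):
    """Return {geonameid: (iso_code, country_name)}, skipping comment lines."""
    table = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if line.startswith("#") or len(cols) < 17:
            continue
        table[cols[16]] = (cols[0], cols[4])
    return table

def convert_blocks(blocks_text, countries):
    """GeoLite2 block rows -> legacy rows (start, end, start_int, end_int, cc, name).
    Empty geoname_id falls back to registered_country_geoname_id; unknown ids are
    reported in `skipped` rather than silently dropped from the firewall database."""
    rows, skipped = [], []
    for rec in csv.DictReader(io.StringIO(blocks_text)):
        gid = rec["geoname_id"] or rec["registered_country_geoname_id"]
        if gid not in countries:
            skipped.append(rec["network"])
            continue
        net = ipaddress.ip_network(rec["network"])  # handles both v4 and v6
        lo, hi = net.network_address, net.broadcast_address
        rows.append((str(lo), str(hi), int(lo), int(hi)) + countries[gid])
    return rows, skipped

def to_legacy_csv(rows):
    # all fields quoted, as in the legacy MaxMind country CSV
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(rows)
    return buf.getvalue()
```

Any network listed in `skipped` after a real run is one the firewall will never match, so it is worth logging from the weekly cron job.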

On Fri, Apr 17, 2020 at 3:42 PM Norman Henderson <norm.aud...@gmail.com> wrote:

> Nevermind. Having fixed the xt_tables database files, or more likely
> because of an intervening reboot? Shorewall show capabilities now shows
> GeoIP Yes and accepts the relevant syntax: in my case a whitelist rather
> than blacklist,  DROP:$LOG Dirty:!^[CA,US] all+
>
> For the record: most of the online instructions for setting up GeoIP with
> iptables are outdated; MaxMind changed their database format a few years
> ago.
>
> There is a conversion utility GeoLite2xtables referenced here:
> http://www.mailserverguru.com/iptables-geoip-blocking-ubuntu-16-04-18-04/
> which is also outdated in the sense that MaxMind (due to privacy laws) as of this
> year no longer makes the CSV country file freely downloadable.
>
> It's necessary to sign up for a (free) account. Although their own ".mmdb"
> format can be downloaded automatically and periodically (with an individual
> key and their geoipupdate tool), it looks like the CSV files are only
> available if you log in and download explicitly. Once you have their zip
> file and extract it however, the instructions work from there.
>
>
> The one that can be easily downloaded automatically
>
> On Fri, Apr 17, 2020 at 12:00 PM Norman Henderson <norm.aud...@gmail.com> wrote:
>
>> Just to update: the reboot went badly but for a different reason. It
>> appears the match rule resulting from the ipset was applied before any
>> other rules including a specific rule to allow me to ssh to the machine -
>> so I locked myself out. It's a hosted VM and I have no console access so
>> had to get the friend that hosts it to bail me out.
>>
>> I'm trying a different approach: GeoIP. Following a few sets of
>> instructions I got xt-geoip installed, it shows up in lsmod and modinfo.
>> There are warnings in the logs but several posts suggest they aren't
>> significant:
>> xt_geoip: loading out-of-tree module taints kernel
>> xt_geoip: module verification failed: signature and/or required key
>> missing - tainting kernel
>>
>> The database is present in the directory specified (GEOIPDIR).
>>
>> However: shorewall still complains there is no GeoIP support in the
>> kernel (confirmed by shorewall show capabilities). I do not currently have
>> any /etc/shorewall/capabilities file. If I do the following:
>> iptables  -t filter -I Dirty2Fwall 8 -m geoip --src-cc CN -j DROP
>> I get a different error, Could not open /usr/share/xt_geoip/LE/CN.iv4
>> which is true, I have to sort out why the country files weren't unpacked
>> properly but at least iptables didn't object to the geoip match.
>>
>> Is shorewall just checking the base kernel capabilities without reference
>> to loaded modules? Could I fix that by creating and altering a capabilities
>> file?
>>
>>
>> On Tue, Apr 14, 2020 at 4:34 PM Tom Eastep <teas...@shorewall.net> wrote:
>>
>>> On 4/14/20 3:54 AM, Norman Henderson wrote:
>>> > Thank you Erich, that was the step I missed: dynamic zone. It's working
>>> > OK across shorewall stop/start, I will have to wait until tonight to try
>>> > a reboot.
>>> >
>>> > Tom, I have gone back to SAVE_IPSETS=Yes in shorewall.conf rather than
>>> > using the shorewall-init feature. Is there a reason to use one rather
>>> > than the other?
>>>
>>> If you use an ipset in /etc/shorewall[6]/stoppedrules, then you must use
>>> shorewall-init. Other than that, it is your choice.
>>>
>>> >
>>> > Also, is it OK to add entries using ipset add, which seems to be a lot
>>> > faster than shorewall add ?
>>>
>>> Absolutely.
>>>
>>> -Tom
>>> --
>>> Tom Eastep        \ Q: What do you get when you cross a mobster
>>> Shoreline,         \    with an international standard?
>>> Washington, USA     \ A: Someone who makes you an offer you
>>> http://shorewall.org \    can't understand
>>>                       \________________________________________
>>>
>>> _______________________________________________
>>> Shorewall-users mailing list
>>> Shorewall-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>>
>>