On 4/18/20 1:05 AM, Norman Henderson wrote:
> Here is what I finally got, I think it's complete but there may be some
> gaps. Also see these references:
> https://terminal28.com/how-to-block-countries-using-iptables-debian/
> https://linoxide.com/linux-how-to/block-ips-countries-geoip-addons/
> http://www.mailserverguru.com/iptables-geoip-blocking-ubuntu-16-04-18-04/
> https://stackoverflow.com/questions/54277943/converting-geolite2-data-for-use-with-xtables-geoip
> https://github.com/mschmitt/GeoLite2xtables
>
> # Install GeoIP support for iptables
> sudo su -
> apt-get update && apt-get upgrade
> apt-get install curl unzip perl iptables-dev pkg-config \
>     xtables-addons-common xtables-addons-dkms \
>     libtext-csv-xs-perl libmoosex-types-netaddr-ip-perl libgeoip1
> modprobe xt_geoip
> # verify it's there
> modinfo xt_geoip
> # load at boot
> echo "xt_geoip" >> /etc/modules
>
> # good idea to reboot, check for any errors, and "modinfo xt_geoip" once more
>
> # Download & install the GeoLite2xtables conversion program
> cd /usr/local/src
> wget https://github.com/mschmitt/GeoLite2xtables/archive/master.zip
> unzip master && rm master.zip
> mv GeoLite2xtables-master GeoLite2xtables
>
> # Set up an account at maxmind.com. They give you $5 credit and charge
> # $0.00001 per query so it's essentially free. Create a key for the
> # Edition GeoLite2-Country. On the downloads page, find the Country
> # database in CSV format and note the associated "Permalink".
> # GeoLite2xtables already has that Permalink embedded.
> # Don't install their geoipupdate program, it doesn't get CSV files,
> # only their proprietary ".mmdb" files.
>
> # create the license file for GeoLite2xtables, using your own key of course
> cd /usr/local/src/GeoLite2xtables
> echo "YOUR_LICENSE_KEY='asdfqxer1234'" >geolite2.license
>
> mkdir -p /usr/share/xt_geoip
>
> # create a script to do the entire download and convert for a new GeoIP database
> # (Feel free to embellish the script e.g. with some error checking)
> cat <<EOF >create-GeoIP-db
> cd /usr/local/src/GeoLite2xtables/
> ./00_download_geolite2
> ./10_download_countryinfo
> cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv | ./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/GeoIP-legacy.csv
> /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip /usr/share/xt_geoip/GeoIP-legacy.csv
> EOF
>
> chmod +x create-GeoIP-db
> ./create-GeoIP-db
>
> # this should result in two downloads, a count of entries (almost 400,000)
> # and a list of entries per country.
> # the directories /usr/share/xt_geoip/BE and ./LE should be populated with
> # many country files .ipv4 and .ipv6
>
> # assuming it worked ok set it up to run weekly, Monday 5:05 AM (or however
> # often and whenever you wish)
>
> cat <<EOF >/etc/cron.d/create-GeoIP-db
> # min hr dd mm dayofweek user command
> 5 5 * * 1 root /usr/local/src/GeoLite2xtables/create-GeoIP-db >>/var/log/create-GeoIP-db.log 2>&1
> EOF
>
> # NOW to test directly with iptables find a convenient chain and line number
> # in the existing rules where a new rule can be inserted, with proper effect
> # and without locking yourself out (if you are working by ssh)
>
> iptables -t filter -n -L |less
>
> # In my case, I did the following test to drop all traffic from China:
> iptables -t filter -I INPUT 1 -m geoip --src-cc CN -j DROP
>
> # verify:
> iptables -t filter -n -L |less
>
> # Setup for SHOREWALL firewall:
>
> cp /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.bak
> sed -i "s/^GEOIPDIR=.*/GEOIPDIR=\/usr\/share\/xt_geoip\/LE/" /etc/shorewall/shorewall.conf
>
> shorewall show capabilities | grep GEOIP
> # should produce: Geo IP Match (GEOIP_MATCH): Available
>
> grep GEO /etc/shorewall/capabilities
> # either the file doesn't exist (OK, it's optional, or do the following:)
> shorewall show -f capabilities > /etc/shorewall/capabilities
> # or if the file exists your grep should return GEOIP_MATCH=Yes
> # if the result is not "Yes" you need to run the above command
>
> # At the location of your choice in /etc/shorewall/rules insert something
> # like (example):
> DROP:debug Dirty:!^[CA,US] all+
> # NOTE: because the test is inverted (!) this will drop all traffic NOT
> # originating from the USA or Canada
Thanks, Norm! I would add one more caveat - you must download and install the
US database whether you use it or not -- Shorewall uses that database to check
for the GEOIP capability.

-Tom
--
Tom Eastep            \   Q: What do you get when you cross a mobster
Shoreline,             \     with an international standard?
Washington, USA         \   A: Someone who makes you an offer you
http://shorewall.org     \    can't understand
 \________________________________________
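The step in Norm's script that most often goes wrong silently is the CSV conversion: GeoLite2 ships CIDR blocks keyed by GeoNames ids, while the CSV-based xt_geoip_build expects the old six-column "legacy" layout (first address, last address, both as integers, country code, country name). The following is an added example of that conversion with the error checking Norm invites; it is not the GeoLite2xtables project's own 20_convert_geolite2 script. It assumes the geonames countryInfo.txt layout (ISO code in column 0, name in column 4, geonameid in column 16), falls back to registered_country_geoname_id when geoname_id is empty, and drops blocks that have no usable country rather than guessing one. The sample CSV rows and the countryInfo excerpt are constructed so the script runs offline; the file name geolite2_to_legacy.py and its argument order are my choice.

```python
#!/usr/bin/env python3
"""Convert GeoLite2 Country CSVs into the six-column "legacy" GeoIP CSV that
the CSV-based xt_geoip_build consumes. Added example; not the GeoLite2xtables
project's own 20_convert_geolite2 script."""
import csv
import io
import ipaddress
import sys

# Constructed excerpt of GeoLite2-Country-Blocks-IPv4.csv and -IPv6.csv
# (same header in both, so the files can be concatenated as in Norm's script).
# Row 2 has no geoname_id but a registered_country id; the last row has
# neither and must be dropped, not guessed.
SAMPLE_BLOCKS = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
1.0.0.0/24,2077456,2077456,,0,0
1.0.1.0/24,,1814991,,0,0
2001:200::/32,1861060,1861060,,0,0
10.0.0.0/8,,,,0,0
"""


def _countryinfo_line(iso, name, geonameid):
    """Build one tab-separated countryInfo.txt record (constructed sample).
    Assumed layout: ISO code in column 0, country name in column 4,
    geonameid in column 16; the other columns are left empty here."""
    fields = [""] * 19
    fields[0], fields[4], fields[16] = iso, name, str(geonameid)
    return "\t".join(fields)


SAMPLE_COUNTRYINFO = "\n".join([
    "# geonames countryInfo.txt excerpt (constructed)",
    _countryinfo_line("AU", "Australia", 2077456),
    _countryinfo_line("CN", "China", 1814991),
    _countryinfo_line("JP", "Japan", 1861060),
]) + "\n"


def load_country_info(text):
    """Map geonameid -> (ISO 3166-1 alpha-2 code, country name)."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) > 16 and f[16].isdigit():
            table[f[16]] = (f[0], f[4])
    return table


def convert_blocks(blocks_text, countries):
    """Translate CIDR blocks into (first, last, first_int, last_int, cc, name).

    geoname_id is the located country; when it is empty the block falls back
    to registered_country_geoname_id. Blocks with neither, with an id absent
    from countryInfo, or with an unparsable network (e.g. a second header
    line from a concatenated file) are skipped and counted, not mislabelled."""
    rows, skipped = [], 0
    for rec in csv.DictReader(io.StringIO(blocks_text)):
        gid = rec["geoname_id"] or rec["registered_country_geoname_id"]
        if gid not in countries:
            skipped += 1
            continue
        try:
            net = ipaddress.ip_network(rec["network"])
        except ValueError:
            skipped += 1
            continue
        first, last = net[0], net[-1]
        cc, name = countries[gid]
        rows.append((str(first), str(last), int(first), int(last), cc, name))
    return rows, skipped


def legacy_csv(rows):
    """Render rows as legacy GeoIP CSV: every field double-quoted, one record
    per line, which is what the CSV-based xt_geoip_build parses."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: geolite2_to_legacy.py CountryInfo.txt blocks.csv... > GeoIP-legacy.csv
    # Without arguments the constructed samples are converted instead.
    if len(sys.argv) >= 3:
        countries = load_country_info(open(sys.argv[1], encoding="utf-8").read())
        blocks = "".join(open(p, encoding="utf-8").read() for p in sys.argv[2:])
    else:
        countries = load_country_info(SAMPLE_COUNTRYINFO)
        blocks = SAMPLE_BLOCKS
    rows, skipped = convert_blocks(blocks, countries)
    sys.stdout.write(legacy_csv(rows))
    print(f"{len(rows)} ranges written, {skipped} skipped", file=sys.stderr)
    # A non-zero exit keeps a cron job from feeding an empty file to xt_geoip_build.
    sys.exit(0 if rows else 1)
```

The skipped count on stderr is the check worth keeping in the cron log: a sudden jump from a handful of rows to tens of thousands means the upstream CSV layout changed or the countryInfo download failed, which would otherwise show up only as country files quietly shrinking under /usr/share/xt_geoip.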
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users