netfilter’s geoip matchJune 19, 2006
netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network addresss [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems. To learn more about iptables/netfilter you should visit http://www.netfilter.org.
what is iptables/netfilter’s geoip match?
This framework is modular and easily let you extend the features. This is exactly what geoip is : an extension to iptables/netfilter that allows you to filter, nat or mangle packets based on the country’s destination or provenance.
There’s some minor steps to go through before using this match.
The geoip’s database
In order to efficiently filter on a country basis, we obviously need a subnet-to-country database. Fortunately, there’s a free one available at http://www.maxmind.com.
However, this database is big and unsorted. Loading this database into memory would eat up too much ressources than what we really need. Also, seeking through unsorted database takes ages. This is why you need a tool called ‘csv2bin’ to strip, sort and compile your database.
csv2bin is available at http://people.netfilter.org/peejix/geoip/tools/
An alternative to creating your own up-to-date database is downloading a prebuilt but possibly outdated database from http://people.netfilter.org/peejix/geoip/database/.
You’ll now have to copy `geoipdb.bin’ and its index file `geoipdb.idx’ into /var/geoip/. The reason on why we do this is that iptables’s geoip shared library is statically reading both files from that path. If you ever need to change that path, take a look at extensions/libipt_geoip.c and suit it for your needs.
Just like other “official” patches, geoip is part of patch-o-matic-ng. As a new match, we’ve put it into Testing state and Extra repository, so start ‘runme’ accordingly.
#> tar xfz patch-o-matic-ng-XXXXXX.tar.gz
#> cd patch-o-matic-ng
#> IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip
Do not forget to :
o recompile iptables;
o enable geoip into your kernel config;
o recompile your kernel or compile geoip as a module;
o boot the new kernel or modprobe ipt_geoip.
NOTE: If you had to change the database path into libipt_geoip.c, you MUST do it before compiling.
If you want to block all Anonymous Proxies and Satellite Providers, you can enter something like that: (I assume that your linux box acts as a router, else you can provide `-A INPUT’ instead.)
#> iptables -A FORWARD -m geoip –src-cc A1,A2 -j DROP
If you only plan to accept connections from your country.
#> iptables -P INPUT DROP
#> iptables -A INPUT -m geoip ! –src-cc CA -j DROP
Some people likes to know which countries are hitting obscure or well-known security risk ports.
Create a dedicated accounting custom chain
#> iptables -N SSH_GEOIP
Feed that chain with your targeted countries (below are for exemple means only)
#> iptables -A SSH_GEOIP -m geoip –src-cc CA
#> iptables -A SSH_GEOIP -m geoip –src-cc DE
#> iptables -A SSH_GEOIP -m geoip –src-cc US
#> iptables -A SSH_GEOIP -m geoip –src-cc JP
#> iptables -A SSH_GEOIP -m geoip –src-cc FR
The sixth rule will match all other countries
#> iptables -A SSH_GEOIP -m geoip ! –src-cc CA,DE,US,JP,FR
Then call the chain for a specific situation
#> iptables -A INPUT -p tcp –dport 22 -j SSH_GEOIP
This patch has been provided for fun and as a challenge only. Please do not consider this patch as an anti-spam approach. There is much better uses of this patch than such a racist-routing.
Charles Michaud, for giving us the project’s idea.
Arthur Ouellet, for giving us ideas and bugs report.
Martin Josefsson, for answering our technicals questions.
Tarek W. Said for jiggling his butt when we succeed.
Sean Donner for testing and writing the geoip_update.sh
and all the netfilter core team, you’re working like a big mama.