This is a little tutorial for adding GeoIP support to iptables in Debian Lenny. GeoIP maps real-world locations to IP networks. With GeoIP support in iptables, you can restrict access from certain locations.
In my tutorial I will restrict access for countries which pose a security threat to the hosted services. For short, ban the damn Chinese.
# Build dependencies and working directories
aptitude install libtext-csv-xs-perl linux-headers-`uname -r` iptables-dev
mkdir -p /var/geoip/LE /usr/src/GeoIP

# Fetch the GeoLite country CSV, the two CSV-to-binary converters and xtables-addons
wget -O /usr/src/GeoIP/GeoIPCountryCSV.zip http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
wget -O /usr/src/GeoIP/csv2bin-20041103.tar.gz http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
wget -O /usr/src/GeoIP/geoip_src.tar.bz2 http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
wget -O /usr/src/GeoIP/xtables-addons-1.21.tar.bz2 http://downloads.sourceforge.net/project/xtables-addons/1.21/xtables-addons-1.21.tar.bz2

# Unpack everything (only the geoip_csv_iv0.pl script is needed from geoip_src)
cd /usr/src/GeoIP
tar xf csv2bin-20041103.tar.gz
tar xf geoip_src.tar.bz2 geoip_csv_iv0.pl
unzip GeoIPCountryCSV.zip
tar xf xtables-addons-1.21.tar.bz2

# Build and install xtables-addons, which provides the geoip match
cd xtables-addons-1.21
./configure --with-xtlibdir=/lib/xtables
make
make install

# Convert the CSV database into the binary files the geoip match reads
cd /usr/src/GeoIP/csv2bin
make
cd /var/geoip
/usr/src/GeoIP/csv2bin/csv2bin /usr/src/GeoIP/GeoIPCountryWhois.csv
cd /var/geoip/LE
perl /usr/src/GeoIP/geoip_csv_iv0.pl /usr/src/GeoIP/GeoIPCountryWhois.csv
Now we can add rules for keeping certain locations out.
# Dedicated chain so the country list can be flushed and rebuilt on its own
iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc CN -j REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc KR -j REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc KP -j REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc TW -j REJECT
# -A appends the jump at the end of INPUT, so any ACCEPT rule already in INPUT is matched first
iptables -A INPUT -j GEOIP_REJECT
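Before loading the rules it helps to check what the database actually says about a given source address, since GeoIPCountryWhois.csv is a list of start/end ranges rather than CIDR blocks. The script below is an added example, not part of the tutorial: it parses a few constructed rows in the CSV layout (start IP, end IP, start number, end number, country code, country name), looks up addresses by binary search on the numeric columns, and reports which SRC= addresses from constructed iptables LOG lines would hit the GEOIP_REJECT chain above. Only the sample rows and log lines are assumptions.

```python
import bisect
import csv
import io
from ipaddress import IPv4Address

# Constructed rows in the GeoIPCountryWhois.csv layout (numbers are correct for the IPs shown)
SAMPLE_CSV = '''"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"1.0.8.0","1.0.15.255","16779264","16781311","CN","China"
"1.0.16.0","1.0.31.255","16781312","16785407","JP","Japan"
"1.11.0.0","1.11.255.255","17498112","17563647","KR","Korea, Republic of"
'''

BANNED = ("CN", "KR", "KP", "TW")  # the --src-cc values used in the GEOIP_REJECT chain


class GeoDB:
    def __init__(self, ranges):
        self.ranges = sorted(ranges)           # (start, end, cc), ordered by start
        self.starts = [r[0] for r in self.ranges]

    @classmethod
    def from_csv(cls, text):
        """Parse CSV rows using the numeric start/end columns; reject inverted ranges."""
        ranges = []
        for row in csv.reader(io.StringIO(text)):
            if len(row) < 6:
                continue                       # blank or malformed row
            start, end, cc = int(row[2]), int(row[3]), row[4]
            if end < start:
                raise ValueError("inverted range in row %r" % row)
            ranges.append((start, end, cc))
        return cls(ranges)

    def lookup(self, ip):
        """Country code for ip, or None when no range covers it (gaps are normal)."""
        n = int(IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.ranges[i][0] <= n <= self.ranges[i][1]:
            return self.ranges[i][2]
        return None

    def would_reject(self, ip, banned=BANNED):
        """Mirror the chain: True if the source would match one of the --src-cc rules."""
        return self.lookup(ip) in banned

    def classify_log(self, lines):
        """Tag iptables LOG lines by the country of their SRC= field."""
        out = []
        for line in lines:
            src = next((t[4:] for t in line.split() if t.startswith("SRC=")), None)
            if src:
                out.append((src, self.lookup(src), self.would_reject(src)))
        return out
```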




GeoIP is missing in the paths below cd /var/geoip.
Shouldn't it be modprobe xt_geoip?
Anyway, thank you!
No, xt_iprange is correct, but should be loaded automatically anyway.
The paths are fixed now, thanks!