Packages to install:

    xtables-addons-common xtables-addons-source module-assistant
    libtext-csv-xs-perl   (for the CSV to binary converter)

Build the modules for the current kernel:

    # module-assistant auto-install xtables-addons-source

The version in squeeze does not include the scripts required to build the database from the GeoIP CSV data. Use the scripts from the v1.28 source tarball.

The GeoIP database goes in /usr/share/xt_geoip/{LE,BE}/... LE or BE depends on the system architecture (little or big endian). This directory is not created by the Debian packages; you need to create it yourself.

Script usage:

    # ./geoip_download.sh
    [..downloads GeoIPCountryCSV.zip and unzips it -> GeoIPCountryWhois.csv..]
    # ./geoip_build_db.pl -D /usr/share/xt_geoip/LE < GeoIPCountryWhois.csv

Verify it works:

    # iptables -I INPUT ! -i lo -m geoip ! --src-cc ID,US -j DROP
    # iptables -L INPUT
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere            Source countries: ! ID,US
    dynamic    all  --  anywhere             anywhere            ctstate INVALID,NEW
    [...snip...]

Caveat: "-I INPUT" puts the rule at the top of the chain, ahead of the ctstate rule, so it also drops already established sessions from any country not listed. Add it from the console or from an address in one of the listed countries, or you will lock yourself out. The "! -i lo" is there because loopback traffic matches no country and would otherwise be dropped too.

Integration with shorewall

Let's call this action "DropFgn" (short for "drop foreign"). This is /etc/shorewall/actions:

    # Shorewall version 4 - Actions File
    #
    # /etc/shorewall/actions
    #
    ###############################################################################
    #ACTION     COMMENT (place '# ' below the 'C' in comment followed by
    #                    a comment describing the action)
    DropFgn     # Drop foreign packets. Xenophobia in action.

Then an empty /etc/shorewall/action.DropFgn:

    # touch /etc/shorewall/action.DropFgn

Then a Perl extension script in /etc/shorewall/DropFgn ($chainref, $level and $tag are set by Shorewall before it runs the file):

    use Shorewall::Chains;

    # Log only if the action was invoked with a log level (e.g. DropFgn:info).
    if ($level ne '') {
        log_rule_limit($level, $chainref, 'DropFgn', 'DROP', '', $tag, 'add',
                       '-m geoip ! --src-cc US,ID');
    }
    # Drop everything whose source is not in the listed countries.
    add_rule($chainref, '-m geoip ! --src-cc US,ID -j DROP');

    1;
    # vim: ft=perl

Then add in /etc/shorewall/rules:

    #############################################################################################################
    #ACTION         SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE    USER/   MARK
    #                                       PORT    PORT(S) DEST      LIMIT   GROUP
    DropFgn:info    net     $FW

That will log dropped packets at info level. If no logging is desired just use "DropFgn". The restriction on the input interface is not necessary here because, with the source set to "net" and the destination to "$FW", the rule goes into the "net2fw" chain, which is not traversed by packets received over the loopback interface.

Links:

Bonus! How to do it on Ubuntu 10.04 Lucid

The scripts are not included there either; use the ones from the 1.28 source package (see above). The only difference is that the location is /var/geoip/{LE,BE}.
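The notes say the LE/BE directory depends on the system architecture and that the packages do not create it. The following shell helper is an added example (not from the original notes, not part of xtables-addons or Debian/Ubuntu packaging) that picks the right subdirectory from the running system's byte order and creates it; the function names xt_geoip_endian, xt_geoip_dir and xt_geoip_prepare are made up here, and the base path is passed in so the same helper serves /usr/share/xt_geoip (squeeze) and /var/geoip (Lucid).

```shell
#!/bin/sh
# Added example, not part of the original notes or of xtables-addons: choose
# the LE or BE subdirectory for the xt_geoip database from the host's byte
# order and create it. Base path: /usr/share/xt_geoip on Debian squeeze,
# /var/geoip on Ubuntu 10.04 Lucid (both taken from the notes above).

# Print LE or BE. The two bytes 0x01 0x00 are read back by od as a single
# native-order 16-bit word: 1 on a little-endian host, 256 on big-endian.
xt_geoip_endian() {
    word=$(printf '\001\000' | od -An -tu2 -N2 | tr -d ' \n')
    case "$word" in
        1)   echo LE ;;
        256) echo BE ;;
        *)   echo "cannot determine byte order (od printed '$word')" >&2
             return 1 ;;
    esac
}

# Print the directory that geoip_build_db.pl -D should write into, e.g.
# /usr/share/xt_geoip/LE on an x86 box.
xt_geoip_dir() {
    base=${1:-/usr/share/xt_geoip}
    endian=$(xt_geoip_endian) || return 1
    printf '%s/%s\n' "$base" "$endian"
}

# Create that directory (world-readable is enough; the module only reads it)
# and print its path so it can be fed straight to the build script.
xt_geoip_prepare() {
    dir=$(xt_geoip_dir "$1") || return 1
    mkdir -p "$dir" && chmod 755 "$dir" && printf '%s\n' "$dir"
}

# Typical use on squeeze, as root, after geoip_download.sh:
#   ./geoip_build_db.pl -D "$(xt_geoip_prepare /usr/share/xt_geoip)" < GeoIPCountryWhois.csv
```

On Lucid the same call with /var/geoip as the argument yields /var/geoip/LE or /var/geoip/BE. Checking the byte order this way, rather than guessing from the architecture name, avoids building the database into a directory the module never reads.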