William Shallum

Iptables & GeoIP on Debian squeeze

Posted May 9 2011, 16:28 by William Shallum [updated Jul 5 2015, 08:21]

Packages to install: xtables-addons-common xtables-addons-source module-assistant libtext-csv-xs-perl (the last one is needed by the CSV-to-binary converter)

Build modules for current kernel:

# module-assistant auto-install xtables-addons-source

The version in squeeze did not include the scripts required to build the database from the GeoIP CSV data. Use the scripts from the v1.28 source tarball.

The GeoIP database goes in /usr/share/xt_geoip/{LE,BE}/… Whether LE or BE is used depends on the system architecture (little or big endian). The Debian packages do not create this directory, so create it yourself.

Script usage:

# ./geoip_download.sh
[..downloads GeoIPCountryCSV.zip and unzips -> GeoIPCountryWhois.csv..]
# ./geoip_build_db.pl -D /usr/share/xt_geoip/LE < GeoIPCountryWhois.csv
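As an added example (not part of the original post or of xtables-addons), here is a small wrapper for the steps above: it picks LE or BE from the machine's byte order, creates the directory the Debian packages leave out, sanity-checks the downloaded CSV before feeding it to the converter, and then runs the two v1.28 scripts. It assumes the scripts sit in the current directory and that the CSV has the legacy GeoIPCountryWhois layout of six quoted fields.

```shell
#!/bin/sh
# Added example, not from the original post: prepare the xt_geoip database
# directory for this host's byte order and run the v1.28 build scripts.
# Assumptions: geoip_download.sh and geoip_build_db.pl are in the current
# directory; the CSV uses the legacy six-field quoted layout.
set -eu

# Print LE or BE depending on CPU byte order: the bytes 0x01 0x00 read as
# one native 16-bit word show up as 0001 on little-endian hosts, 0100 on
# big-endian ones.
xt_endian_dir() {
    case "$(printf '\001\000' | od -An -tx2 | tr -d ' ')" in
        0001) echo LE ;;
        0100) echo BE ;;
        *) echo "cannot determine byte order" >&2; return 1 ;;
    esac
}

# Directory xt_geoip expects on this host, e.g. /usr/share/xt_geoip/LE
# (the base is /var/geoip on Ubuntu 10.04). A trailing slash on the base
# is tolerated.
geoip_db_dir() {
    printf '%s/%s\n' "${1%/}" "$(xt_endian_dir)"
}

# Read a CSV on stdin and succeed only if every row looks like
#   "start_ip","end_ip","start_num","end_num","CC","Country name"
# so a truncated or HTML error-page download is caught before the build.
geoip_csv_sane() {
    awk -v re='^"[0-9.]+","[0-9.]+","[0-9]+","[0-9]+","[A-Z0-9][A-Z0-9]",".*"$' '
        $0 !~ re { bad++ }
        END { exit (NR == 0 || bad > 0) }'
}

# Usage: sh geoip_setup.sh build [/usr/share/xt_geoip]
if [ "${1:-}" = build ]; then
    base=${2:-/usr/share/xt_geoip}
    dir=$(geoip_db_dir "$base")
    mkdir -p "$dir"                     # not created by the Debian packages
    ./geoip_download.sh                 # -> GeoIPCountryWhois.csv
    geoip_csv_sane < GeoIPCountryWhois.csv || {
        echo "GeoIPCountryWhois.csv does not look like a GeoIP country CSV" >&2
        exit 1
    }
    ./geoip_build_db.pl -D "$dir" < GeoIPCountryWhois.csv
fi
```

The byte-order probe uses only printf and od, so it works with dash as /bin/sh; the CSV check is there because the build script happily produces an empty database from an empty or mangled download, which then silently drops nothing.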

Verify that it works:

# iptables -I INPUT ! -i lo -m geoip ! --src-cc ID,US -j DROP
# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            Source countries: ! ID,US 
dynamic    all  --  anywhere             anywhere            ctstate INVALID,NEW 
[...snip...]

Integration with shorewall

Let’s call this action “DropFgn” (short for “drop foreign”). It is declared in /etc/shorewall/actions:

# Shorewall version 4 - Actions File
#
# /etc/shorewall/actions
#
###############################################################################
#ACTION             COMMENT (place '# ' below the 'C' in comment followed by
#                           a comment describing the action)
DropFgn             # Drop foreign packets. Xenophobia in action.

Then an empty /etc/shorewall/action.DropFgn

# touch /etc/shorewall/action.DropFgn

Then a Perl script in /etc/shorewall/DropFgn:

use Shorewall::Chains;
# $level, $chainref and $tag are supplied by the Shorewall compiler when it
# processes this action. Emit a log rule only if a log level was given
# (e.g. DropFgn:info), then the unconditional DROP.
if ($level ne '') {
        log_rule_limit($level, $chainref, 'DropFgn', 'DROP', '', $tag, 'add', '-m geoip ! --src-cc US,ID');
}
add_rule($chainref, '-m geoip ! --src-cc US,ID -j DROP');
1;
# vim: ft=perl

Then add to /etc/shorewall/rules:

#############################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP

DropFgn:info    net             $FW

That logs the dropped packets at info level. If no logging is desired, just use “DropFgn”.

Restricting the input interface (the ! -i lo in the manual rule above) is not needed here: with the source set to “net” and the destination to “$FW”, the rule lands in the “net2fw” chain, which packets received over the loopback interface never traverse.
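Whether the rule was added by hand into INPUT or generated by Shorewall into net2fw, the thing worth checking afterwards is that a geoip DROP rule really is present and sits high enough in the chain to fire. The following is an added example, not part of the original post or of Shorewall; it parses the listing that iptables -L prints (the sample text inside it is constructed from the INPUT listing shown earlier) and works the same on any chain name.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that a geoip DROP rule
# is installed by parsing the iptables -L listing of a chain.
set -eu

# Constructed sample, modelled on the "iptables -L INPUT" output shown in
# the post (not captured from a live system).
SAMPLE_INPUT_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            Source countries: ! ID,US
dynamic    all  --  anywhere             anywhere            ctstate INVALID,NEW'

# geoip_rule_present COUNTRIES < listing
# Succeeds when some DROP rule in the listing carries
# "Source countries: ! COUNTRIES". iptables prints the list exactly as it
# was given, so the order (ID,US vs US,ID) has to match what was configured.
geoip_rule_present() {
    grep -Eq "^DROP[[:space:]].*Source countries: ! $1([[:space:]]|\$)"
}

# geoip_rule_position < listing
# Prints the 1-based position of the first geoip DROP rule (the number
# iptables --line-numbers would show), or 0 if there is none. A geoip rule
# that sits below an ACCEPT for the same traffic never fires, so the
# position matters as much as the presence.
geoip_rule_position() {
    awk 'NR > 2 { n++ }
         NR > 2 && $1 == "DROP" && /Source countries:/ { print n; found = 1; exit }
         END { if (!found) print 0 }'
}

# Usage: sh geoip_check.sh CHAIN [COUNTRIES]
#   sh geoip_check.sh INPUT ID,US      (rule added by hand)
#   sh geoip_check.sh net2fw US,ID     (rule generated by Shorewall)
if [ "${1:-}" != "" ]; then
    listing=$(iptables -L "$1")
    if printf '%s\n' "$listing" | geoip_rule_present "${2:-ID,US}"; then
        echo "geoip DROP rule present in $1 at position $(printf '%s\n' "$listing" | geoip_rule_position)"
    else
        echo "no geoip DROP rule for ${2:-ID,US} in $1" >&2
        exit 1
    fi
fi
```

The check deliberately matches on what iptables prints rather than on the rule you remember adding; if the database directory was missing or built for the wrong byte order, the module may load but the rule will not behave as the listing suggests, so pair this with a test packet from a known foreign address where possible.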

Links:

Bonus! How to do it on Ubuntu 10.04 Lucid

The scripts are not included here either; use the ones from the 1.28 source package (see above). The only difference is that the database location is /var/geoip/{LE,BE}.