Gentoo IPTables Xtables-addons Block countries: Difference between revisions

From D3xt3r01.tk
Jump to navigationJump to search
m New page: ==WHY== Because there are kinda' tons of infected japan and pakistan computers which try to send spam to me ( or use me as a relay ). My postfix is set up to block relay but that still ha...
 
 
(3 intermediate revisions by the same user not shown)
Line 9: Line 9:
I'm using gentoo so patch-o-matic doesn't seem to be integrated yet.
I'm using gentoo so patch-o-matic doesn't seem to be integrated yet.


Step 1. Get the latest patch-o-matic from ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and pack
Step 1. Get the latest xtables-addons from http://xtables-addons.sourceforge.net/ and unpack


Step 2. Find out what iptables version you have
Step 2. Go to your unpacked xtables-addons dir and do


<source lang="bash">
<source lang="bash">
emerge iptables -vp
./configure --with-xtlibdir=/lib/xtables # this is where my gentoo puts his modules
make
make install
</source>
</source>


Step 3. Get the source for your version, unpack and compile ( replace 1.4.3.2 with your version you got from above )
On my arm gentoo boxen I have this package masked which is needed for the next steps...
<source lang="bash">
echo "dev-perl/Text-CSV_XS **" >> /etc/portage/package.keywords
emerge Text-CSV_XS
</source>
 
Step 3. Get the ip->country database and set it up right.


<source lang="bash">
<source lang="bash">
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild unpack
mkdir ~/geoip
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild compile
cd ~/geoip
wget http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
unzip GeoIPCountryCSV.zip
wget http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
tar -xjf geoip_src.tar.bz2 geoip_csv_iv0.pl runme.sh
cp -r var/geoip/* /var/geoip/
</source>
</source>


Step 4. Go to your unpacked patch-o-matic dir and do
runme.sh's contents:


<source lang="bash">
<source lang="bash">
./runme --download
#!/bin/bash -ex
IPTABLES_DIR=/var/tmp/portage/net-firewall/iptables-1.4.3.2/work/iptables-1.4.3.2 KERNEL_DIR=/usr/src/linux ./runme geoip
 
rm -Rf var
mkdir -p var/geoip/{BE,LE};
pushd var/geoip/BE;
../../../geoip_csv_iv0.pl -b ../../../GeoIPCountryWhois.csv;
popd;
pushd var/geoip/LE;
../../../geoip_csv_iv0.pl ../../../GeoIPCountryWhois.csv;
popd;
find var -print0 | sort -z | tar -T- --null --no-r --owner=root \
        --group=root -cvjf geoip_iv0_database.tar.bz2;
tar --no-r --owner=root --group=root -cvjf geoip_src.tar.bz2 \
        GeoIPCountryWhois.csv geoip_csv_iv0.pl runme.sh
</source>
</source>


Step 5. Go to /usr/src/linux and enable geoip as module and recompile ( I do make uImage because I'm using gentoo on an ARM arch here .. you don't need that stuff .. )
geoip_csv_iv0.pl's contents:
<source lang="perl">
#!/usr/bin/perl
#
#      Converter for MaxMind CSV database to binary, for xt_geoip
#      Copyright © CC Computer Consultants, 2008
#
#      Contact: Jan Engelhardt <jengelh@computergmbh.de>
#
#      Use -b argument to create big-endian tables.
#
use Getopt::Long;
use IO::Handle;
use Text::CSV_XS; # or trade for Text::CSV
use strict;


<source lang="bash">
my %country;
cd /usr/src/linux
my %names;
make menuconfig
my $csv = Text::CSV_XS->new({binary => 0, eol => $/}); # or Text::CSV
my $mode = "VV";
 
&Getopt::Long::Configure(qw(bundling));
&GetOptions("b" => sub { $mode = "NN"; });


# Symbol: NETFILTER_XT_MATCH_GEOIP[=m]
while (my $row = $csv->getline(*ARGV)) {
# Prompt: "geoip" match support
        if (!defined($country{$row->[4]})) {
# -> Networking support (NET [=y])
                $country{$row->[4]} = [];
-> Networking options 
                $names{$row->[4]} = $row->[5];
#    -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
        }
#      -> Core Netfilter Configuration
        my $c = $country{$row->[4]};
#      -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
        push(@$c, [$row->[2], $row->[3]]);
        if ($. % 4096 == 0) {
                print STDERR "\r\e[2K$. entries";
        }
}


make uImage && make modules && make modules_install
print STDERR "\r\e[2K$. entries total\n";
</source>


Step 6 . Install the newly patched iptables
foreach my $iso_code (sort keys %country) {
        printf "%5u ranges for %s %s\n",
                scalar(@{$country{$iso_code}}),
                $iso_code, $names{$iso_code};


<source lang="bash">
        open(my $fh, ">".uc($iso_code).".iv0");
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild install
        foreach my $range (@{$country{$iso_code}}) {
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild qmerge
                print $fh pack($mode, $range->[0], $range->[1]);
        }
        close $fh;
}
</source>
</source>
Examples at http://people.netfilter.org/~peejix/geoip/howto/geoip-HOWTO-3.html


And you're done
And you're done

Latest revision as of 00:37, 17 January 2010

WHY

Because there are kinda' tons of infected japan and pakistan computers which try to send spam to me ( or use me as a relay ). My postfix is set up to block relay but that still has to check against dnsbl lists for each ip.

HOW

Use geoip with iptables !

I'm using gentoo so patch-o-matic doesn't seem to be integrated yet.

Step 1. Get the latest xtables-addons from http://xtables-addons.sourceforge.net/ and unpack

Step 2. Go to your unpacked xtables-addons dir and do 

./configure --with-xtlibdir=/lib/xtables # this is where my gentoo puts his modules
make
make install

On my arm gentoo boxen I have this package masked which is needed for the next steps... 

echo "dev-perl/Text-CSV_XS **" >> /etc/portage/package.keywords
emerge Text-CSV_XS

Step 3. Get the ip->country database and set it up right. 

mkdir ~/geoip
cd ~/geoip
wget http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
unzip GeoIPCountryCSV.zip
wget http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
tar -xjf geoip_src.tar.bz2 geoip_csv_iv0.pl runme.sh
cp -r var/geoip/* /var/geoip/

runme.sh's contents: 

#!/bin/bash -ex

rm -Rf var
mkdir -p var/geoip/{BE,LE};
pushd var/geoip/BE;
../../../geoip_csv_iv0.pl -b ../../../GeoIPCountryWhois.csv;
popd;
pushd var/geoip/LE;
../../../geoip_csv_iv0.pl ../../../GeoIPCountryWhois.csv;
popd;
find var -print0 | sort -z | tar -T- --null --no-r --owner=root \
        --group=root -cvjf geoip_iv0_database.tar.bz2;
tar --no-r --owner=root --group=root -cvjf geoip_src.tar.bz2 \
        GeoIPCountryWhois.csv geoip_csv_iv0.pl runme.sh

geoip_csv_iv0.pl's contents: 

#!/usr/bin/perl
#
#       Converter for MaxMind CSV database to binary, for xt_geoip
#       Copyright © CC Computer Consultants, 2008
#
#       Contact: Jan Engelhardt <jengelh@computergmbh.de>
#
#       Use -b argument to create big-endian tables.
#
use Getopt::Long;
use IO::Handle;
use Text::CSV_XS; # or trade for Text::CSV
use strict;

my %country;
my %names;
my $csv = Text::CSV_XS->new({binary => 0, eol => $/}); # or Text::CSV
my $mode = "VV";

&Getopt::Long::Configure(qw(bundling));
&GetOptions("b" => sub { $mode = "NN"; });

while (my $row = $csv->getline(*ARGV)) {
        if (!defined($country{$row->[4]})) {
                $country{$row->[4]} = [];
                $names{$row->[4]} = $row->[5];
        }
        my $c = $country{$row->[4]};
        push(@$c, [$row->[2], $row->[3]]);
        if ($. % 4096 == 0) {
                print STDERR "\r\e[2K$. entries";
        }
}

print STDERR "\r\e[2K$. entries total\n";

foreach my $iso_code (sort keys %country) {
        printf "%5u ranges for %s %s\n",
                scalar(@{$country{$iso_code}}),
                $iso_code, $names{$iso_code};

        open(my $fh, ">".uc($iso_code).".iv0");
        foreach my $range (@{$country{$iso_code}}) {
                print $fh pack($mode, $range->[0], $range->[1]);
        }
        close $fh;
}

And you're done

Retrieved from "https://wiki.d3xt3r01.tk//index.php?title=Gentoo_IPTables_Xtables-addons_Block_countries&oldid=346"