Gentoo IPTables Xtables-addons Block countries: Difference between revisions

From D3xt3r01.tk
 
Line 9: Line 9:
I'm using gentoo so patch-o-matic doesn't seem to be integrated yet.
I'm using gentoo so patch-o-matic doesn't seem to be integrated yet.


Step 1. Get the latest patch-o-matic from http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and pack
Step 1. Get the latest xtables-addons from http://xtables-addons.sourceforge.net/ and unpack


Step 2. Find out what iptables version you have
Step 2. Go to your unpacked xtables-addons dir and do


<source lang="bash">
<source lang="bash">
emerge iptables -vp
./configure --with-xtlibdir=/lib/xtables # this is where my gentoo puts his modules
make
make install
</source>
</source>


Step 3. Get the source for your version, unpack and compile ( replace 1.4.6 with your version you got from above )
On my arm gentoo boxen I have this package masked which is needed for the next steps...
 
<source lang="bash">
<source lang="bash">
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild unpack
echo "dev-perl/Text-CSV_XS **" >> /etc/portage/package.keywords
emerge Text-CSV_XS
</source>
</source>


Step 4. Go to your unpacked patch-o-matic dir and do
Step 3. Get the ip->country database and set it up right.


<source lang="bash">
<source lang="bash">
./runme --download
mkdir ~/geoip
IPTABLES_DIR=/var/tmp/portage/net-firewall/iptables-1.4.6/work/iptables-1.6 KERNEL_DIR=/usr/src/linux ./runme geoip
cd ~/geoip
wget http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
unzip GeoIPCountryCSV.zip
wget http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
tar -xjf geoip_src.tar.bz2 geoip_csv_iv0.pl runme.sh
cp -r var/geoip/* /var/geoip/
</source>
</source>


Step 5. Go to /usr/src/linux and enable geoip as module and recompile ( I do make uImage because I'm using gentoo on an ARM arch here .. you don't need that stuff .. )
runme.sh's contents:


<source lang="bash">
<source lang="bash">
cd /usr/src/linux
#!/bin/bash -ex
make menuconfig
 
rm -Rf var
mkdir -p var/geoip/{BE,LE};
pushd var/geoip/BE;
../../../geoip_csv_iv0.pl -b ../../../GeoIPCountryWhois.csv;
popd;
pushd var/geoip/LE;
../../../geoip_csv_iv0.pl ../../../GeoIPCountryWhois.csv;
popd;
find var -print0 | sort -z | tar -T- --null --no-r --owner=root \
        --group=root -cvjf geoip_iv0_database.tar.bz2;
tar --no-r --owner=root --group=root -cvjf geoip_src.tar.bz2 \
        GeoIPCountryWhois.csv geoip_csv_iv0.pl runme.sh
</source>


# Symbol: NETFILTER_XT_MATCH_GEOIP[=m]
geoip_csv_iv0.pl's contents:
# Prompt: "geoip" match support
<source lang="perl">
# -> [*] Networking support (NET [=y])
#!/usr/bin/perl
#  -> Networking options 
#    -> [*] Network packet filtering framework (Netfilter) (NETFILTER [=y])
#      -> Core Netfilter Configuration
#      -> -*- Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
#       -> <M> "geoip" match support Symbol: NETFILTER_XT_MATCH_GEOIP [=m]
#
#
# CONFIG_NETFILTER_XT_MATCH_GEOIP:
#       Converter for MaxMind CSV database to binary, for xt_geoip
# This option allows you to match a packet by its source or
#       Copyright © CC Computer Consultants, 2008
# destination country.  Basically, you need a country's
#
# database containing all subnets and associated countries.
#       Contact: Jan Engelhardt <jengelh@computergmbh.de>
# For the complete procedure and understanding, read :
#
# http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html 
#       Use -b argument to create big-endian tables.
 
#
make uImage && make modules && make modules_install
use Getopt::Long;
</source>
use IO::Handle;
use Text::CSV_XS; # or trade for Text::CSV
use strict;


Step 6. Fixing the patch because for some reason the patch doesn't put a header file where it's supposed to .. so .. cd to the patch-o-matic directory and do this:
my %country;
my %names;
my $csv = Text::CSV_XS->new({binary => 0, eol => $/}); # or Text::CSV
my $mode = "VV";


<source lang="bash">
&Getopt::Long::Configure(qw(bundling));
cp ./patchlets/geoip/linux-2.6/include/linux/netfilter/xt_geoip.h /var/tmp/portage/net-firewall/iptables-1.4.6/work/iptables-1.4.6/include/linux/netfilter/
&GetOptions("b" => sub { $mode = "NN"; });
</source>


Add this at the beginning of /var/tmp/portage/net-firewall/iptables-1.4.6/work/iptables-1.4.6/include/linux/netfilter/xt_geoip.h
while (my $row = $csv->getline(*ARGV)) {
        if (!defined($country{$row->[4]})) {
                $country{$row->[4]} = [];
                $names{$row->[4]} = $row->[5];
        }
        my $c = $country{$row->[4]};
        push(@$c, [$row->[2], $row->[3]]);
        if ($. % 4096 == 0) {
                print STDERR "\r\e[2K$. entries";
        }
}


#define IPTABLES_VERSION "1.4.6"
print STDERR "\r\e[2K$. entries total\n";


Step 7 . Install the newly patched iptables
foreach my $iso_code (sort keys %country) {
        printf "%5u ranges for %s %s\n",
                scalar(@{$country{$iso_code}}),
                $iso_code, $names{$iso_code};


<source lang="bash">
        open(my $fh, ">".uc($iso_code).".iv0");
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild compile
        foreach my $range (@{$country{$iso_code}}) {
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild install
                print $fh pack($mode, $range->[0], $range->[1]);
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild qmerge
        }
        close $fh;
}
</source>
</source>
Examples and many thanks to: [http://people.netfilter.org/~peejix/geoip/howto/geoip-HOWTO-3.html peejix's HowTo.]


And you're done
And you're done
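
Review bot: The new Step 3 runs "cp -r var/geoip/* /var/geoip/" straight after a tar command that extracts only geoip_csv_iv0.pl and runme.sh, so nothing has created var/geoip at that point; the step needs "./runme.sh" (and a "mkdir -p /var/geoip") before the cp. The unchanged intro line still says patch-o-matic "doesn't seem to be integrated yet" although the revision switches to xtables-addons, and the new text goes from the converter script to "And you're done" without a step that loads the geoip match or shows a rule using it. Both archives are also fetched over plain http with no checksum or signature check before runme.sh is executed as root, which is worth a note in the text.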

Latest revision as of 00:37, 17 January 2010

WHY

Because there are kinda' tons of infected Japan and Pakistan computers which try to send spam to me (or use me as a relay). My Postfix is set up to block relay but that still has to check against DNSBL lists for each IP.

HOW

Use geoip with iptables!

I'm using Gentoo so patch-o-matic doesn't seem to be integrated yet.

Step 1. Get the latest xtables-addons from http://xtables-addons.sourceforge.net/ and unpack

Step 2. Go to your unpacked xtables-addons dir and do

<source lang="bash">
./configure --with-xtlibdir=/lib/xtables # this is where my Gentoo puts its modules
make
make install
</source>

On my ARM Gentoo boxen I have this package masked, which is needed for the next steps...

<source lang="bash">
echo "dev-perl/Text-CSV_XS **" >> /etc/portage/package.keywords
emerge Text-CSV_XS
</source>

Step 3. Get the ip->country database and set it up right.

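<source lang="bash">
mkdir ~/geoip
cd ~/geoip
wget http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
unzip GeoIPCountryCSV.zip
wget http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
tar -xjf geoip_src.tar.bz2 geoip_csv_iv0.pl runme.sh
./runme.sh              # converts the CSV into var/geoip/{BE,LE}/*.iv0
mkdir -p /var/geoip     # make sure the target directory exists
cp -r var/geoip/* /var/geoip/
</source>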

runme.sh's contents:

<source lang="bash">
#!/bin/bash -ex

rm -Rf var
mkdir -p var/geoip/{BE,LE};
pushd var/geoip/BE;
../../../geoip_csv_iv0.pl -b ../../../GeoIPCountryWhois.csv;
popd;
pushd var/geoip/LE;
../../../geoip_csv_iv0.pl ../../../GeoIPCountryWhois.csv;
popd;
find var -print0 | sort -z | tar -T- --null --no-r --owner=root \
        --group=root -cvjf geoip_iv0_database.tar.bz2;
tar --no-r --owner=root --group=root -cvjf geoip_src.tar.bz2 \
        GeoIPCountryWhois.csv geoip_csv_iv0.pl runme.sh
</source>

geoip_csv_iv0.pl's contents:

<source lang="perl">
#!/usr/bin/perl
#
#       Converter for MaxMind CSV database to binary, for xt_geoip
#       Copyright © CC Computer Consultants, 2008
#
#       Contact: Jan Engelhardt <jengelh@computergmbh.de>
#
#       Use -b argument to create big-endian tables.
#
use Getopt::Long;
use IO::Handle;
use Text::CSV_XS; # or trade for Text::CSV
use strict;

my %country;
my %names;
my $csv = Text::CSV_XS->new({binary => 0, eol => $/}); # or Text::CSV
my $mode = "VV";

&Getopt::Long::Configure(qw(bundling));
&GetOptions("b" => sub { $mode = "NN"; });

while (my $row = $csv->getline(*ARGV)) {
        if (!defined($country{$row->[4]})) {
                $country{$row->[4]} = [];
                $names{$row->[4]} = $row->[5];
        }
        my $c = $country{$row->[4]};
        push(@$c, [$row->[2], $row->[3]]);
        if ($. % 4096 == 0) {
                print STDERR "\r\e[2K$. entries";
        }
}

print STDERR "\r\e[2K$. entries total\n";

foreach my $iso_code (sort keys %country) {
        printf "%5u ranges for %s %s\n",
                scalar(@{$country{$iso_code}}),
                $iso_code, $names{$iso_code};

        open(my $fh, ">".uc($iso_code).".iv0");
        foreach my $range (@{$country{$iso_code}}) {
                print $fh pack($mode, $range->[0], $range->[1]);
        }
        close $fh;
}
</source>
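
An added example, not part of the original page or of the xtables-addons code: a Python reader for the .iv0 files the converter above writes (pairs of 32-bit start/end addresses, little-endian for "VV", big-endian with -b), handy for checking a generated table before firewall rules depend on it. The sample ranges are constructed from documentation address blocks, and the ascending-order check assumes the input CSV is sorted by address.

```python
import ipaddress
import struct

# Constructed sample (documentation address blocks, not real allocations):
# start IP, end IP, ISO code, in ascending address order.
SAMPLE_ROWS = [
    ("192.0.2.0", "192.0.2.255", "JP"),
    ("198.51.100.0", "198.51.100.127", "PK"),
    ("203.0.113.0", "203.0.113.255", "JP"),
]


def build_iv0(rows, big_endian=False):
    """Pack ranges per country the way pack("VV") / pack("NN") does."""
    fmt = ">II" if big_endian else "<II"
    out = {}
    for start, end, iso in rows:
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end))
        out[iso.upper()] = out.get(iso.upper(), b"") + struct.pack(fmt, lo, hi)
    return out


def parse_iv0(blob, big_endian=False):
    """Decode an .iv0 blob into (start, end) pairs, rejecting damaged data."""
    if len(blob) % 8:
        raise ValueError("truncated file: length is not a multiple of 8")
    fmt = ">II" if big_endian else "<II"
    ranges, prev_end = [], -1
    for lo, hi in struct.iter_unpack(fmt, blob):
        # Wrong byte order or a corrupt file shows up as disorder here.
        if lo > hi or lo <= prev_end:
            raise ValueError(f"range {lo}-{hi} is inverted or out of order")
        ranges.append((lo, hi))
        prev_end = hi
    return ranges


def in_country(blob, ip, big_endian=False):
    """True if ip falls inside any range of this country's table."""
    addr = int(ipaddress.IPv4Address(ip))
    return any(lo <= addr <= hi for lo, hi in parse_iv0(blob, big_endian))


if __name__ == "__main__":
    le = build_iv0(SAMPLE_ROWS)
    print(parse_iv0(le["JP"]))
    print(in_country(le["JP"], "203.0.113.7"), in_country(le["PK"], "203.0.113.7"))
```

Reading a little-endian table with `big_endian=True` (the LE/BE directory mix-up) fails the ordering check on this sample instead of silently matching the wrong addresses.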

And you're done