Gentoo IPTables Xtables-addons Block countries: Difference between revisions

Revision as of 23:55, 16 January 2010

WHY

Because there are kinda' tons of infected japan and pakistan computers which try to send spam to me ( or use me as a relay ). My postfix is set up to block relay but that still has to check against dnsbl lists for each ip.

HOW

Use geoip with iptables !

I'm using gentoo so patch-o-matic doesn't seem to be integrated yet.

Step 1. Get the latest patch-o-matic from http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and pack

Step 2. Find out what iptables version you have

emerge iptables -vp

Step 3. Get the source for your version, unpack and compile ( replace 1.4.6 with your version you got from above )

ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild unpack

Step 4. Go to your unpacked patch-o-matic dir and do

./runme --download
IPTABLES_DIR=/var/tmp/portage/net-firewall/iptables-1.4.6/work/iptables-1.6 KERNEL_DIR=/usr/src/linux ./runme geoip

Step 5. Go to /usr/src/linux and enable geoip as module and recompile ( I do make uImage because I'm using gentoo on an ARM arch here .. you don't need that stuff .. )

cd /usr/src/linux
make menuconfig

# Symbol: NETFILTER_XT_MATCH_GEOIP[=m]
# Prompt: "geoip" match support
# -> [*] Networking support (NET [=y])
#  -> Networking options  
#    -> [*] Network packet filtering framework (Netfilter) (NETFILTER [=y])
#      -> Core Netfilter Configuration
#       -> -*- Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
#        -> <M> "geoip" match support Symbol: NETFILTER_XT_MATCH_GEOIP [=m]
#
# CONFIG_NETFILTER_XT_MATCH_GEOIP:
# This option allows you to match a packet by its source or
# destination country.  Basically, you need a country's
# database containing all subnets and associated countries.
# For the complete procedure and understanding, read :
# http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html   

make uImage && make modules && make modules_install

Step 6. Fixing the patch because for some reason the patch doesn't put a header file where it's supposed to .. so .. cd to the patch-o-matic directory and do this:

cp ./patchlets/geoip/linux-2.6/include/linux/netfilter/xt_geoip.h /var/tmp/portage/net-firewall/iptables-1.4.6/work/iptables-1.4.6/include/linux/netfilter/

Step 7 . Install the newly patched iptables

ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild compile
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild install
ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild qmerge

Examples and many thanks to: peejix's HowTo.

And you're done

Gentoo IPTables Xtables-addons Block countries: Difference between revisions

Revision as of 23:55, 16 January 2010

WHY

HOW

Navigation menu

Page actions

Page actions

Personal tools

Navigation

Search

Tools

@@ Line 9: / Line 9: @@
 I'm using gentoo so patch-o-matic doesn't seem to be integrated yet.
-Step 1. Get the latest patch-o-matic from ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and pack
+Step 1. Get the latest patch-o-matic from http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and pack
 Step 2. Find out what iptables version you have
@@ Line 17: / Line 17: @@
 </source>
-Step 3. Get the source for your version, unpack and compile ( replace 1.4.3.2 with your version you got from above )
+Step 3. Get the source for your version, unpack and compile ( replace 1.4.6 with your version you got from above )
 <source lang="bash">
-ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild unpack
+ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild unpack
-ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild compile
 </source>
@@ Line 28: / Line 27: @@
 <source lang="bash">
 ./runme --download
-IPTABLES_DIR=/var/tmp/portage/net-firewall/iptables-1.4.3.2/work/iptables-1.4.3.2 KERNEL_DIR=/usr/src/linux ./runme geoip
+IPTABLES_DIR=/var/tmp/portage/net-firewall/iptables-1.4.6/work/iptables-1.6 KERNEL_DIR=/usr/src/linux ./runme geoip
 </source>
@@ Line 39: / Line 38: @@
 # Symbol: NETFILTER_XT_MATCH_GEOIP[=m]
 # Prompt: "geoip" match support
-# -> Networking support (NET [=y])
+# -> [*] Networking support (NET [=y])
 #  -> Networking options
-#    -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
+#    -> [*] Network packet filtering framework (Netfilter) (NETFILTER [=y])
 #      -> Core Netfilter Configuration
-#       -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
+#       -> -*- Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
+#        -> <M> "geoip" match support Symbol: NETFILTER_XT_MATCH_GEOIP [=m]
+#
+# CONFIG_NETFILTER_XT_MATCH_GEOIP:
+# This option allows you to match a packet by its source or
+# destination country.  Basically, you need a country's
+# database containing all subnets and associated countries.
+# For the complete procedure and understanding, read :
+# http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html
 make uImage && make modules && make modules_install
 </source>
-Step 6 . Install the newly patched iptables
+Step 6. Fixing the patch because for some reason the patch doesn't put a header file where it's supposed to .. so .. cd to the patch-o-matic directory and do this:
 <source lang="bash">
-ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild install
+cp ./patchlets/geoip/linux-2.6/include/linux/netfilter/xt_geoip.h /var/tmp/portage/net-firewall/iptables-1.4.6/work/iptables-1.4.6/include/linux/netfilter/
-ebuild /usr/portage/net-firewall/iptables/iptables-1.4.3.2.ebuild qmerge
 </source>
-Examples at http://people.netfilter.org/~peejix/geoip/howto/geoip-HOWTO-3.html
+Step 7 . Install the newly patched iptables
+<source lang="bash">
+ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild compile
+ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild install
+ebuild /usr/portage/net-firewall/iptables/iptables-1.4.6.ebuild qmerge
+</source>
+Examples and many thanks to: [http://people.netfilter.org/~peejix/geoip/howto/geoip-HOWTO-3.html peejix's HowTo.]
 And you're done