Authors

Nicolas Bouliane acidfu@people.netfilter.org
Samuel Jean peejix@people.netfilter.org

1. Introduction

Netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernels. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems. To learn more about iptables/netfilter you should visit www.netfilter.org.

1.1 what is iptables/netfilter's geoip match?

This framework is modular and lets you extend its features easily. This is exactly what geoip is: an extension to iptables/netfilter that allows you to filter, NAT or mangle packets based on their source or destination country.

2. Installation

There are a few minor steps to go through before using this match.

2.1 the geoip's database

In order to efficiently filter on a country basis, we obviously need a subnet-to-country database. Fortunately, there's a free one available at http://www.maxmind.com.

However, this database is big and unsorted. Loading it into memory as-is would consume far more resources than we really need, and seeking through an unsorted database takes ages. This is why you need a tool called 'gcsv2bin' to strip, sort and compile your database.

gcsv2bin is available at http://people.netfilter.org/acidfu/geoip/tools/

An alternative to creating your own up-to-date database is downloading a prebuilt but possibly outdated database from http://people.netfilter.org/acidfu/geoip/database/.

You now have to copy `geoipdb.bin' and its index file `geoipdb.idx' into /var/geoip/. The reason is that the iptables geoip shared library reads both files from that hard-coded path. If you ever need to change that path, take a look at extensions/libxt_geoip.c and adapt it to your needs.
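The strip, sort and compile step described above, sketched in Python as an added example; it is not gcsv2bin's code and does not reproduce the geoipdb.bin/geoipdb.idx file format. The sample rows are constructed and assume the legacy MaxMind country CSV column order; compile_db and in_country are hypothetical names.

```python
import bisect
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows (documentation address ranges); assumed column order:
# start_ip, end_ip, start_num, end_num, country_code, country_name
SAMPLE_CSV = '''"198.51.100.0","198.51.100.255","3325256704","3325256959","DE","Germany"
"192.0.2.0","192.0.2.127","3221225984","3221226111","CA","Canada"
"203.0.113.0","203.0.113.255","3405803776","3405804031","JP","Japan"
"192.0.2.128","192.0.2.255","3221226112","3221226239","CA","Canada"
'''


def compile_db(csv_text):
    """Strip rows to (start, end) per country, then sort and merge the ranges."""
    by_cc = defaultdict(list)
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5:
            continue  # skip blank or malformed lines
        by_cc[row[4]].append((int(row[2]), int(row[3])))
    db = {}
    for cc, ranges in by_cc.items():
        merged = []
        for start, end in sorted(ranges):
            if merged and start <= merged[-1][1] + 1:
                # Overlapping or adjacent: extend the previous range.
                merged[-1][1] = max(merged[-1][1], end)
            else:
                merged.append([start, end])
        # Parallel sorted arrays allow a binary search on range starts.
        db[cc] = ([s for s, _ in merged], [e for _, e in merged])
    return db


def in_country(db, cc, ip):
    """Return True if ip lies in one of cc's ranges (O(log n) per lookup)."""
    starts, ends = db.get(cc, ([], []))
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right(starts, n) - 1
    return i >= 0 and n <= ends[i]


if __name__ == "__main__":
    db = compile_db(SAMPLE_CSV)
    print(db["CA"], in_country(db, "CA", "192.0.2.200"))
```
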

2.2 applying patch-o-matic

Just like other "official" patches, geoip is part of patch-o-matic-ng. As a new match, we've put it into Testing state and Extra repository, so start 'runme' accordingly.

#> tar xfz patch-o-matic-ng-XXXXXX.tar.gz
#> cd patch-o-matic-ng
#> ./runme --download
#> IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip

Do not forget to:

o recompile iptables;

o enable geoip in your kernel config;

o recompile your kernel or compile geoip as a module;

o boot the new kernel or modprobe xt_geoip.

NOTE: If you had to change the database path in libxt_geoip.c, you MUST do it before compiling.

3. Examples

If you want to block all Anonymous Proxies and Satellite Providers, you can enter something like this (I assume that your Linux box acts as a router; otherwise use `-A INPUT' instead):

#> iptables -A FORWARD -m geoip --src-cc A1,A2 -j DROP

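If you only plan to accept connections from your country, drop everything that does not come from it (CA in this example). Since the policy is DROP, traffic from CA still has to be accepted by later rules.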

#> iptables -P INPUT DROP
#> iptables -A INPUT -m geoip ! --src-cc CA -j DROP


Some people like to know which countries are hitting obscure or well-known security-risk ports.

Create a dedicated custom accounting chain

#> iptables -N SSH_GEOIP

Feed that chain with your targeted countries (the ones below are examples only). These rules have no target, so they only update their packet and byte counters.

#> iptables -A SSH_GEOIP -m geoip --src-cc CA
#> iptables -A SSH_GEOIP -m geoip --src-cc DE
#> iptables -A SSH_GEOIP -m geoip --src-cc US
#> iptables -A SSH_GEOIP -m geoip --src-cc JP
#> iptables -A SSH_GEOIP -m geoip --src-cc FR


The sixth rule will match all other countries

#> iptables -A SSH_GEOIP -m geoip ! --src-cc CA,DE,US,JP,FR

Then call the chain for a specific situation

#> iptables -A INPUT -p tcp --dport 22 -j SSH_GEOIP

4. Motivation

This patch has been provided for fun and as a challenge only. Please do not consider this patch as an anti-spam approach. There are much better uses for this patch than such racist routing.

5. Thanks

Thanks to

Charles Michaud, for giving us the project's idea.
Arthur Ouellet, for giving us ideas and bug reports.
Martin Josefsson, for answering our technical questions.

Tarek W. Said for jiggling his butt when we succeed.
Sean Donner for testing and writing the geoip_update.sh

and all the netfilter core team, you're working like a big mama.