HOWTO: Implement iptables blocking by Country
drewb0y, 12th November 2010, 20:16

This is the method that I used to implement IPtables blocking by country on my server (ISPConfig 3.0.3 - Debian Lenny 5.0.6 Perfect Server)

Credit goes to linus3x for pointing out the link that got me started
http://www.tuxj0b.de/GeoIP_for_iptables_on_Debian_Lenny

I basically followed all the directions there with a few additions for my environment.

First, I needed to add the package xz-utils because the latest xtables-addons package is in xz format.

Edit apt sources
Code:
nano /etc/apt/sources.list
add the line
Code:
deb http://backports.debian.org/debian-backports lenny-backports main
Update the package lists
Code:
apt-get update
Install xz-utils
Code:
aptitude install xz-utils
After this step I went back and removed the previously added line in sources.list just to prevent any future issues.

Next I wanted to update to a later version of iptables and add some other associated tools.

Edit apt sources
Code:
nano /etc/apt/sources.list
add the line
Code:
deb http://ftp.de.debian.org/debian squeeze main
Update the package lists
Code:
apt-get update
Install iptables and addons
Code:
apt-get -t testing install iptables
apt-get -t testing install iptables-dev
apt-get -t testing install xtables-addons-common
After this step I went back and removed the previously added line in sources.list just to prevent any future issues.

From the original instructions, install some other needed packages
Code:
aptitude install pkg-config libtext-csv-xs-perl linux-headers-`uname -r` iptables-dev
Next, create the necessary directories and download the needed GeoIPCountry files.
Code:
mkdir -p /var/geoip/LE /usr/src/GeoIP
wget -O /usr/src/GeoIP/GeoIPCountryCSV.zip http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
wget -O /usr/src/GeoIP/csv2bin-20041103.tar.gz http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
wget -O /usr/src/GeoIP/geoip_src.tar.bz2 http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
wget -O /usr/src/GeoIP/xtables-addons-1.31.tar.xz http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.31/xtables-addons-1.31.tar.xz
Next, extract all the files for install.
Code:
cd /usr/src/GeoIP
tar xf csv2bin-20041103.tar.gz
tar xf geoip_src.tar.bz2 geoip_csv_iv0.pl
unzip GeoIPCountryCSV.zip
xz -d xtables-addons-1.31.tar.xz
tar xf xtables-addons-1.31.tar
Next, configure and make xtables-addons.
Code:
cd xtables-addons-1.31
./configure --with-xtlibdir=/lib/xtables
make
make install
Next, make csv2bin
Code:
cd /usr/src/GeoIP/csv2bin
make
Next, run csv2bin on GeoIPCountryWhois.csv file. (I assume this just makes it a binary file)
Code:
cd /var/geoip
/usr/src/GeoIP/csv2bin/csv2bin /usr/src/GeoIP/GeoIPCountryWhois.csv
Next, run the GeoIP perl script on that file.
Code:
cd /var/geoip/LE
perl /usr/src/GeoIP/geoip_csv_iv0.pl /usr/src/GeoIP/GeoIPCountryWhois.csv
Next, create a symbolic link in /usr/share pointing xt_geoip to /var/geoip
Code:
cd /usr/share
ln -s /var/geoip/ xt_geoip
Finally, add the countries you wish to exclude using the 2 letter codes for that country. List to follow.
In the example below, I am excluding Ukraine, one of my big offenders.

Code:
iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
iptables -A INPUT -j GEOIP_REJECT
To decide which countries you want to exclude, just investigate your mail logs and/or your fail2ban log if you implemented the fail2ban postfix logging as in
http://www.howtoforge.com/forums/showthread.php?t=28781
(Thanks to edge for pointing that one out to me)

If you find later that you have blocked a country that your users need to send/receive mail from, you can add it back as below. Keep an eye on your mail queues, people.
If you add it back quickly enough, no one will know there was ever a block. Personally I prefer to just block and then remove it if it causes a problem. If you actually ask the users they will say they need to receive or send mail from everywhere, all the time. ; >

In my case, I noticed that I had some outgoing messages to Taiwan that were held in queue. So I want to unblock TAIWAN. The -D is for delete.

Code:
iptables -D GEOIP_REJECT -m geoip --src-cc TW -j REJECT
# the INPUT jump to GEOIP_REJECT added earlier is still in place; appending it again would only create a duplicate rule
You can verify your blocks afterwards by using
Code:
iptables -L
For a list of commands, you can type
Code:
iptables -m geoip --help
I used http://www.infosniper.net/index.php to find out where the IP addresses were located and went from there.
I have already added 28 countries to be blocked entirely. My incoming mail traffic due to spam has been reduced significantly and the results were instantly visible.
If I did a tail -f of the mail log before implementation, it was almost too fast to even read; now it is at a much more reasonable pace.
I will see what the actual number reduction is after a couple of days.
Also the zip file containing the list of countries and IP ranges gets updated on a monthly basis. More info can be found at:
http://www.maxmind.com/app/geolitecountry

Here are the country codes.
Code:
   74 ranges for A1 Anonymous Proxy
 2054 ranges for A2 Satellite Provider
   14 ranges for AD Andorra
  297 ranges for AE United Arab Emirates
  156 ranges for AF Afghanistan
  117 ranges for AG Antigua and Barbuda
   16 ranges for AI Anguilla
   53 ranges for AL Albania
   71 ranges for AM Armenia
   72 ranges for AN Netherlands Antilles
  108 ranges for AO Angola
  289 ranges for AP Asia/Pacific Region
   24 ranges for AQ Antarctica
  678 ranges for AR Argentina
   33 ranges for AS American Samoa
 1649 ranges for AT Austria
 2620 ranges for AU Australia
   30 ranges for AW Aruba
  124 ranges for AX Aland Islands
   46 ranges for AZ Azerbaijan
  106 ranges for BA Bosnia and Herzegovina
   65 ranges for BB Barbados
  307 ranges for BD Bangladesh
 2740 ranges for BE Belgium
   22 ranges for BF Burkina Faso
  486 ranges for BG Bulgaria
   73 ranges for BH Bahrain
   14 ranges for BI Burundi
   32 ranges for BJ Benin
   72 ranges for BM Bermuda
   15 ranges for BN Brunei Darussalam
   73 ranges for BO Bolivia
  480 ranges for BR Brazil
   42 ranges for BS Bahamas
    6 ranges for BT Bhutan
   15 ranges for BV Bouvet Island
   26 ranges for BW Botswana
   76 ranges for BY Belarus
   89 ranges for BZ Belize
 7267 ranges for CA Canada
  104 ranges for CD Congo, The Democratic Republic of the
   10 ranges for CF Central African Republic
   24 ranges for CG Congo
 2473 ranges for CH Switzerland
   46 ranges for CI Cote D'Ivoire
    4 ranges for CK Cook Islands
  396 ranges for CL Chile
   61 ranges for CM Cameroon
  998 ranges for CN China
  480 ranges for CO Colombia
  138 ranges for CR Costa Rica
   16 ranges for CU Cuba
    6 ranges for CV Cape Verde
  381 ranges for CY Cyprus
  864 ranges for CZ Czech Republic
12102 ranges for DE Germany
    8 ranges for DJ Djibouti
 1120 ranges for DK Denmark
   19 ranges for DM Dominica
   81 ranges for DO Dominican Republic
   61 ranges for DZ Algeria
  198 ranges for EC Ecuador
  191 ranges for EE Estonia
  233 ranges for EG Egypt
   10 ranges for ER Eritrea
 2641 ranges for ES Spain
   12 ranges for ET Ethiopia
 3236 ranges for EU Europe
  935 ranges for FI Finland
   19 ranges for FJ Fiji
    4 ranges for FK Falkland Islands (Malvinas)
    6 ranges for FM Micronesia, Federated States of
    9 ranges for FO Faroe Islands
 6214 ranges for FR France
   41 ranges for GA Gabon
13028 ranges for GB United Kingdom
   28 ranges for GD Grenada
  100 ranges for GE Georgia
    2 ranges for GF French Guiana
   86 ranges for GG Guernsey
  144 ranges for GH Ghana
   53 ranges for GI Gibraltar
    3 ranges for GL Greenland
    8 ranges for GM Gambia
   37 ranges for GN Guinea
   18 ranges for GP Guadeloupe
   12 ranges for GQ Equatorial Guinea
  673 ranges for GR Greece
   91 ranges for GT Guatemala
   39 ranges for GU Guam
    5 ranges for GW Guinea-Bissau
   11 ranges for GY Guyana
 1084 ranges for HK Hong Kong
   94 ranges for HN Honduras
  148 ranges for HR Croatia
   29 ranges for HT Haiti
  531 ranges for HU Hungary
  706 ranges for ID Indonesia
 1039 ranges for IE Ireland
  700 ranges for IL Israel
   94 ranges for IM Isle of Man
 1472 ranges for IN India
    7 ranges for IO British Indian Ocean Territory
  526 ranges for IQ Iraq
  377 ranges for IR Iran, Islamic Republic of
   85 ranges for IS Iceland
 2957 ranges for IT Italy
   80 ranges for JE Jersey
   73 ranges for JM Jamaica
   91 ranges for JO Jordan
 1730 ranges for JP Japan
  151 ranges for KE Kenya
   38 ranges for KG Kyrgyzstan
   67 ranges for KH Cambodia
    2 ranges for KI Kiribati
    5 ranges for KM Comoros
   56 ranges for KN Saint Kitts and Nevis
    5 ranges for KP Korea, Democratic People's Republic of
  622 ranges for KR Korea, Republic of
  160 ranges for KW Kuwait
   30 ranges for KY Cayman Islands
  173 ranges for KZ Kazakhstan
   14 ranges for LA Lao People's Democratic Republic
  220 ranges for LB Lebanon
   22 ranges for LC Saint Lucia
   68 ranges for LI Liechtenstein
   63 ranges for LK Sri Lanka
   56 ranges for LR Liberia
   10 ranges for LS Lesotho
  369 ranges for LT Lithuania
  368 ranges for LU Luxembourg
  284 ranges for LV Latvia
   97 ranges for LY Libyan Arab Jamahiriya
   92 ranges for MA Morocco
   40 ranges for MC Monaco
  121 ranges for MD Moldova, Republic of
   46 ranges for ME Montenegro
    4 ranges for MF Saint Martin
   20 ranges for MG Madagascar
    6 ranges for MH Marshall Islands
   69 ranges for MK Macedonia
   14 ranges for ML Mali
    3 ranges for MM Myanmar
   51 ranges for MN Mongolia
   30 ranges for MO Macau
    5 ranges for MP Northern Mariana Islands
   16 ranges for MQ Martinique
   19 ranges for MR Mauritania
   11 ranges for MS Montserrat
  107 ranges for MT Malta
   46 ranges for MU Mauritius
   17 ranges for MV Maldives
   41 ranges for MW Malawi
  571 ranges for MX Mexico
  478 ranges for MY Malaysia
   45 ranges for MZ Mozambique
  232 ranges for NA Namibia
   27 ranges for NC New Caledonia
   32 ranges for NE Niger
    3 ranges for NF Norfolk Island
  926 ranges for NG Nigeria
   74 ranges for NI Nicaragua
 6252 ranges for NL Netherlands
 1063 ranges for NO Norway
   54 ranges for NP Nepal
    3 ranges for NR Nauru
    1 ranges for NU Niue
  620 ranges for NZ New Zealand
   18 ranges for OM Oman
  173 ranges for PA Panama
  129 ranges for PE Peru
    9 ranges for PF French Polynesia
   21 ranges for PG Papua New Guinea
  441 ranges for PH Philippines
  267 ranges for PK Pakistan
 2532 ranges for PL Poland
    4 ranges for PM Saint Pierre and Miquelon
  842 ranges for PR Puerto Rico
   42 ranges for PS Palestinian Territory, Occupied
  586 ranges for PT Portugal
    4 ranges for PW Palau
   43 ranges for PY Paraguay
   34 ranges for QA Qatar
    7 ranges for RE Reunion
  977 ranges for RO Romania
  259 ranges for RS Serbia
 4061 ranges for RU Russian Federation
   14 ranges for RW Rwanda
  381 ranges for SA Saudi Arabia
    3 ranges for SB Solomon Islands
   36 ranges for SC Seychelles
   46 ranges for SD Sudan
 2106 ranges for SE Sweden
  868 ranges for SG Singapore
  366 ranges for SI Slovenia
  391 ranges for SK Slovakia
   42 ranges for SL Sierra Leone
   14 ranges for SM San Marino
   22 ranges for SN Senegal
   30 ranges for SO Somalia
   19 ranges for SR Suriname
    4 ranges for ST Sao Tome and Principe
   89 ranges for SV El Salvador
   48 ranges for SY Syrian Arab Republic
   22 ranges for SZ Swaziland
   13 ranges for TC Turks and Caicos Islands
   20 ranges for TD Chad
   10 ranges for TG Togo
  362 ranges for TH Thailand
   27 ranges for TJ Tajikistan
   10 ranges for TK Tokelau
    3 ranges for TL Timor-Leste
    6 ranges for TM Turkmenistan
   18 ranges for TN Tunisia
    4 ranges for TO Tonga
  654 ranges for TR Turkey
   34 ranges for TT Trinidad and Tobago
    1 ranges for TV Tuvalu
  465 ranges for TW Taiwan
  131 ranges for TZ Tanzania, United Republic of
 2282 ranges for UA Ukraine
   53 ranges for UG Uganda
   11 ranges for UM United States Minor Outlying Islands
19724 ranges for US United States
   85 ranges for UY Uruguay
   48 ranges for UZ Uzbekistan
    6 ranges for VA Holy See (Vatican City State)
   21 ranges for VC Saint Vincent and the Grenadines
  236 ranges for VE Venezuela
   90 ranges for VG Virgin Islands, British
  134 ranges for VI Virgin Islands, U.S.
  151 ranges for VN Vietnam
    6 ranges for VU Vanuatu
    2 ranges for WF Wallis and Futuna
   24 ranges for WS Samoa
   19 ranges for YE Yemen
    3 ranges for YT Mayotte
  579 ranges for ZA South Africa
   85 ranges for ZM Zambia
   70 ranges for ZW Zimbabwe
Last edited by drewb0y; 13th November 2010 at 13:57. Reason: Additional information
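The post leaves two steps to manual work: finding out which country a log IP belongs to (infosniper) and deciding which codes go into GEOIP_REJECT. The script below is an added example, not code from the original post or from the xtables-addons or MaxMind projects. It parses the GeoIPCountryWhois.csv layout the csv2bin step consumes (the sample rows and log lines here are constructed, not real MaxMind data or real servers), looks up addresses against the range table, counts offenders per country from postfix and fail2ban log lines, and emits the same iptables commands the post uses for a chosen set of codes. The class and function names (GeoTable, offenders_by_country, geoip_rules) are my own.

```python
import bisect
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of MaxMind's GeoIPCountryWhois.csv:
# "start_ip","end_ip","start_int","end_int","cc","country"
# (addresses and country assignments are made up for this example)
SAMPLE_CSV = '''\
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"2.56.0.0","2.63.255.255","37224448","37748735","DE","Germany"
"5.1.0.0","5.1.127.255","83951616","83984383","UA","Ukraine"
"203.64.0.0","203.75.255.255","3409969152","3410755583","TW","Taiwan"
'''

# Constructed postfix / fail2ban log lines (hypothetical hosts and addresses).
SAMPLE_LOG = '''\
Nov 12 19:01:02 mail postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[5.1.3.9]: 554 5.7.1 Service unavailable
Nov 12 19:01:05 mail postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[5.1.77.20]: 554 5.7.1 Service unavailable
Nov 12 19:02:11 mail fail2ban.actions: WARNING [postfix] Ban 1.0.2.200
Nov 12 19:03:40 mail postfix/smtpd[2350]: connect from mx.example.tw[203.70.1.1]
Nov 12 19:04:00 mail postfix/smtpd[2351]: connect from unknown[192.0.2.77]
'''

# First dotted quad on a line; the lookarounds stop "5.7.1" in an SMTP status
# code or a partial octet from being picked up as an address.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


class GeoTable:
    """Sorted IPv4 range table, the same data csv2bin turns into xt_geoip's binary files."""

    def __init__(self, csv_text):
        self.ranges = []  # (start_int, end_int, cc)
        for row in csv.reader(io.StringIO(csv_text)):
            if len(row) != 6:
                raise ValueError(f"unexpected column count in row: {row}")
            start, end, start_int, end_int, cc, _country = row
            start_int, end_int = int(start_int), int(end_int)
            # The integer columns must agree with the dotted quads; a mismatch
            # means a corrupt or reformatted download, not something to build rules from.
            if (int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))) != (start_int, end_int):
                raise ValueError(f"integer columns disagree with addresses: {row}")
            if start_int > end_int:
                raise ValueError(f"range is reversed: {row}")
            self.ranges.append((start_int, end_int, cc.upper()))
        self.ranges.sort()
        self.starts = [r[0] for r in self.ranges]

    def lookup(self, ip):
        """Country code for an IPv4 address, or None if no range covers it."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.ranges[i][0] <= n <= self.ranges[i][1]:
            return self.ranges[i][2]
        return None

    def ranges_per_country(self):
        """Ranges per country code, like the 'N ranges for CC' listing in the post."""
        return Counter(cc for _, _, cc in self.ranges)

    def known_codes(self):
        return {cc for _, _, cc in self.ranges}


def offenders_by_country(table, log_text):
    """Count log lines per source country; lines whose IP is in no range count as '??'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = IPV4_RE.search(line)
        if m is None:
            continue
        counts[table.lookup(m.group(1)) or "??"] += 1
    return counts


def geoip_rules(table, codes, chain="GEOIP_REJECT"):
    """Return the iptables commands from the post for a set of codes: one chain,
    one REJECT per country, one jump from INPUT. Codes absent from the table are
    refused instead of silently producing a rule that matches nothing."""
    unknown = set(codes) - table.known_codes()
    if unknown:
        raise ValueError(f"codes not present in the GeoIP table: {sorted(unknown)}")
    cmds = [f"iptables -N {chain}"]
    cmds += [f"iptables -A {chain} -m geoip --src-cc {cc} -j REJECT" for cc in sorted(set(codes))]
    cmds.append(f"iptables -A INPUT -j {chain}")
    return cmds


if __name__ == "__main__":
    table = GeoTable(SAMPLE_CSV)
    for cc, n in sorted(table.ranges_per_country().items()):
        print(f"{n:5d} ranges for {cc}")
    print(offenders_by_country(table, SAMPLE_LOG).most_common())
    print("\n".join(geoip_rules(table, ["UA"])))
```

On the sample data the offender count comes out as UA 2, CN 1, TW 1 and one address in the "??" bucket; that bucket is worth watching, because an address no range covers is never touched by a country block. One caveat on the generated commands: `-A INPUT -j GEOIP_REJECT` appends the jump at the end of INPUT, so if an earlier INPUT rule already accepts port 25 the chain never sees that traffic. `iptables -L INPUT --line-numbers` shows where the jump landed.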