Xtables-Addons On Centos 6 & Iptables GeoIP Filtering

Submitted by TiTex on Thu, 2011-08-18 12:01. :: CentOS | Security


This tutorial will explain how to install additional kernel modules (netfilter modules) for use in iptables rule sets. Xtables-addons is the successor to patch-o-matic(-ng). Like its predecessor, it contains extensions that were not, or are not yet, accepted into the main kernel/iptables packages. Xtables-addons differs from patch-o-matic in that you do not have to patch or recompile the kernel.

A list of all available modules and their usage can be found on the Xtables-addons modules page and in the Xtables-addons man page (see the Links section at the end).

 

1 Preliminary Note

Before we start, make sure that SELinux is disabled. Run

system-config-securitylevel

or edit /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

to disable SELinux, and ...

echo 0 > /selinux/enforce

... for the change to take effect.

 

2 Supported Configurations

* iptables >= 1.4.3

* kernel-source >= 2.6.29

For ipset-6 you need:

* libmnl

* Linux kernel >= 2.6.35

 

3 Installing Packages

Note: you'll need the kernel-devel package for exactly the kernel version you are currently running!

uname -r

2.6.32-71.el6.i686

yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel

In this case the package to install is kernel-devel-2.6.32-71.el6.i686.

Install the rpmforge repository, which provides the perl-Text-CSV_XS package needed by the geoip build script:

rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

yum install perl-Text-CSV_XS

 

4 Compile xtables-addons

Get xtables-addons source and unarchive it:

wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.37/xtables-addons-1.37.tar.xz

tar xvf xtables-addons-1.37.tar.xz

Compile modules:

cd xtables-addons-1.37/

Note: You can edit the "mconfig" file to select what modules to build and install. By default, all modules are enabled.

./configure

make && make install

 

5 Setting Up geoip Module

Create the GeoIP database used by the iptables geoip match:

cd geoip/

Using the scripts from the geoip folder, download the MaxMind GeoIP Country database and build it into the binary format the xt_geoip module reads:

./xt_geoip_dl

./xt_geoip_build GeoIPCountryWhois.csv

Copy the generated big-endian (BE) and little-endian (LE) database directories to their default location:

mkdir -p /usr/share/xt_geoip/

cp -r {BE,LE} /usr/share/xt_geoip/

Test it like this:

iptables -I INPUT -m geoip --src-cc CN -j DROP

This will drop all incoming packets whose source address is geolocated to China (country code CN).
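A more defensive variant of the test rule above, as an added example that is not part of the original tutorial: it keeps country blocks in a dedicated chain, checks that the database built in step 5 actually exists for each country code before adding a rule, and logs (rate-limited) before dropping. It assumes the database lives under /usr/share/xt_geoip as in the tutorial; the XT_GEOIP_DIR and DRY_RUN variables and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build a dedicated GEOIP chain
# that logs (rate-limited) and drops new connections by source country, after
# checking that the xt_geoip database for each code exists.
# Assumes the database is under /usr/share/xt_geoip (override with XT_GEOIP_DIR);
# DRY_RUN=1 prints the iptables commands instead of running them.
XT_GEOIP_DIR="${XT_GEOIP_DIR:-/usr/share/xt_geoip}"
DRY_RUN="${DRY_RUN:-0}"

# Run an iptables command, or only print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# An ISO 3166-1 alpha-2 country code is exactly two upper-case letters.
valid_cc() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
        *) return 1 ;;
    esac
}

# xt_geoip_build writes one <CC>.iv4 file per country into LE/ and BE/;
# the geoip match cannot be loaded if the file for this host is missing.
has_db() {
    [ -f "$XT_GEOIP_DIR/LE/$1.iv4" ] || [ -f "$XT_GEOIP_DIR/BE/$1.iv4" ]
}

# Rebuild the GEOIP chain for the given country codes. Invalid codes and codes
# without a database are skipped and reported; returns 1 if any were skipped.
geoip_block() {
    rc=0
    ipt -N GEOIP 2>/dev/null || true   # chain already exists on a re-run
    ipt -F GEOIP
    for cc in "$@"; do
        if ! valid_cc "$cc"; then
            echo "skipping invalid country code: $cc" >&2; rc=1; continue
        fi
        if ! has_db "$cc"; then
            echo "no xt_geoip database for $cc under $XT_GEOIP_DIR" >&2; rc=1; continue
        fi
        # Log at most 5 hits a minute so a scan cannot flood syslog, then drop.
        ipt -A GEOIP -m geoip --src-cc "$cc" -m limit --limit 5/min \
            -j LOG --log-prefix "GEOIP-DROP $cc: "
        ipt -A GEOIP -m geoip --src-cc "$cc" -j DROP
    done
    # Only new connections are checked; remove an old jump so re-runs do not stack.
    ipt -D INPUT -m state --state NEW -j GEOIP 2>/dev/null || true
    ipt -I INPUT -m state --state NEW -j GEOIP
    return $rc
}
```

Run it as `DRY_RUN=1 sh geoip_block.sh` (after adding a call such as `geoip_block CN KR`) to review the generated rules before applying them for real.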

 

6 Links

Xtables-addons: http://xtables-addons.sourceforge.net/

Xtables-addons modules: http://xtables-addons.sourceforge.net/modules.php

Xtables-addons man page: http://dev.medozas.de/files/xtables/xtables-addons.8.html

MaxMind GeoIP: http://geolite.maxmind.com/download/geoip/database

CentOS: http://www.centos.org/


Submitted by Will not working (not registered) on Wed, 2013-02-20 14:22.

I get many errors on this and found nothing to make it right.

 


# make
make  all-recursive
make[1]: Entering directory `/root/xtables-addons-2.1'
Making all in extensions
make[2]: Entering directory `/root/xtables-addons-2.1/extensions'
Xtables-addons 2.1 - Linux 2.6.32-279.14.1.el6.x86_64
if [ -n "/lib/modules/2.6.32-279.14.1.el6.x86_64/build" ]; then make -C /lib/modules/2.6.32-279.14.1.el6.x86_64/build M=/root/xtables-addons-2.1/extensions modules; fi;
make[3]: Entering directory `/usr/src/kernels/2.6.32-279.14.1.el6.x86_64'
  CC [M]  /root/xtables-addons-2.1/extensions/compat_xtables.o
/root/xtables-addons-2.1/extensions/compat_xtables.c:24:26: error: linux/export.h: No such file or directory
In file included from /root/xtables-addons-2.1/extensions/compat_xtables.c:26:
/root/xtables-addons-2.1/extensions/compat_xtnu.h:21: warning: ‘struct xt_action_param’ declared inside parameter list
/root/xtables-addons-2.1/extensions/compat_xtnu.h:21: warning: its scope is only this definition or declaration, which is probably not what you want
/root/xtables-addons-2.1/extensions/compat_xtnu.h:36: warning: ‘struct xt_action_param’ declared inside parameter list
/root/xtables-addons-2.1/extensions/compat_xtables.c:32: warning: ‘struct xt_action_param’ declared inside parameter list
/root/xtables-addons-2.1/extensions/compat_xtables.c: In function ‘xtnu_target_run’:
/root/xtables-addons-2.1/extensions/compat_xtables.c:34: error: dereferencing pointer to incomplete type
/root/xtables-addons-2.1/extensions/compat_xtables.c:36: warning: passing argument 2 of ‘nt->target’ from incompatible pointer type
/root/xtables-addons-2.1/extensions/compat_xtables.c:36: note: expected ‘const struct xt_action_param *’ but argument is of type ‘const struct xt_action_param *’
/root/xtables-addons-2.1/extensions/compat_xtables.c: In function ‘xtnu_register_target’:
/root/xtables-addons-2.1/extensions/compat_xtables.c:60: warning: assignment from incompatible pointer type
/root/xtables-addons-2.1/extensions/compat_xtables.c:61: warning: assignment from incompatible pointer type
make[4]: *** [/root/xtables-addons-2.1/extensions/compat_xtables.o] Error 1
make[3]: *** [_module_/root/xtables-addons-2.1/extensions] Error 2
make[3]: Leaving directory `/usr/src/kernels/2.6.32-279.14.1.el6.x86_64'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/root/xtables-addons-2.1/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/xtables-addons-2.1'
make: *** [all] Error 2
 

Submitted by Anonymous (not registered) on Tue, 2013-02-26 00:35.
Use 1.47 for that kernel version. 
Submitted by Anonymous (not registered) on Mon, 2013-03-11 14:19.

Thank you ;)

Now it works fine ;)

Submitted by gadelkareem (not registered) on Wed, 2012-03-14 17:38.

You can also use a list of IPs in a file to block them through Iptables

Using iptables to block ips that spam or attack your server

Submitted by Ankush Grover (not registered) on Mon, 2011-10-31 11:08.
If somehow the "make" fails on Centos 6 with the latest version of xtables-addons(1.3.9) then please disable "build_ipset6=m " in mconfig file. Regards Ankush
Submitted by Anonymous (not registered) on Tue, 2011-08-23 15:33.

Thanks for writing this article.  The information you have provided here will definitely help protect my email server from the Chinese/Korean/Russian spammers.  Defense in depth is always a good thing.

I do have to agree with the previous poster's comment re: SELinux.  It performs an important function and in my opinion should not be disabled.  Usually people disable it because they don't understand it, and until I took some time to learn it, I was one of those folks, too.  Now that I've learned the basics of it, I always leave it on and make an exception--if I need to--for the specific service that's affected by it.  Or, even better, I'll just change the security context of the applicable file/object.  SETroubleshoot is very helpful in these cases to track down what needs to be tweaked.

One other thing.  For those who prefer not to install the RPMForge repository, you can get the same module directly from CPAN.  It's the "Text::CSV_XS" module.  This should work on any GNU/Linux distro.

Submitted by TiTex (registered user) on Tue, 2011-08-23 09:16.
By the way, the MaxMind GeoIP database is updated at the beginning of every month, so you should rebuild the database on your box once in a while as well.
Submitted by Pieter (not registered) on Mon, 2011-08-22 19:22.
I do not understand why HowToForge keeps giving users BAD advice to turn off SELinux. You really should stop doing that. SELinux is a tremendously good help to keep your server secure. And if some apps do not work with SELinux then those apps should ship with a proper SELinux policy. Turning off SELinux is NOT the solution and BAD advice.
Submitted by TiTex (registered user) on Tue, 2011-08-23 09:13.

I agree, but most people don't know how to work with SELinux permissions, so that was the easy way to get around it.

And here is the not so hard way to load the modules with SELinux enabled and enforcing: you have to change the security context permissions of the modules

chcon -vR --user=system_u /lib/modules/*/extra/*.ko

and

chcon -vR --type=lib_t /lib/xtables/*.so

Submitted by Anonymous (not registered) on Mon, 2011-09-26 12:41.