

GeoIP for use with iptables (Debian 8 Jessie)

install necessary software

apt-get install libtext-csv-xs-perl xtables-addons-common

create a weekly cron job

cat /etc/cron.weekly/maxmind

#!/bin/sh
# Weekly refresh of the xt_geoip country database from the MaxMind GeoLite legacy CSV files.
# Abort on the first failing command so a failed download never feeds an empty CSV into the build.
set -e
GEOIP_MIRROR="http://geolite.maxmind.com/download/geoip/database"
TMPDIR=$(mktemp -d /tmp/geoipupdate.XXXXXXXXXX)
# remove the temporary directory on exit, whether the build succeeded or not
trap 'rm -rf "${TMPDIR}"' EXIT
wget --no-verbose -t 3 -T 60 "${GEOIP_MIRROR}/GeoIPv6.csv.gz" -O "${TMPDIR}/GeoIPv6.csv.gz"
wget --no-verbose -t 3 -T 60 "${GEOIP_MIRROR}/GeoIPCountryCSV.zip" -O "${TMPDIR}/GeoIPCountryCSV.zip"
gunzip -fdc "${TMPDIR}/GeoIPv6.csv.gz" > "${TMPDIR}/GeoIPv6.csv"
unzip -o -d "${TMPDIR}" "${TMPDIR}/GeoIPCountryCSV.zip"
mkdir -p /usr/share/xt_geoip
# build the binary lookup files used by the iptables geoip match
# (location of the script in the upstream source tree, kept for reference)
#perl /usr/share/doc/xtables-addons-2.3/geoip/xt_geoip_build -D /usr/share/xt_geoip ${TMPDIR}/GeoIP*.csv
# (location of the script in the Debian package)
perl /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip "${TMPDIR}"/GeoIP*.csv

make it executable

chmod +x /etc/cron.weekly/maxmind

insert geoip rules into the iptables ruleset (here: accept new SSH connections only from Swiss source addresses)

iptables -A INPUT -m state --state NEW -m geoip --src-cc CH -m tcp -p tcp --dport 22 -j ACCEPT

log anything else (new SSH connections from all other countries)

iptables -A INPUT -p tcp -m state --state NEW -m geoip ! --source-country CH -m tcp --dport 22 -j LOG --log-prefix "iptables geoip denied: " --log-level 7
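The LOG target only records a match and does not refuse anything, so a DROP rule for the same traffic has to follow it; what it records lands in the kernel log under the prefix above. The following added example (not the page's own code) summarises such log lines by source address and destination port, using constructed sample entries in the format the LOG target writes.

```shell
#!/bin/sh
# Added example, not part of the original page: count hits of the LOG rule
# with prefix "iptables geoip denied: " per source address and destination port.
# Reads log lines on stdin and prints "<count> <src> <dpt>", most frequent first.
geoip_denied_summary() {
    grep 'iptables geoip denied: ' \
    | awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "") print src, dpt;
      }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2, $3 }'
}

# Constructed sample lines (documentation address ranges, not real hosts);
# the third line has no prefix and must be ignored.
SAMPLE_LOG='Mar  8 14:28:01 gw kernel: [  120.1] iptables geoip denied: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  8 14:28:02 gw kernel: [  121.1] iptables geoip denied: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  8 14:28:03 gw sshd[123]: unrelated line without the prefix SRC=192.0.2.9
Mar  8 14:28:04 gw kernel: [  123.1] iptables geoip denied: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.44 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# On a live system: geoip_denied_summary < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | geoip_denied_summary
```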
geoip_iptables_blocking.1457447300.txt.gz · Last modified: 2016/03/08 14:28 by admin