
Linux GeoIP Firewall via iptables (using ipset)

By Dale Reagan | September 24, 2011

In a previous post, using GeoIP data with xtables-addons was discussed.

CAVEAT – GeoIP data changes constantly; if you implement such a solution, make sure that you also add some sort of automatic data-update process. Also, GeoIP filtering provides no guarantee that a system from ‘filtered IP space’ cannot reach your resource via some allowed IP space…

There is another solution for GeoIP firewall filtering with Linux: using iptables and ‘ipset’, a tool for creating custom IP-related sets (where using GeoIP data sets is one possible application).

Quick man-page tool summaries:

Contrasting using ipset for GeoIP filtering with the xtables-addons geoip filter

xtables-addons simple overview:

  1. download RAW GeoIP data (i.e. free data from MaxMind.Com)
  2. create new GeoIP chains and/or directly add rules
  3. with chains, add rules to desired filters
  4. maintain/update the raw GeoIP data used to create the packed lookup tables required for xtables-addons
  5. install/update xtables-addons chains/rules as needed

From a user perspective using ipset may be more involved and requires:

  1. download IP data sets designed for GeoIP CIDR-type use (third-party generated, most likely from the same or a similar data set as used for xtables-addons – see links below). You could also generate your own IP ranges from the raw data.
  2. using ipset create custom IP-data-table GeoIP ‘sets’ using IP ranges or IP addresses
  3. install iptables rules/filters to use the ipset tables
  4. maintain/update the raw IP data used to create your custom GeoIP tables
  5. install/update ipset tables as needed

Steps 1-5 are pretty much the same – now what?

If you are using chains (essentially, a custom list that you want to match network traffic against) then the steps are similar. (Note that these are relatively simple examples – a complete solution would involve managing the filters/rules/tables to avoid duplication, i.e. removing/updating related rule components. As with databases, it may be much more efficient/faster to simply drop entire rules/sets/tables and then re-create them in updated form…)

Using iptables and xtables-addons – a simple example using ‘A1,CN,TR,TH’ as countries to ‘drop’

### create a new chain called 'GEO-SCRUB'
iptables -N GEO-SCRUB
### now we use '-A' to APPEND rules to the chain GEO-SCRUB
iptables -A GEO-SCRUB -m geoip --src-cc A1,CN,TR,TH -j DROP
### attach the above chain to INPUT & FORWARD
### in this case, insert (-I) as the first rule (use -A to append instead)
iptables -I INPUT -j GEO-SCRUB
iptables -I FORWARD -j GEO-SCRUB

Using iptables and ipset – a simple example using ‘A1,CN,TR,TH’ as countries to ‘drop’

  1. Hmm, first off, there is no ‘A1’ (open proxy list) in the ‘Zone Set’ that I downloaded.
  2. Next, for each country a separate set of table entries is needed.
  3. For the three example countries we will wind up with ~4278 table entries, i.e.:
 4278 total

Automating the table creation is reasonably simple: you create your custom table, add IP ranges to the table, and then create an iptables rule that uses the new table. [The example below assumes that the needed ‘zone’ files are in your current folder and that the data in the files is in the appropriate format, one CIDR block per line…]

### create the set (nethash = one entry per network/CIDR block)
ipset -N GEO-SCRUB nethash
### load every CIDR block from the zone files into the set
### (cn.zone tr.zone th.zone are placeholders for the zone files you downloaded)
for IP in $(cat cn.zone tr.zone th.zone); do ipset -A GEO-SCRUB ${IP}; done
### drop incoming packets whose source address is in the set
iptables -I INPUT -m set --match-set GEO-SCRUB src -j DROP

Since the maximum table size for ipset is ~65Kb, you may need to create multiple GEO-SCRUB tables and then use one very long rule or multiple rules to implement your filter, i.e. GEO-SCRUB01, GEO-SCRUB02, …
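The loop above is fine for one small set, but splitting thousands of entries across GEO-SCRUB01, GEO-SCRUB02, … by hand gets tedious, and re-running `ipset -A` for every entry on each data refresh is slow. The script below is an added example (not code from the original post): it reads CIDR zone data on stdin and prints `ipset restore` input that chunks the entries across numbered sets, plus one iptables rule per set. The set prefix, the per-set limit, the `hash:net` type name (the ipset 6 spelling of `nethash`) and the sample zone data are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: chunk CIDR zone data across several ipset sets and
# generate the matching iptables rules. Nothing here touches the
# firewall; the output is meant to be piped into `ipset restore`.

# Constructed sample zone data (NOT real GeoIP data): one CIDR per
# line, plus a comment line that must be ignored.
SAMPLE_ZONE='# constructed sample, not a real zone file
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.1.0.0/24'

# Read CIDRs on stdin and print `ipset restore` commands.
#   $1 = set name prefix (e.g. GEO-SCRUB), $2 = max entries per set
# A new set <prefix>NN is started every $2 entries; -exist makes the
# output safe to re-apply when refreshing the data.
gen_geo_sets() {
    awk -v p="$1" -v n="$2" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            if (count % n == 0) {
                setname = sprintf("%s%02d", p, count / n + 1)
                printf "create %s hash:net -exist\n", setname
            }
            printf "add %s %s -exist\n", setname, $0
            count++
        }'
}

# Print one iptables rule per generated set so every set is consulted.
#   $1 = prefix, $2 = number of sets, $3 = chain (INPUT or FORWARD)
gen_geo_rules() {
    i=1
    while [ "$i" -le "$2" ]; do
        printf 'iptables -I %s -m set --match-set %s%02d src -j DROP\n' "$3" "$1" "$i"
        i=$((i + 1))
    done
}

# Count how many sets a restore script creates (used to size the rules).
count_sets() {
    grep -c '^create '
}

main() {
    # A per-set limit of 3 is used only to show the chunking on 5 entries.
    restore=$(printf '%s\n' "$SAMPLE_ZONE" | gen_geo_sets GEO-SCRUB 3)
    nsets=$(printf '%s\n' "$restore" | count_sets)
    printf '%s\n' "$restore"
    gen_geo_rules GEO-SCRUB "$nsets" INPUT
    # Real use (zone file names are placeholders):
    #   cat cn.zone tr.zone th.zone | gen_geo_sets GEO-SCRUB 65536 | ipset restore
}

main
```

Because every `create`/`add` line carries `-exist`, the same restore input can be re-applied after a data update without first destroying the sets; entries that disappeared from the zone data, however, are not removed, which is the case where dropping and re-creating the sets (as discussed above) is simpler.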

Where can you find GeoIP ‘zone files’ for use with Linux firewalls?

At this point I think that it’s reasonably clear that, at least for GeoIP filtering, using the geoip option of xtables-addons may be a simpler approach than using ipset. So, how else might you make use of ipset?

What about non-GeoIP-centric IP space (i.e. private networks?)

In a previous, related post, Bogons, Martians and other private IP space were discussed – yep, we all encounter them somewhere… Since this is a relatively small ‘IP set’ it makes for a nice example. Note that ‘eth3’ is the network interface connected to ‘the world’, where Bogons, Martians, etc. should never be seen (is your network ‘leaking’ such packets?). Note that two rules are needed per chain, to block incoming (‘src’) packets and outgoing (‘dst’) packets. Also note that if you applied these rules without specifying the interface then you would most likely block ALL TRAFFIC on your PRIVATE IP SPACE, INTERNAL NETWORK…

ipset -N BOGONS nethash
ipset --add BOGONS 0.0.0.0/8         # self-identification [RFC5735]
ipset --add BOGONS 10.0.0.0/8        # Private-Use Networks [RFC1918]
ipset --add BOGONS 169.254.0.0/16    # Link Local [RFC5735]
ipset --add BOGONS 172.16.0.0/12     # Private-Use Networks [RFC1918]
ipset --add BOGONS 192.0.0.0/24      # IANA IPv4 Special Purpose Address Registry [RFC5736]
ipset --add BOGONS 192.0.2.0/24      # TEST-NET-1 [RFC5737]
ipset --add BOGONS 192.168.0.0/16    # Private-Use Networks [RFC1918]
ipset --add BOGONS 192.88.99.0/24    # 6to4 Relay Anycast [RFC3068]
ipset --add BOGONS 198.18.0.0/15     # Network Interconnect Device Benchmark Testing [RFC5735]
ipset --add BOGONS 198.51.100.0/24   # TEST-NET-2 [RFC5737]
ipset --add BOGONS 203.0.113.0/24    # TEST-NET-3 [RFC5737]
### only on the external interface (eth3): src blocks inbound, dst blocks outbound
iptables -A FORWARD -i eth3 -m set --match-set BOGONS src -j DROP
iptables -A FORWARD -i eth3 -m set --match-set BOGONS dst -j DROP
iptables -A INPUT -i eth3 -m set --match-set BOGONS src -j DROP
iptables -A INPUT -i eth3 -m set --match-set BOGONS dst -j DROP
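To see why the `-i eth3` qualifier matters before the rules are live, it helps to check a few addresses against the same ranges without involving ipset at all. The script below is an added example (not code from the original post): a plain POSIX sh CIDR matcher over the RFC ranges listed above, applied to a LAN address, a link-local address and a public address. The `BOGONS` variable, the function names and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: test addresses against the private/special-purpose
# ranges above, to show which of your own hosts the BOGONS set covers.
# Runs without ipset, so it is safe to try before changing the firewall.

# The ranges from the RFCs cited above (RFC1918, RFC5735, RFC5736,
# RFC5737, RFC3068), one CIDR per word.
BOGONS='0.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24
192.0.2.0/24 192.168.0.0/16 192.88.99.0/24 198.18.0.0/15 198.51.100.0/24
203.0.113.0/24'

# Dotted quad -> 32-bit integer (subshell so the IFS change stays local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_match ADDRESS NETWORK/BITS: succeed if ADDRESS lies in the block.
cidr_match() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_bogon ADDRESS: succeed if any BOGONS entry contains ADDRESS.
is_bogon() {
    for net in $BOGONS; do
        cidr_match "$1" "$net" && return 0
    done
    return 1
}

main() {
    # Constructed sample addresses: a LAN host, a link-local host, a public host.
    for ip in 192.168.1.10 169.254.10.1 8.8.8.8; do
        if is_bogon "$ip"; then
            echo "$ip: in BOGONS -- a rule without '-i eth3' would drop it on the LAN too"
        else
            echo "$ip: not in BOGONS"
        fi
    done
}

main
```

The first two addresses match, which is exactly the point of restricting the rules to eth3: those ranges are legitimate on the inside of the firewall and only anomalous when they arrive from, or are headed to, the outside.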

After creating an IP set you can, of course, modify it (try ‘ipset -H’ to see the command options). After creating this set, the ‘listing’ is:

ipset -L BOGONS

Type: nethash
References: 0
Header: hashsize: 1024 probes: 4 resize: 50

As with all such network modifications, testing is advised (in this case, working from the console is probably best, since you could ‘lock’ yourself out of the system – voice of experience…) 🙂

Topics: Computer Technology, System and Network Security, Unix-Linux-Os
