
Linux iptables xtables-addons GeoIP examples

By Dale Reagan | September 19, 2011

Some simple examples using xtables-addons GeoIP rules. See other firewall-related posts for iptables background information and additional examples using custom chains with iptables. The examples below require that iptables and xtables-addons be installed, and you must generate the ‘packed’ lookup tables from the GeoIP data sets. These rules were tested using Fedora 13 (Red Hat Linux) with xtables-addons and the appropriate GeoIP data sets – you may need additional steps or alternate approaches with other Unix/Linux versions…

Block a single country (just drop the packets)

iptables -I INPUT -m geoip --src-cc CN -j DROP

Only allow a single country or GeoIP location (drop everything else) using ‘negation’ **

iptables -I INPUT -m geoip ! --src-cc US -j DROP

Block multiple countries with a single rule

iptables -I INPUT -m geoip --src-cc CN,KR,UA,RU -j DROP

Log & drop connections from a single country (a trailing ‘\’ continues the command on the next line)

# -I inserts at the top of INPUT, so the DROP rule goes in first and the LOG
# rule is inserted above it afterwards; inserted the other way round the DROP
# would sit above the LOG rule and nothing would ever be logged.
iptables -I INPUT -m geoip --src-cc CN -j DROP
iptables -I INPUT -m geoip --src-cc CN -m limit \
 --limit 5/minute -j LOG --log-level 7 \
 --log-prefix 'GeoIP FW Ban CN: '

Log & drop packets from multiple countries

# same ordering rule as above: insert the DROP first, then the LOG rule above it
iptables -I INPUT -m geoip --src-cc CN,KR,UA,RU -j DROP
iptables -I INPUT -m geoip --src-cc CN,KR,UA,RU \
 -m limit --limit 5/minute -j LOG --log-level 7 \
 --log-prefix 'GeoIP FW Ban: '

Log & drop connections from a single country using a custom CHAIN

# -A appends, so the LOG rule is evaluated before the DROP that follows it
iptables -A GEO-SCRUB -m geoip --src-cc CN -m limit \
 --limit 5/minute -j LOG --log-level 7 \
 --log-prefix 'GeoIP FW Ban CN: '
iptables -A GEO-SCRUB -m geoip --src-cc CN -j DROP

Log & drop packets from multiple countries using a custom CHAIN

iptables -A GEO-SCRUB -m geoip --src-cc CN,KR,UA,RU \
 -m limit --limit 5/minute -j LOG --log-level 7 \
 --log-prefix 'GeoIP FW Ban: '
iptables -A GEO-SCRUB -m geoip --src-cc CN,KR,UA,RU -j DROP

The disadvantages that I see for using one rule to block multiple countries are:

Another approach is to log each drop-listed GeoIP location with its own rule (and its own log prefix, so the country shows up in the log line) and then drop the whole list with a single rule, i.e.

iptables -A GEO-SCRUB -m geoip --src-cc CN -m limit \
 --limit 5/minute -j LOG --log-level 7 \
 --log-prefix 'GeoIP FW Ban CN: '
iptables -A GEO-SCRUB -m geoip --src-cc KR -m limit \
 --limit 5/minute -j LOG --log-level 7 \
 --log-prefix 'GeoIP FW Ban KR: '
iptables -A GEO-SCRUB -m geoip --src-cc UA -m limit \
 --limit 5/minute -j LOG --log-level 7 \
 --log-prefix 'GeoIP FW Ban UA: '
iptables -A GEO-SCRUB -m geoip --src-cc RU -m limit \
 --limit 5/minute -j LOG --log-level 7 \
 --log-prefix 'GeoIP FW Ban RU: '
iptables -A GEO-SCRUB -m geoip --src-cc PL -m limit \
 --limit 5/minute -j LOG --log-level 7 \
 --log-prefix 'GeoIP FW Ban PL: '
# the DROP list must match the logged countries and must follow the LOG rules
# in the same chain (a DROP inserted at the top of INPUT would match before
# the jump into GEO-SCRUB, so nothing would be logged)
iptables -A GEO-SCRUB -m geoip --src-cc CN,KR,UA,RU,PL -j DROP

Be consistent with your approach – firewall rule-sets can quickly become ‘monsters’, so the simplest approach is probably best:

  1. if you have only a few rules then add them as needed
  2. a custom CHAIN (e.g. GEO-SCRUB) keeps the GeoIP rules in one place and lets you jump to them from any chain (INPUT, FORWARD, ...) where they are needed.
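
The rules above refer to a custom GEO-SCRUB chain but never create it or jump to it from INPUT. The script below is added here as an example (it is not part of the original post): it creates the chain, fills it with one rate-limited LOG rule per country followed by a single DROP rule, and adds the jump from INPUT only if it is not already there. It assumes the xtables-addons geoip match and its packed database are installed and that it runs as root; the IPT and CHAIN variables, the function names and the --apply flag are conventions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: build the GEO-SCRUB chain the
# rules above refer to, fill it with one rate-limited LOG rule per country
# (each with its own prefix) followed by a single DROP rule, and hook it into
# INPUT exactly once. Assumes the xtables-addons geoip match and its packed
# database are installed and that this runs as root. IPT and CHAIN are
# conventions of this example: set IPT="echo iptables" for a dry run.
set -eu

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-GEO-SCRUB}"

# "CN KR UA RU" -> "CN,KR,UA,RU" (the form --src-cc takes for several countries)
csv_list() {
    printf '%s' "$1" | tr ' ' ','
}

# $1 = space-separated list of ISO country codes to log and drop
apply_geo_scrub() {
    codes=$1

    # create the chain if it is missing, then empty it so re-running is safe
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"

    # one LOG rule per country: -A appends, so they stay above the DROP below
    for cc in $codes; do
        $IPT -A "$CHAIN" -m geoip --src-cc "$cc" \
             -m limit --limit 5/minute \
             -j LOG --log-level 7 --log-prefix "GeoIP FW Ban $cc: "
    done

    # a single DROP for the whole list; it must be the last rule in the chain
    $IPT -A "$CHAIN" -m geoip --src-cc "$(csv_list "$codes")" -j DROP

    # jump from INPUT into the chain only if no such jump exists yet (-C checks)
    $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT -j "$CHAIN"
}

# usage: ./geo-scrub.sh --apply "CN KR UA RU"
if [ "${1:-}" = "--apply" ]; then
    apply_geo_scrub "${2:-CN KR UA RU}"
fi
```

Re-running the script flushes and rebuilds only the GEO-SCRUB chain, so edits to the country list never leave stale rules behind, and the -C check keeps INPUT from collecting a second jump each time it runs. Where the jump sits relative to your other INPUT rules (before or after the established/related accept, for instance) is a design choice; -I puts it at the top, as the post's own rules do.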

** For all such access control solutions keep in mind that there is no 100% solution – GeoIP data changes frequently, so an IP in country X today might be in country Y tomorrow. Also, nothing prevents network access from non-blocked IP space (i.e. the use of proxies in an allowed location). As always, review your system logs for possible issues; a defense-in-depth posture is strongly encouraged.
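
Reviewing the logs is straightforward because every LOG rule above carries its own prefix. The script below is added here as an example and is not part of the original post: it reads iptables LOG lines from the kernel log and counts hits per country code and per source address. The sample log lines are constructed for the example (documentation addresses only); the function names and the --stdin flag are conventions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the kernel log lines
# produced by the 'GeoIP FW Ban XX: ' LOG rules above, per country and per
# source address. The sample lines below are constructed for the example
# (TEST-NET addresses); on a real system feed it /var/log/messages or
# journalctl -k output instead. Because the LOG rules are rate-limited
# (-m limit 5/minute) the counts are lower bounds, not exact hit counts.

# hits per country code, sorted by code, one "CC count" line each
geo_ban_summary() {
    awk '
    match($0, /GeoIP FW Ban [A-Z][A-Z]:/) {
        cc = substr($0, RSTART + 13, 2)   # code follows the 13-char prefix
        hits[cc]++
    }
    END { for (cc in hits) printf "%s %d\n", cc, hits[cc] }
    ' | sort
}

# hits per country and source address, busiest first: "CC SRC count"
geo_ban_top_sources() {
    awk '
    match($0, /GeoIP FW Ban [A-Z][A-Z]:/) {
        cc = substr($0, RSTART + 13, 2)
        if (match($0, /SRC=[0-9.]+/)) {
            src = substr($0, RSTART + 4, RLENGTH - 4)
            n[cc " " src]++
        }
    }
    END { for (k in n) printf "%s %d\n", k, n[k] }
    ' | sort -k3,3nr -k1,1 -k2,2
}

# constructed sample log lines (iptables LOG output, documentation addresses)
SAMPLE_LOG='Sep 19 10:01:02 fw kernel: GeoIP FW Ban CN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=22
Sep 19 10:01:05 fw kernel: GeoIP FW Ban CN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51240 DPT=22
Sep 19 10:02:11 fw kernel: GeoIP FW Ban RU: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40001 DPT=443
Sep 19 10:02:30 fw kernel: GeoIP FW Ban CN: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51300 DPT=22
Sep 19 10:03:00 fw sshd[1234]: Accepted publickey for dale from 192.0.2.55 port 50000 ssh2'

# run on the sample when executed directly; pipe real logs in with --stdin
if [ "${1:-}" = "--stdin" ]; then
    geo_ban_summary
else
    printf '%s\n' "$SAMPLE_LOG" | geo_ban_summary
    printf '%s\n' "$SAMPLE_LOG" | geo_ban_top_sources
fi
```

A country that suddenly dominates the summary, or a single source address that keeps hitting the DROP rule, is the kind of signal worth a closer look; the non-GeoIP lines (the sshd line in the sample) are ignored by both functions, so the script can be pointed at the whole kernel log.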
