I wanted to block all incoming traffic from untrusted countries to avoid the by now excessive hacking attempts from Eastern Europe, China, Russia, etc.
Instructions that I found online were somewhat outdated, so they did not work, but they contained valuable pointers in the right direction.
In principle, it works as follows:
- use iptables and the geoip module, which requires installation
- download a database that maps IP addresses to countries (maxmind)
- convert that database, so it is accessible by iptables geoip
Quite simple, isn't it?
And this is my detailed procedure:
apt install geoipupdate: this tool will download maxmind's geoip database
sign up at https://dev.maxmind.com/, and generate an API key - it's free for "fair use"
after you have created the API key, download the generated configuration file for geoipupdate, and replace /etc/GeoIP.conf with it.
if you run geoipupdate now, you will find the downloaded databases in /var/lib/GeoIP/
mkdir /etc/geoip: this is where the necessary scripts and tools for converting the database go
get the release tarball from https://github.com/maxmind/libmaxminddb, so you can build libmaxminddb, which is needed by the converter. I unpacked it into /etc/geoip/libmaxminddb.
cd /etc/geoip/libmaxminddb && ./configure && make && make check
mkdir /etc/geoip/maxminddb-dump-country: this is where the exporter goes
cd /etc/geoip/maxminddb-dump-country && git clone https://github.com/vel21ripn/maxminddb-dump-country
add the following options to gcc in Makefile:
-I ../libmaxminddb/libmaxminddb-1.9.1/include -L ../libmaxminddb/libmaxminddb-1.9.1/src/.libs/
make
mkdir /usr/share/xt_geoip: do not change this path, it is hard-coded into the geoip module
run the converter: maxminddb-dump-country/xt_geoip_build_maxmind -v -o /usr/share/xt_geoip geoip-db/GeoLite2-Country.mmdb
now you will have all the necessary country mappings in /usr/share/xt_geoip
install the geoip module: apt install xtables-addons-common
create a script /etc/geoip/block.sh. Mine contains something like this:
# accept local
iptables -I INPUT 1 -s 127.0.0.1 -j ACCEPT
iptables -I INPUT 2 -s 192.168.178.0/24 -j ACCEPT
# drop "untrusted" countries
iptables -I INPUT 5 -m state --state NEW -m geoip ! --source-country AT,FR,DE,GB -j DROP
Run block.sh.
If you have no persistent iptables rules (I don't), add block.sh to your crontab to run at boot time.
I also created a script /etc/geoip/update.sh, which runs
/usr/bin/geoipupdate
maxminddb-dump-country/xt_geoip_build_maxmind -o /usr/share/xt_geoip geoip-db/GeoLite2-Country.mmdb
Finally, add update.sh to your crontab and have it run regularly but not too often. Fair use, remember. MaxMind updates its database twice a week.
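As an added example (not the author's block.sh), here is a block script with the same policy that can be re-run safely at boot or after an update, and that first checks that the converted database actually contains every country it names; the CC.iv4 file naming, the GEOIP chain name and the environment variables are assumptions of this example:

```shell
#!/bin/sh
# Added example, not the author's block.sh. Same policy (local nets pass, NEW
# connections from outside the trusted countries are dropped), but in a chain
# of its own so it can be re-run at boot or after an update without stacking
# duplicate rules, and it refuses to run if a country file is missing.
# Assumed: xt_geoip files are named CC.iv4/CC.iv6 (current xtables-addons);
# the chain name GEOIP and the environment variables are this example's own.
set -eu

IPTABLES="${IPTABLES:-iptables}"                  # IPTABLES=echo for a dry run
GEOIP_DIR="${GEOIP_DIR:-/usr/share/xt_geoip}"
TRUSTED="${TRUSTED:-AT,FR,DE,GB}"                  # may open new connections
LOCAL_NETS="${LOCAL_NETS:-127.0.0.0/8 192.168.178.0/24}"

# check_country_db DIR CODES: fail (status 1) if any code has no .iv4 file.
# A rule naming a code that has no data would silently match nothing.
check_country_db() {
    dir=$1; missing=""
    for cc in $(printf '%s' "$2" | tr ',' ' '); do
        [ -f "$dir/$cc.iv4" ] || missing="$missing $cc"
    done
    [ -z "$missing" ] || { echo "no geoip data for:$missing" >&2; return 1; }
}

# apply_rules: (re)build the GEOIP chain and hook it into INPUT exactly once.
apply_rules() {
    $IPTABLES -N GEOIP 2>/dev/null || $IPTABLES -F GEOIP   # create or empty
    for net in $LOCAL_NETS; do
        $IPTABLES -A GEOIP -s "$net" -j RETURN             # never geo-filtered
    done
    # Only NEW connections are judged, so replies to our own outgoing
    # connections are not affected. IPv4 only; ip6tables would need its own.
    $IPTABLES -A GEOIP -m state --state NEW \
        -m geoip ! --source-country "$TRUSTED" -j DROP
    # Add the INPUT -> GEOIP jump only if it is not already present.
    $IPTABLES -C INPUT -j GEOIP 2>/dev/null || $IPTABLES -I INPUT 1 -j GEOIP
}

# Run for real only when asked: GEOIP_APPLY=1 sh block.sh
if [ "${GEOIP_APPLY:-0}" = 1 ]; then
    check_country_db "$GEOIP_DIR" "$TRUSTED"
    apply_rules
fi
```

Running it with IPTABLES=echo prints the rules it would install, which is a convenient way to review the policy before it touches the firewall.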
Please note that this kind of block is not 100% effective. Some unwanted packets might slip through, so you had better have other security measures in place. It may also block IP addresses that you did not want to block. These cases are rare, but they can happen.
My "disturbances" have gone down significantly (> 90%) since I applied this procedure.