I wanted to block all incoming traffic from untrusted countries, to cut down on the by now excessive hacking attempts from Eastern Europe, China, Russia, etc.
The instructions I found online were somewhat outdated and no longer worked, but they contained valuable pointers in the right direction.
In principle, it works as follows:
- use iptables with the geoip match (xt_geoip), which has to be installed separately
- download a database that maps IP addresses to countries (MaxMind's GeoLite2)
- convert that database into the format the geoip match reads
Quite simple, isn't it?
And this is my detailed procedure:
apt install geoipupdate: this tool downloads MaxMind's GeoIP databases
sign up at https://dev.maxmind.com/ and generate a license key - GeoLite2 is free for "fair use"
after you have created the key, download the generated configuration file for geoipupdate and replace /etc/GeoIP.conf with it (it contains your account ID and license key, so keep it readable by root only)
if you run geoipupdate now, you will find the downloaded databases in /var/lib/GeoIP/
mkdir /etc/geoip: this is where the scripts and tools for converting the database go
get the release tarball from https://github.com/maxmind/libmaxminddb, so you can build libmaxminddb, which the converter needs. I unpacked it into /etc/geoip/libmaxminddb.
cd /etc/geoip/libmaxminddb/libmaxminddb-1.9.1 && ./configure && make && make check (adjust the version number to the tarball you downloaded)
cd /etc/geoip && git clone https://github.com/vel21ripn/maxminddb-dump-country: this is the exporter; git clone creates /etc/geoip/maxminddb-dump-country itself, which keeps the relative paths below correct
add the following options to the gcc call in its Makefile, so it finds the headers and the freshly built library:
-I ../libmaxminddb/libmaxminddb-1.9.1/include -L ../libmaxminddb/libmaxminddb-1.9.1/src/.libs/
make (if the resulting binary later complains about a missing libmaxminddb.so, run make install in the libmaxminddb tree, or install the distribution's libmaxminddb-dev package and drop the -I/-L options)
mkdir /usr/share/xt_geoip: do not change this path, it is hardcoded into the geoip module
run the converter from /etc/geoip: maxminddb-dump-country/xt_geoip_build_maxmind -v -o /usr/share/xt_geoip /var/lib/GeoIP/GeoLite2-Country.mmdb
now you have all the necessary country mappings in /usr/share/xt_geoip
install the geoip module: apt install xtables-addons-common (on Debian and Ubuntu the kernel module itself is built by xtables-addons-dkms, so install that as well; modprobe xt_geoip tells you whether it loads)
create a script /etc/geoip/block.sh. Mine contains something like this:
# accept local traffic first, before the country filter
iptables -I INPUT 1 -s 127.0.0.1 -j ACCEPT
iptables -I INPUT 2 -s 192.168.178.0/24 -j ACCEPT
# drop new connections from every "untrusted" country, i.e. anything not in the list;
# addresses missing from the database match no country and are dropped as well
iptables -I INPUT 3 -m state --state NEW -m geoip ! --source-country AT,FR,DE,GB -j DROP
The DROP rule must sit behind the local accepts (position 3 here; use a higher position if other rules have to come first, but note that -I fails when the position is beyond the end of the chain). Two things to keep in mind: this only filters IPv4, so ip6tables needs the same rule with the IPv6 tables if the host has a public IPv6 address, and iptables rules do not survive a reboot, so run the script at boot and rerun geoipupdate plus the converter regularly, because the mappings change.
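As an added example (this is not the post's own block.sh, nor part of MaxMind's or xtables-addons' tooling), here is the whole procedure folded into one script that refreshes the database, rebuilds the tables and applies the rules for IPv4 and IPv6 without stacking duplicates on re-runs. It assumes the converter lives at /etc/geoip/maxminddb-dump-country/xt_geoip_build_maxmind, that the rules go at positions 1 to 3 of INPUT, and it only acts when invoked as "block.sh apply". The checks are the ones I would want before enabling a rule that drops by default: the country list is validated (a lower-case or mistyped code matches no table, and with "!" that drops everyone), and the tables for every trusted country are verified to exist for both address families.

```sh
#!/bin/sh
# Added example, not from the original post: one script that refreshes the
# MaxMind database, rebuilds the xt_geoip tables and (re)applies the country
# filter for IPv4 and IPv6. Paths follow the post; BUILDER, the rule positions
# and the "apply" argument are this example's assumptions.
set -eu

XT_GEOIP_DIR=/usr/share/xt_geoip                  # hardcoded in xt_geoip
MMDB=/var/lib/GeoIP/GeoLite2-Country.mmdb         # written by geoipupdate
BUILDER=/etc/geoip/maxminddb-dump-country/xt_geoip_build_maxmind  # assumed location
TRUSTED=AT,FR,DE,GB
LAN4=192.168.178.0/24

# The country list must be comma-separated ISO 3166-1 alpha-2 codes in upper
# case. A typo (e.g. "de") matches no table, and with "!" that drops everyone.
valid_country_list() {
    printf '%s' "$1" | grep -Eq '^[[:upper:]]{2}(,[[:upper:]]{2})*$'
}

# Every trusted country needs an IPv4 and an IPv6 table under $1; searched
# recursively so both the flat and the older LE/BE xt_geoip layouts pass.
tables_present() {
    dir=$1; list=$2
    for cc in $(printf '%s' "$list" | tr ',' ' '); do
        [ -n "$(find "$dir" -name "$cc.iv4")" ] || return 1
        [ -n "$(find "$dir" -name "$cc.iv6")" ] || return 1
    done
}

# Match/target part of the filter rule. Only NEW connections are checked;
# replies to connections this host opened are not affected.
geoip_rule() {
    printf '%s' "-m conntrack --ctstate NEW -m geoip ! --source-country $1 -j DROP"
}

# Insert the rule at position $3 only if it is not already there (-C), so
# re-running the script does not stack duplicates.
apply_rule() {
    tool=$1; list=$2; pos=$3
    if ! $tool -C INPUT $(geoip_rule "$list") 2>/dev/null; then
        $tool -I INPUT "$pos" $(geoip_rule "$list")
    fi
}

# Fetch the current database and convert it for xt_geoip.
refresh_db() {
    geoipupdate
    "$BUILDER" -v -o "$XT_GEOIP_DIR" "$MMDB"
}

main() {
    valid_country_list "$TRUSTED" || { echo "bad country list: $TRUSTED" >&2; exit 1; }
    modprobe xt_geoip
    refresh_db
    tables_present "$XT_GEOIP_DIR" "$TRUSTED" || { echo "geoip tables missing" >&2; exit 1; }
    # loopback and LAN are accepted first, the country filter sits right behind them
    iptables  -C INPUT -i lo -j ACCEPT 2>/dev/null || iptables  -I INPUT 1 -i lo -j ACCEPT
    iptables  -C INPUT -s "$LAN4" -j ACCEPT 2>/dev/null || iptables  -I INPUT 2 -s "$LAN4" -j ACCEPT
    ip6tables -C INPUT -i lo -j ACCEPT 2>/dev/null || ip6tables -I INPUT 1 -i lo -j ACCEPT
    apply_rule iptables  "$TRUSTED" 3
    apply_rule ip6tables "$TRUSTED" 2
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = apply ]; then
    main
fi
```

Run it as root with "sh block.sh apply" from a boot hook and from the same cron job that refreshes the database; because every rule is checked with -C before it is inserted, running it again after the tables were rebuilt is harmless.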
My "disturbances" have gone down significantly (> 90%) since I applied this procedure.