Hi
Specs in subject line: CentOS 6.X all latest patches), iptables 1.47, Apache2.2
I use the Geolite legacy databases together with iptables 1.47 to filter traffic for a variety of ports and only allow .AU traffic to have access.
Maxmind (https://dev.maxmind.com/geoip/geoip2/geolite2/) changed the default DB to the latest version which is GeoLite2, this leaves all users in need of the old Geolite Legacy database in the dark, they cannot update.
If I download a later version of xtables it will complain that it requires iptable>1.6 which I do not think I can get going on CentOS 6.X.
Is there a way that I can convert Geolite2 CSV files to Geolite Legacy CSV Files and then compile those into BE/LE?
Are there any other ways I can use Geolite2 on a CentOS 6.X system?
Does anyone have other ideas how to tackle this?
(this made me really sleep well!)
thanks Jobst
On 14/01/2019 07:09, Jobst Schmalenbach wrote:
Hi
Specs in subject line: CentOS 6.X all latest patches), iptables 1.47, Apache2.2
I use the Geolite legacy databases together with iptables 1.47 to filter traffic for a variety of ports and only allow .AU traffic to have access.
I use ipdeny's aggregated country lists to do the same thing:
http://www.ipdeny.com/ipblocks/data/aggregated/
I just feed this data directly into ipset/iptables via a script running on my firewall (not a C6 box). ipset is a really efficient way of doing this.
Maxmind (https://dev.maxmind.com/geoip/geoip2/geolite2/) changed the default DB to the latest version which is GeoLite2, this leaves all users in need of the old Geolite Legacy database in the dark, they cannot update.
If I download a later version of xtables it will complain that it requires iptable>1.6 which I do not think I can get going on CentOS 6.X.
Is there a way that I can convert Geolite2 CSV files to Geolite Legacy CSV Files and then compile those into BE/LE?
Are there any other ways I can use Geolite2 on a CentOS 6.X system?
Does anyone have other ideas how to tackle this?
(this made me really sleep well!)
thanks Jobst
On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry@elrepo.org) wrote:
On 14/01/2019 07:09, Jobst Schmalenbach wrote:
Hi
I use ipdeny's aggregated country lists to do the same thing:
http://www.ipdeny.com/ipblocks/data/aggregated/
I just feed this data directly into ipset/iptables via a script running on my firewall (not a C6 box). ipset is a really efficient way of doing this.
Do you create a separate table, then feed every IP address (via ipset) into this chain? Would you mind sharing this script?
thx Jobst
On 15/01/2019 01:29, Jobst Schmalenbach wrote:
On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry@elrepo.org) wrote:
On 14/01/2019 07:09, Jobst Schmalenbach wrote:
Hi
I use ipdeny's aggregated country lists to do the same thing:
http://www.ipdeny.com/ipblocks/data/aggregated/
I just feed this data directly into ipset/iptables via a script running on my firewall (not a C6 box). ipset is a really efficient way of doing this.
Do you create a separate table, then feed every IP address (via ipset) into this chain? Would you mind sharing this script?
thx Jobst
Below is my script for creating/updating an ipset to block my top 10 undesirable/abusive countries. It runs as a cron job up startup to initially populate it and again every X hours to update it on my EdgeRouter firewall device.
It can be relatively slow process creating very large sets, so we create a temp set and then swap the contents of the live set with the temp set and finally delete the temp set. This is a more efficient way of updating an existing set.
Once the ipset has been created, you can create rules in iptables to match against that set using -m set --match-set SETNAME.
Hope that helps
-- Phil
CountryList="cn ru ua kp kr br ro tr vn in" if [ -e /tmp/countries.txt ]; then rm /tmp/countries.txt fi
for country in $CountryList; do curl -o /tmp/$country.txt http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone cat /tmp/$country.txt >> /tmp/countries.txt done
getnetblocks() { cat <<EOF # Generated by ipset -N geotmp nethash --hashsize 1024 --probes 4 --resize 20 EOF cat /tmp/countries.txt|egrep '^[0-9]'|egrep '/' |sed -e "s/^/-A geotmp /" } getnetblocks > /tmp/cnblock.txt sudo ipset -! -R < /tmp/cnblock.txt sudo ipset -W geotmp COUNTRIES-BLOCK sudo ipset -X geotmp
rm /tmp/cnblock.txt
On Tue, Jan 15, 2019 at 07:43:02AM +0000, Phil Perry (pperry@elrepo.org) wrote:
On 15/01/2019 01:29, Jobst Schmalenbach wrote:
On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry@elrepo.org) wrote:
On 14/01/2019 07:09, Jobst Schmalenbach wrote:
Below is my script for creating/updating an ipset to block my top 10 Hope that helps
Thanks, it did, cleared up conflicting info I found on the Internet.
I also wanted to go the "other way": disallow everything but 2 countries (AU,NZ). There are even more conflicting ideas about how to do this, but I figured it out.
Also I cannot see a difference in speed between using (maxmind)
-A filter_countries -m geoip --src-cc AU,NZ -j ACCEPT
and (ipdeny)
-A filter_countries -m set --set au.geoblock src -j ACCEPT
which is really good!
Jobst
On 16/01/2019 02:04, Jobst Schmalenbach wrote:
On Tue, Jan 15, 2019 at 07:43:02AM +0000, Phil Perry (pperry@elrepo.org) wrote:
On 15/01/2019 01:29, Jobst Schmalenbach wrote:
On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry@elrepo.org) wrote:
On 14/01/2019 07:09, Jobst Schmalenbach wrote:
Below is my script for creating/updating an ipset to block my top 10 Hope that helps
Thanks, it did, cleared up conflicting info I found on the Internet.
Great.
I also wanted to go the "other way": disallow everything but 2 countries (AU,NZ). There are even more conflicting ideas about how to do this, but I figured it out.
How you handle that will depend on the default policy of the chain.
I would use 2 rules - the first to accept connections from AU,NZ, and a second rule subsequently DROPing all other connections, as this will work regardless of the default policy of the chain and the intention of the rules is clear to anyone reading them.
Also I cannot see a difference in speed between using (maxmind)
-A filter_countries -m geoip --src-cc AU,NZ -j ACCEPT
and (ipdeny)
-A filter_countries -m set --set au.geoblock src -j ACCEPT
which is really good!
Yes, ipset is really efficient. My top 10 bad countries set above contains over 28,000 individual netblocks and runs on my EdgeRouter Lite, with a 500MHz embedded processor. The device is capable of Gigabit throughput, and I see no impact upon throughput with multiple iptables rules, many based on large ipsets.
Jobst
--On Monday, January 14, 2019 7:29 AM +0000 Phil Perry pperry@elrepo.org wrote:
I use ipdeny's aggregated country lists to do the same thing:
http://www.ipdeny.com/ipblocks/data/aggregated/
I just feed this data directly into ipset/iptables via a script running on my firewall (not a C6 box). ipset is a really efficient way of doing this.
CentOS 7 uses firewalld which has direct support for ipsets in XML form. Hopefully the site will soon supply the data in that format. (But it's not hard to generate the files from their format.)
Note that a zip file of all the individual country files can be downloaded here:
-
Jobst Schmalenbach -
Kenneth Porter -
Phil Perry