Xtables-Addons On Centos 6 & Iptables GeoIP Filtering
This tutorial explains how to install additional netfilter modules (kernel modules used by iptables rule sets). Xtables-addons is the successor to patch-o-matic(-ng). Like it, it contains extensions that were not, or are not yet, accepted into the mainline kernel and iptables packages. Xtables-addons differs from patch-o-matic in that you do not have to patch or recompile the kernel.
A list of all available modules and their usage can be found at the links in section 6.
1 Preliminary Note
Before we start, make sure that SELinux is disabled. Run
system-config-securitylevel
or edit /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
to disable SELinux, and ...
echo 0 > /selinux/enforce
... to put the running system into permissive mode immediately (the SELINUX=disabled setting in the config file only takes effect at the next reboot).
2 Supported Configurations
* iptables >= 1.4.3
* kernel-source >= 2.6.29
For ipset-6 you need:
* libmnl
* Linux kernel >= 2.6.35
3 Installing Packages
Note: you need the kernel-devel package in exactly the same version as your running kernel!
uname -r
2.6.32-71.el6.i686
yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel
In this case that is kernel-devel-2.6.32-71.el6.i686.
Install the RPMforge repository to get the perl-Text-CSV_XS package:
rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
yum install perl-Text-CSV_XS
4 Compile xtables-addons
Get the xtables-addons source and unpack it:
wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.37/xtables-addons-1.37.tar.xz
tar xvf xtables-addons-1.37.tar.xz
Compile the modules:
cd xtables-addons-1.37/
Note: you can edit the "mconfig" file to select which modules to build and install. By default, all modules are enabled.
./configure
make && make install
5 Setting Up geoip Module
Create the GeoIP database for the iptables geoip match:
cd geoip/
Using the scripts from the geoip folder, download the MaxMind GeoIP Country database and build the per-country tables from it:
./xt_geoip_dl
./xt_geoip_build GeoIPCountryWhois.csv
Copy the generated BE and LE directories to the module's default database location:
mkdir -p /usr/share/xt_geoip/
cp -r {BE,LE} /usr/share/xt_geoip/
Test it like this:
iptables -I INPUT -m geoip --src-cc CN -j DROP
This drops all incoming packets whose source address is assigned to China (country code CN) in the database.
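The geoip match compares a packet's source address against per-country address-range tables that xt_geoip_build derives from the CSV. The Python script below is an added example, not part of this tutorial or of xtables-addons: it parses a constructed CSV in the GeoIPCountryWhois layout (RFC 5737 documentation addresses, not real geolocation data), validates each row, writes per-country range files in both byte orders, reads them back, and emulates `-m geoip [!] --src-cc` against sample source addresses. The LE/CC.iv4 and BE/CC.iv4 file names and the packed uint32 start/end layout are my assumption about what xt_geoip_build produces; `parse_ranges`, `roundtrip`, `country_of`, `geoip_match` and `rejects` are names I chose.

```python
#!/usr/bin/env python3
"""Emulate the xt_geoip build and match steps on a constructed CSV.

Added example; not code from the tutorial or from xtables-addons. The file
layout (LE/CC.iv4 and BE/CC.iv4 holding packed uint32 start/end pairs) is an
assumption about what xt_geoip_build writes.
"""
import bisect
import csv
import io
import ipaddress
import struct
import tempfile
from pathlib import Path

# Constructed sample rows in the legacy GeoIPCountryWhois.csv layout:
# "start_ip","end_ip","start_num","end_num","cc","country"
# Addresses are RFC 5737 documentation ranges, not real geolocation data.
SAMPLE_CSV = (
    '"192.0.2.0","192.0.2.127","3221225984","3221226111","CN","China"\n'
    '"192.0.2.128","192.0.2.255","3221226112","3221226239","BE","Belgium"\n'
    '"198.51.100.0","198.51.100.255","3325256704","3325256959","CN","China"\n'
    '"203.0.113.0","203.0.113.255","3405803776","3405804031","DE","Germany"\n'
)


def parse_ranges(text):
    """Return {cc: sorted [(start, end), ...]} from CSV text.

    Rows whose numeric columns disagree with the dotted addresses, or whose
    country code is not two upper-case letters, are rejected rather than
    silently producing a table that matches the wrong hosts.
    """
    ranges = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # blank line
        if len(row) < 5:
            raise ValueError(f"short row: {row!r}")
        start_ip, end_ip, start_num, end_num, cc = row[:5]
        start = int(ipaddress.IPv4Address(start_ip))
        end = int(ipaddress.IPv4Address(end_ip))
        if (start, end) != (int(start_num), int(end_num)) or start > end:
            raise ValueError(f"inconsistent row: {row!r}")
        if not (len(cc) == 2 and cc.isalpha() and cc.isupper()):
            raise ValueError(f"bad country code: {row!r}")
        ranges.setdefault(cc, []).append((start, end))
    for spans in ranges.values():
        spans.sort()
    return ranges


def rejects(text):
    """True when parse_ranges refuses the CSV text (shows the validation)."""
    try:
        parse_ranges(text)
    except ValueError:
        return True
    return False


def write_tables(ranges, outdir):
    """Write LE/CC.iv4 and BE/CC.iv4 as packed (start, end) uint32 pairs."""
    for sub, fmt in (("LE", "<II"), ("BE", ">II")):
        subdir = Path(outdir) / sub
        subdir.mkdir(parents=True, exist_ok=True)
        for cc, spans in ranges.items():
            with open(subdir / f"{cc}.iv4", "wb") as fh:
                for start, end in spans:
                    fh.write(struct.pack(fmt, start, end))


def read_table(path, fmt):
    """Decode one table file back into a list of (start, end) tuples."""
    data = Path(path).read_bytes()
    size = struct.calcsize(fmt)
    if len(data) % size:
        raise ValueError(f"{path}: truncated table")
    return [struct.unpack(fmt, data[i:i + size]) for i in range(0, len(data), size)]


def roundtrip(ranges, outdir=None):
    """Write the tables, read both byte orders back, return them if they agree."""
    outdir = outdir or tempfile.mkdtemp(prefix="xt_geoip_")
    write_tables(ranges, outdir)
    result = {}
    for cc in ranges:
        le = read_table(Path(outdir) / "LE" / f"{cc}.iv4", "<II")
        be = read_table(Path(outdir) / "BE" / f"{cc}.iv4", ">II")
        if le != be:
            raise ValueError(f"{cc}: LE and BE tables differ")
        result[cc] = le
    return result


def country_of(ip, ranges):
    """Return the country code whose table contains ip, or None if no table does."""
    addr = int(ipaddress.IPv4Address(ip))
    for cc, spans in ranges.items():
        i = bisect.bisect_right(spans, (addr, 0xFFFFFFFF)) - 1
        if i >= 0 and spans[i][0] <= addr <= spans[i][1]:
            return cc
    return None


def geoip_match(src_ip, countries, ranges, negate=False):
    """Emulate `-m geoip [!] --src-cc CC[,CC...]` for one packet's source address."""
    wanted = set(countries.split(","))
    return (country_of(src_ip, ranges) in wanted) != negate


if __name__ == "__main__":
    tables = parse_ranges(SAMPLE_CSV)
    print("tables verified:", {cc: len(v) for cc, v in roundtrip(tables).items()})
    for src in ("192.0.2.5", "192.0.2.200", "198.51.100.9", "203.0.113.1", "10.1.2.3"):
        verdict = "DROP" if geoip_match(src, "CN", tables) else "pass"
        print(f"{src:>14}  country={country_of(src, tables) or '--'}  --src-cc CN -> {verdict}")
```

Run it with python3; it needs neither network nor root. Two things it makes visible: a CSV row whose numeric columns disagree with its dotted addresses is rejected instead of quietly producing a table that matches the wrong hosts, and an address that appears in no country's table (private ranges, for instance) never matches `--src-cc` but always matches the inverted form `! --src-cc`, so a rule that allows only certain countries with `!` also needs explicit exceptions for such sources.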
6 Links
Xtables-addons: http://xtables-addons.sourceforge.net/
Xtables-addons modules: http://xtables-addons.sourceforge.net/modules.php
Xtables-addons man page: http://dev.medozas.de/files/xtables/xtables-addons.8.html
MaxMind GeoIP: http://geolite.maxmind.com/download/geoip/database
CentOS: http://www.centos.org/