June 14, 2010

Country based packet filtering in RHEL 5.x

Filed under: Messaging, Redhat/Fedora, Zimbra, linux — morgan @ 23:51

This is adapted from the Debian instructions found here:
http://www.debian-administration.org/articles/518

Install the Red Hat source repository and yum-utils (adapted from http://www.cyberciti.biz/faq/yum-download-source-packages-from-rhn):

# vi /etc/yum.repos.d/srpm.repo
[rhel-src]
name=Red Hat Enterprise Linux $releasever - $basearch - Source
baseurl=ftp://ftp.redhat.com/pub/redhat/linux/enterprise/$releasever/en/os/SRPMS/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
# yum install yum-utils
# mkdir /usr/src/redhat

Get the kernel source. yumdownloader --source fetches the newest matching .src.rpm into the current directory; if that is not the kernel you are running (uname -r, 2.6.18-128.1.10.el5 on this box), name the full release instead. Install the downloaded .src.rpm with rpm -i so its payload lands in /usr/src/redhat/SOURCES, then unpack the tarball. Note that this tarball is the vanilla 2.6.18 tree, on top of which the RHEL kernel carries a large patch set; for anything beyond a self-contained match module like this one, prepare the patched tree with rpmbuild -bp from the kernel spec in /usr/src/redhat/SPECS and build against that instead.

# yumdownloader --source kernel-2.6.18
# tar xfj /usr/src/redhat/SOURCES/linux-2.6.18.tar.bz2 -C /usr/src

Get the iptables source; as with the kernel, install the downloaded .src.rpm with rpm -i so the tarball appears in /usr/src/redhat/SOURCES, then unpack it.

# yumdownloader --source iptables
# tar xfj /usr/src/redhat/SOURCES/iptables-1.3.5.tar.bz2 -C /usr/src

Get patch-o-matic-ng; it patches both the iptables and the kernel source trees.

# wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070414.tar.bz2
# tar xjf patch-o-matic-ng-20070414.tar.bz2

Get the geoip patchlet and drop it into patch-o-matic's patchlets directory:

# wget http://people.netfilter.org/peejix/patchlets/geoip.tar.gz
# tar xfz geoip.tar.gz -C patch-o-matic-ng-20070414/patchlets

Apply the geoip patchlet. Point runme at both trees; answer T first to confirm the patch applies cleanly, then y to apply it:

# cd patch-o-matic-ng-20070414
# KERNEL_DIR=/usr/src/linux-2.6.18/ IPTABLES_DIR=/usr/src/iptables-1.3.5/ ./runme geoip

Loading patchlet definitions.................. done

Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel:   2.6.18, /usr/src/linux-2.6.18/

Iptables: 1.3.5, /usr/src/iptables-1.3.5
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing geoip... not applied
The geoip patch:
   Author: Samuel Jean ; Nicolas Bouliane 
   Status: Stable

This patch makes possible to match a packet
by its source or destination country.

GeoIP options:
        [!]   --src-cc, --source-country country[,country,country,...]

                        Match packet coming from (one of)
                        the specified country(ies)

        [!]   --dst-cc, --destination-country country[,country,country,...]

                        Match packet going to (one of)
                        the specified country(ies)

           NOTE: The country is inputed by its ISO3166 code.

The only extra files you need is a binary db (geoipdb.bin) & its index file (geoipdb.idx).
Take a look at http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] ?
Answer one of the following:
  T to test that the patch will apply cleanly
  Y to apply patch
  N to skip this patch
  F to apply patch even if test fails
  A to restart patch-o-matic in apply mode
  R to restart patch-o-matic in REVERSE mode
  B to walk back one patch in the list
  W to walk forward one patch in the list
  Q to quit immediately
  ? for help
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] T
Patch geoip applies cleanly
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

Excellent! Source trees are ready for compilation.

Recompile the kernel image (if there are non-modular netfilter modules).
Recompile the netfilter kernel modules.
Recompile the iptables binaries.
#

Build the kernel module. Start from the running kernel's configuration (copy the config file for your release from /boot to .config in the tree) so that make oldconfig asks only about the new geoip option, and make sure the tree's top-level Makefile has EXTRAVERSION set so that its release string equals uname -r: a module built from a tree whose version string or symbol layout differs from the running kernel is refused at modprobe time.

# cd /usr/src/linux-2.6.18
# make oldconfig
…
    geoip match support (IP_NF_MATCH_GEOIP) [N/m/?] (NEW) m
…
# make modules_prepare


Compile just the netfilter modules and copy the result into the running kernel's module tree. The release directory below has to match uname -r (2.6.18-128.1.10.el5 was the kernel on this box); adjust it for yours:

# make -C $(pwd) M=net/ipv4/netfilter/ modules
# cp -i net/ipv4/netfilter/ipt_geoip.ko /lib/modules/2.6.18-128.1.10.el5/kernel/net/ipv4/netfilter/

Build the iptables libipt_geoip.so extension and install it next to the other libipt_*.so files: /lib64/iptables on x86_64 as here, /lib/iptables on i386:

# cd /usr/src/iptables-1.3.5
# make KERNEL_DIR=/usr/src/linux-2.6.18/ extensions/libipt_geoip.so
Making dependencies: please wait...
cc -O2 -Wall -Wunused -I/usr/src/linux-2.6.18//include -Iinclude/ -DIPTABLES_VERSION=\"1.3.5\"  -fPIC -o extensions/libipt_geoip_sh.o -c extensions/libipt_geoip.c
ld -shared  -o extensions/libipt_geoip.so extensions/libipt_geoip_sh.o
# cp extensions/libipt_geoip.so /lib64/iptables

Load the module (run depmod first so that modprobe can find the new file):

# depmod
# modprobe ipt_geoip
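If modprobe refuses the module, the usual cause is that it was built from a tree that does not identify itself as the running kernel: the vanilla linux-2.6.18 tarball inside the RHEL SRPM has an empty EXTRAVERSION, so it stamps its modules 2.6.18 while the kernel is 2.6.18-128.1.10.el5. The following is an added example, not code from the post or from the netfilter project: it reads the release string a tree will stamp into its modules, fixes EXTRAVERSION to match a given release, and runs the checks worth doing before modprobe ipt_geoip (module directory present, /var/geoip populated, vermagic of the built .ko). It assumes CONFIG_LOCALVERSION is unset in the tree's config and GNU sed for the in-place edit.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# ipt_geoip build. The release half of a module's vermagic string comes from
# VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION in the tree's top-level Makefile;
# the vanilla linux-2.6.18 tarball in the RHEL SRPM ships EXTRAVERSION empty,
# so it stamps "2.6.18" while the running kernel is "2.6.18-128.1.10.el5".
# Assumptions: CONFIG_LOCALVERSION is unset, GNU sed is available.

# tree_release MAKEFILE: the release string a tree stamps into its modules.
tree_release() {
    awk -F= '
        $1 ~ /^VERSION[ \t]*$/      { v = $2 }
        $1 ~ /^PATCHLEVEL[ \t]*$/   { p = $2 }
        $1 ~ /^SUBLEVEL[ \t]*$/     { s = $2 }
        $1 ~ /^EXTRAVERSION[ \t]*$/ { e = $2 }
        END {
            gsub(/[ \t]/, "", v); gsub(/[ \t]/, "", p)
            gsub(/[ \t]/, "", s); gsub(/[ \t]/, "", e)
            print v "." p "." s e
        }' "$1"
}

# set_extraversion MAKEFILE RELEASE: make the tree stamp RELEASE, e.g.
# "2.6.18-128.1.10.el5" becomes "EXTRAVERSION = -128.1.10.el5".
set_extraversion() {
    extra=$(printf '%s' "$2" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*//')
    sed -i "s/^EXTRAVERSION[[:space:]]*=.*/EXTRAVERSION = $extra/" "$1"
}

# preflight TREE: everything that has to hold before "modprobe ipt_geoip".
# Prints each problem to stderr and returns 1 if any check fails.
preflight() {
    kver=$(uname -r)
    rel=$(tree_release "$1/Makefile")
    rc=0
    if [ "$rel" != "$kver" ]; then
        echo "tree stamps $rel but the running kernel is $kver: fix EXTRAVERSION and rebuild" >&2
        rc=1
    fi
    [ -d "/lib/modules/$kver/kernel/net/ipv4/netfilter" ] ||
        { echo "no module directory for $kver under /lib/modules" >&2; rc=1; }
    for f in geoipdb.bin geoipdb.idx; do
        [ -s "/var/geoip/$f" ] || { echo "missing /var/geoip/$f" >&2; rc=1; }
    done
    ko="$1/net/ipv4/netfilter/ipt_geoip.ko"
    if [ -f "$ko" ] && command -v modinfo >/dev/null 2>&1; then
        vm=$(modinfo -F vermagic "$ko" | cut -d' ' -f1)
        [ "$vm" = "$kver" ] || { echo "vermagic $vm does not match $kver" >&2; rc=1; }
    fi
    return $rc
}
```

Run set_extraversion /usr/src/linux-2.6.18/Makefile "$(uname -r)" before make modules_prepare, then preflight /usr/src/linux-2.6.18 after the module is built; only when it returns 0 is the cp into /lib/modules worth doing.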


Loading the module at boot: the 2.6.18 kernel asks modprobe for ipt_geoip itself when a rule using -m geoip is loaded, so once depmod knows about the module a ruleset saved with service iptables save comes back on its own at boot. To be explicit, list it in IPTABLES_MODULES in /etc/sysconfig/iptables-config, which the iptables init script loads before restoring the rules.

Create the IP-country mapping. The zip is MaxMind's country CSV, which is refreshed regularly, so plan to regenerate the binary database periodically rather than building it once:

# wget http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
# unzip GeoIPCountryCSV.zip
# wget http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
# tar xzf csv2bin-20041103.tar.gz
# cd csv2bin
# make
# ./csv2bin ../GeoIPCountryWhois.csv
# mkdir /var/geoip
# mv geoipdb* /var/geoip

Test

World Cup mania meant we happened to have a colleague in South Africa, so we blocked the whole country on a test server and had him attempt to connect over HTTPS:

# /sbin/iptables -A INPUT -p tcp --dport 443 -m geoip --src-cc ZA -j REJECT

If the box still runs the stock RHEL 5 ruleset, INPUT jumps straight into RH-Firewall-1-INPUT, which ends in a REJECT, so a rule appended to INPUT with -A sits after that jump and is never consulted; use -I (or put the rule in RH-Firewall-1-INPUT ahead of the ACCEPTs) and confirm with iptables -L INPUT -v -n that the rule's packet counter moves while the colleague retries. REJECT answers the sender with an ICMP error; use -j DROP if the blocked country should see nothing at all.
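The rule above is the whole of what the post tests. As an added example (not from the original post, and not code from the netfilter or MaxMind projects), the following shell script checks the MaxMind CSV for corrupt rows before csv2bin bakes it into geoipdb.bin, builds the geoip rule from a validated country list, and, for a box without the patched kernel, emits equivalent rules with the stock iprange match straight from the CSV. The CSV layout (six quoted fields: start and end address, their integer forms, code, name) is assumed, the sample rows are constructed, and MaxMind's pseudo-codes A1, A2, AP and EU are accepted alongside ISO 3166 codes.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed layout of
# GeoIPCountryWhois.csv (MaxMind's legacy country file, six quoted fields):
#   "start_ip","end_ip","start_int","end_int","CC","Country name"
# CC is an ISO 3166 alpha-2 code or a MaxMind pseudo-code (A1, A2, AP, EU).

# Constructed sample rows standing in for the real CSV (not MaxMind data).
sample_csv() {
    cat <<'EOF'
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"2.16.0.0","2.16.255.255","34603008","34668543","DE","Germany"
"5.0.0.0","5.0.0.255","83886080","83886335","A1","Anonymous Proxy"
"41.0.0.0","41.255.255.255","687865856","704643071","ZA","South Africa"
"196.1.0.0","196.1.255.255","3288399872","3288465407","ZA","South Africa"
EOF
}

# check_csv FILE: every row must have six fields, a plausible code, and
# integer fields that agree with the dotted addresses, so a corrupt row is
# caught before it becomes a wrong range in geoipdb.bin. Prints each bad
# row with its line number; returns 1 if any row is bad.
check_csv() {
    awk -F'","' '
        function ip2int(ip,  o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        {
            gsub(/^"|"$/, "")          # drop the outer quotes; awk resplits $0
            bad = (NF != 6) || ($5 !~ /^[A-Z][A-Z0-9]$/) ||
                  (ip2int($1) != $3) || (ip2int($2) != $4) || ($3 > $4)
            if (bad) { print "line " NR ": " $0; fail = 1 }
        }
        END { exit fail }' "$1"
}

# cc_ranges FILE CC: "start end" pairs for one country code (any case).
cc_ranges() {
    cc=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    awk -F'","' -v cc="$cc" '{ gsub(/^"|"$/, ""); if ($5 == cc) print $1, $2 }' "$1"
}

# geoip_rule PORT CC[,CC...]: the rule the post uses, with the code list
# validated before iptables sees it. -I rather than -A: on a stock RHEL 5
# ruleset INPUT jumps into RH-Firewall-1-INPUT, which ends in a REJECT, so
# a rule appended after that jump is never reached.
geoip_rule() {
    ccs=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf '%s' "$ccs" | grep -Eq '^[A-Z][A-Z0-9](,[A-Z][A-Z0-9])*$' || {
        echo "bad country list: $2" >&2
        return 1
    }
    echo "-I INPUT -p tcp --dport $1 -m geoip --src-cc $ccs -j REJECT"
}

# iprange_rules FILE PORT CC: the same block without the kernel patch, one
# rule per CSV row using the stock iprange match. Fine for a few ranges; a
# whole country can mean thousands of rules, which is why the geoip match
# exists.
iprange_rules() {
    cc_ranges "$1" "$3" | while read start end; do
        echo "-I INPUT -p tcp --dport $2 -m iprange --src-range $start-$end -j REJECT"
    done
}
```

Each emitted line is the argument list for one iptables call (for example piped through xargs -L1 /sbin/iptables). Run check_csv on the downloaded GeoIPCountryWhois.csv before csv2bin, and cc_ranges on it for the country you intend to block to see what the database will actually cover.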
