How to block network traffic in Linux based on country location
As a system administrator who maintains a Linux production server, you may run into situations where you need to selectively block or allow network traffic based on its geographical origin or destination. For example, you are experiencing a DoS attack launched from IP addresses registered in a specific country; you want to block SSH login attempts from unexpected countries as a precaution; your company is licensed to distribute online videos that may legally be served only within a specific country; or company policy requires you to prevent a local host from uploading files to any non-US remote cloud storage.
In all of these cases you need a firewall that filters traffic based on country. There are several ways to do this. One is to use TCP wrappers to set up conditional blocking for individual applications (such as SSH, NFS and httpd). The disadvantage is that the application you want to protect must have been built with TCP wrappers support, and TCP wrappers are not available on every platform (Arch Linux, for example, dropped support). Another method is to take country-based GeoIP information, load it into an ipset, and reference that set from iptables rules. The latter looks more promising, because an iptables-based filter is independent of the application and easy to set up.
In this tutorial, I will show another iptables-based GeoIP filter, implemented by xtables-addons. For those who are not familiar with it, xtables-addons is a collection of extensions for netfilter/iptables. One module in xtables-addons, xt_geoip, extends netfilter/iptables so that it can filter, NAT or mangle packets based on their source or destination country. To use xt_geoip you do not have to recompile the kernel or iptables; you only need to build xtables-addons as kernel modules against the build environment of the running kernel (/lib/modules/`uname -r`/build). No reboot is required either: xt_geoip can be used with iptables as soon as xtables-addons is built and installed.
As for the comparison between xt_geoip and ipset, the xtables-addons website says that xt_geoip uses less memory than ipset, but that a hash-based ipset may be faster at matching.
In the rest of the tutorial, I will show you how to use iptables/xt_geoip to block network traffic based on its source or destination country.
Install xtables-addons in Linux
The following describes how to compile and install xtables-addons on various Linux platforms.
To compile xtables-addons, you must first install some dependent software packages.
Install dependencies in Debian, Ubuntu, or Linux Mint
$ sudo apt-get install iptables-dev xtables-addons-common libtext-csv-xs-perl pkg-config
Install dependencies in CentOS, RHEL, or Fedora
On CentOS/RHEL 6, enable the EPEL repository first (it provides perl-Text-CSV_XS).
$ sudo yum install gcc-c++ make automake kernel-devel-`uname -r` wget unzip iptables-devel perl-Text-CSV_XS
Compile and install xtables-addons
Download the xtables-addons source package from the official website, then compile and install it as follows.
$ wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-2.10.tar.xz
$ tar xf xtables-addons-2.10.tar.xz
$ cd xtables-addons-2.10
$ ./configure
$ make
$ sudo make install
Note that on Red Hat-based systems (CentOS, RHEL and Fedora) SELinux is enabled by default, so you need to relabel the installed files as follows. Otherwise SELinux will prevent iptables from loading the xt_geoip module.
$ sudo chcon -vR --user=system_u /lib/modules/$(uname -r)/extra/*.ko
$ sudo chcon -vR --type=lib_t /lib64/xtables/*.so
Install the GeoIP database for xtables-addons
The next step is to install the GeoIP database, which xt_geoip uses to look up the mapping between IP addresses and countries. Conveniently, the xtables-addons source package contains two helper scripts that download the GeoIP database from MaxMind and convert it into the binary format xt_geoip understands; they live in the geoip directory of the source tree. Build and install the GeoIP database on your system as follows.
$ cd geoip
$ ./xt_geoip_dl
$ ./xt_geoip_build GeoIPCountryWhois.csv
$ sudo mkdir -p /usr/share/xt_geoip
$ sudo cp -r {BE,LE} /usr/share/xt_geoip
According to MaxMind, their GeoIP database identifies the country of an IP address with 99.8% accuracy, and it is updated every month. To keep the locally installed GeoIP data current, you may want to set up a cron job that runs monthly and refreshes your local GeoIP database.
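The monthly refresh just described, as an added example that is not part of the original article or of xtables-addons itself. It wraps the xt_geoip_dl and xt_geoip_build helpers from the 2.x source tree, assumes they are found in GEOIP_HELPER_DIR (a path chosen here, not one the article gives), assumes xt_geoip_build writes BE/ and LE/ into the working directory as on the page, and swaps the new database into /usr/share/xt_geoip only after checking that the build actually produced country files. Newer xtables-addons releases changed the download source and the on-disk layout, so check the helper scripts shipped with your release before relying on the file names used here.

```shell
#!/bin/sh
# Added example (not from the original article): monthly refresh of the
# xt_geoip country database with the xt_geoip_dl / xt_geoip_build helpers
# from the xtables-addons 2.x source tree. Assumptions: the helpers live in
# GEOIP_HELPER_DIR, xt_geoip_build writes BE/ and LE/ into the working
# directory (as on the page), and the install target is /usr/share/xt_geoip.
set -eu

GEOIP_HELPER_DIR="${GEOIP_HELPER_DIR:-/usr/local/src/xtables-addons-2.10/geoip}"
GEOIP_TARGET="${GEOIP_TARGET:-/usr/share/xt_geoip}"

# Install the BE/ and LE/ trees from a build directory into the target.
# The copy goes to "<target>.new" first and is then swapped into place, so
# xt_geoip never sees a half-copied database; the previous tree is removed
# only after the swap succeeded. Fails if either tree is missing.
install_geoip_db() {
    src="$1"; dst="$2"
    for endian in BE LE; do
        [ -d "$src/$endian" ] || { echo "missing $src/$endian" >&2; return 1; }
    done
    rm -rf "$dst.new" "$dst.old"
    mkdir -p "$dst.new"
    cp -r "$src/BE" "$src/LE" "$dst.new/"
    if [ -d "$dst" ]; then mv "$dst" "$dst.old"; fi
    mv "$dst.new" "$dst"
    rm -rf "$dst.old"
}

# Count per-country files (2.x layout: <CC>.iv4 / <CC>.iv6), a cheap sanity
# check that the build step produced data before the old database is replaced.
count_country_files() {
    find "$1" -type f \( -name '*.iv4' -o -name '*.iv6' \) | wc -l | tr -d ' '
}

# Download, convert and install; meant to be called from cron once a month.
update_geoip_db() {
    work="$(mktemp -d)"
    trap 'rm -rf "$work"' EXIT
    cd "$work"
    "$GEOIP_HELPER_DIR/xt_geoip_dl"
    "$GEOIP_HELPER_DIR/xt_geoip_build" GeoIPCountryWhois.csv
    n="$(count_country_files "$work")"
    [ "$n" -gt 0 ] || { echo "build produced no country files, keeping old db" >&2; exit 1; }
    install_geoip_db "$work" "$GEOIP_TARGET"
    echo "installed $n country files into $GEOIP_TARGET"
}

# Entry point: only run the network-touching update when asked to.
if [ "${1:-}" = "--run" ]; then
    update_geoip_db
fi
```

Save it as, for example, /usr/local/sbin/xt_geoip_update and add a crontab line such as `0 4 1 * * root /usr/local/sbin/xt_geoip_update --run` to refresh the database on the first of every month. The rename-based swap matters because the xt_geoip module reads the per-country files when a rule is evaluated; overwriting them in place with `cp -r` can briefly leave a truncated file visible.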
Block network traffic from or to a country
Once the xt_geoip module and the GeoIP database are installed, you can use the geoip match in iptables commands:
$ sudo iptables -m geoip --src-cc country[,country...] --dst-cc country[,country...]
Countries are given as two-letter ISO 3166-1 alpha-2 codes (for example US (United States), CN (China), IN (India) and FR (France)).
For example, to block traffic from Yemen (YE) and Zambia (ZM), the following iptables command does the job:
$ sudo iptables -I INPUT -m geoip --src-cc YE,ZM -j DROP
If you want to block traffic to China (CN), run the following command:
$ sudo iptables -A OUTPUT -m geoip --dst-cc CN -j DROP
You can also prefix the --src-cc or --dst-cc option with ! to invert the match:
If you want to block traffic from all non-US sources on your server, you can run:
$ sudo iptables -I INPUT -m geoip !--src-cc US -j DROP
For firewall-cmd users
Some distributions, such as CentOS/RHEL 7 and Fedora, have replaced iptables with firewalld as the default firewall service. On these systems you can apply the same xt_geoip matches through firewall-cmd direct rules. With firewall-cmd, the three examples above become:
$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m geoip --src-cc YE,ZM -j DROP
$ sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m geoip --dst-cc CN -j DROP
$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m geoip ! --src-cc US -j DROP
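The iptables and firewall-cmd rules above, wrapped into one script as an added example that is not part of the original article or of xtables-addons. It serves both the iptables section and the firewall-cmd section: the rule specification is built once, country codes are checked for the ISO 3166-1 alpha-2 form before anything reaches the firewall, the presence of the xt_geoip match is verified, and each rule is added only if it is not already there, so rerunning the script does not stack duplicate rules. The check that a country exists in the installed database assumes the 2.x layout (/usr/share/xt_geoip/LE/<CC>.iv4); the BACKEND and GEOIP_DB variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): apply the article's three
# xt_geoip DROP rules idempotently through either iptables or firewall-cmd.
# Assumptions: xtables-addons and the GeoIP database are installed as shown
# above, and the 2.x on-disk layout (/usr/share/xt_geoip/LE/<CC>.iv4) is used
# for the "is this country in the database" check.
set -eu
export LC_ALL=C                    # make [A-Z] in the patterns below ASCII only

GEOIP_DB="${GEOIP_DB:-/usr/share/xt_geoip}"
BACKEND="${BACKEND:-iptables}"     # or "firewall-cmd"

# Syntactic check for an ISO 3166-1 alpha-2 code: exactly two capital letters.
valid_cc() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every code in a comma-separated list; report the first bad one.
valid_cc_list() {
    old_ifs="$IFS"; IFS=','
    for cc in $1; do
        if ! valid_cc "$cc"; then
            IFS="$old_ifs"; echo "bad country code: $cc" >&2; return 1
        fi
    done
    IFS="$old_ifs"
}

# Print an iptables rule specification (chain first, so it can follow -I/-C).
#   $1 chain (INPUT|OUTPUT), $2 match (src|dst), $3 codes such as "YE,ZM",
#   $4 "negate" to drop everything NOT in the list (the ! form from the text).
geoip_rule_spec() {
    chain="$1"; match="$2"; codes="$3"; negate="${4:-}"
    case "$chain" in INPUT|OUTPUT) ;; *) echo "bad chain: $chain" >&2; return 1 ;; esac
    case "$match" in src|dst) ;; *) echo "bad match: $match" >&2; return 1 ;; esac
    valid_cc_list "$codes" || return 1
    neg=""
    if [ "$negate" = "negate" ]; then neg="! "; fi
    printf '%s -m geoip %s--%s-cc %s -j DROP\n' "$chain" "$neg" "$match" "$codes"
}

# Translate the same spec into firewall-cmd --direct arguments (priority 0).
firewalld_direct_args() {
    spec="$1"
    printf 'ipv4 filter %s 0 %s\n' "${spec%% *}" "${spec#* }"
}

# Refuse codes the installed database does not know about (2.x layout).
db_has_cc() {
    [ -f "$GEOIP_DB/LE/$1.iv4" ] || [ -f "$GEOIP_DB/LE/$1.iv6" ]
}

# Add a rule only if it is not already present, so reruns do not stack copies.
apply_geoip_rule() {
    spec="$(geoip_rule_spec "$@")"
    old_ifs="$IFS"; IFS=','
    for cc in $3; do
        db_has_cc "$cc" || { echo "no database entry for $cc in $GEOIP_DB" >&2; IFS="$old_ifs"; return 1; }
    done
    IFS="$old_ifs"
    # shellcheck disable=SC2086   # word splitting of $spec/$args is intended
    if [ "$BACKEND" = "firewall-cmd" ]; then
        args="$(firewalld_direct_args "$spec")"
        firewall-cmd --direct --query-rule $args >/dev/null 2>&1 \
            || firewall-cmd --direct --add-rule $args
    elif iptables -C $spec 2>/dev/null; then
        echo "already present: $spec"
    else
        iptables -I $spec
        echo "added: $spec"
    fi
}

# Entry point: "$0 --apply" installs the three rules from the article.
if [ "${1:-}" = "--apply" ]; then
    iptables -m geoip -h >/dev/null 2>&1 \
        || { echo "xt_geoip match not available; is the module installed?" >&2; exit 1; }
    apply_geoip_rule INPUT  src YE,ZM
    apply_geoip_rule OUTPUT dst CN
    apply_geoip_rule INPUT  src US negate
fi
```

Run it as root with `--apply`; set `BACKEND=firewall-cmd` on firewalld systems. The script uses -I for every rule so that the geoip drop sits before any accept rules already in the chain; the firewall-cmd direct rules are added to the runtime configuration only, as in the article, so add `--permanent` (and reload) if they must survive a restart. The database check is what turns a typo like `--src-cc UK` into an error instead of a rule that silently matches nothing.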
Summary
In this tutorial, I showed how to use iptables/xt_geoip to block network traffic based on its source or destination country. If you have such a requirement, this is a practical method to deploy on your firewall. As a final warning, I should remind you that blocking traffic from a specific country with GeoIP-based filtering is not foolproof. The GeoIP database itself is not perfectly accurate or complete, and the apparent source or destination of traffic is easily disguised through a VPN, Tor or any compromised relay host. Geolocation-based filters may also block legitimate traffic that should not have been blocked. Weigh these limitations carefully before deploying such a filter in a production environment.
Via: http://xmodulo.com/block-network-traffic-by-country-linux.html
Author: Dan Nanni. Translator: FSSlc. Proofreader: wxy
This article was translated by LCTT and first published by Linux China.