DocHive

Jun 16, 2019

Xtables-addon

*Warning: Unfortunately, due to this is an old version of xaddon, it only works for kernel-devel, instead of kernel-ml-devel. And obviously, on CentOS you cannot install xtables-addon 3.x which requires iptables 1.6. So until now the latest kernel version it supports is 3.10.0-957.12.2.el7.x86_64.

Checking kernel

1
uname -r

Make sure you are using kernel 3.10.0-957.12.2, or it won’t work.

Install the required packages.

1
yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` wget unzip iptables-devel perl-Text-CSV_XS

Download and compile xtables-addon

1
2
3
4
5
6
wget http://ufpr.dl.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-2.14.tar.xz
tar -xvf xtables-addons-2.14.tar.xz
cd xtables-addons-2.14
./configure
sed -i '/xt_TARPIT.o$/s/^/#/' extensions/Kbuild
make && make install

Then, the key step, and the step I could not find in any other tutorial (The previous solution is outdated and could not be used)

1
2
mkdir -p /usr/share/xt_geoip
wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip

Now you finished the setup!

Also let me show you how to use it. The format is:

1
iptables -m geoip –src-cc country[,country…] –dst-cc country[,country…]

The country uses two-letter ISO3166 code standard. For example:

Blocking all incoming traffic from China and India: iptables -I INPUT -m geoip --src-cc IN,US -j DROP
Blocking all incoming traffic from countries except the US: iptables -I INPUT -m geoip ! --src-cc US -j DROP

Credits

https://linoxide.com/linux-how-to/block-ips-countries-geoip-addons/
https://legacy-geoip-csv.ufficyo.com/
https://www.isthnew.com/archives/centos7-bbr.html
https://documentacoes.wordpress.com/2018/04/03/install-geoip-iptables-module-centos-7/

OLDER > < NEWER