Use GeoIP database file with iptables

extasic · 10-16-2008, 02:04 AM

Hi,

mail ssh server, mailserver, webserver and ftp server are being attacked from Vietnam, China, Russia and other countries just like them.

Because nobody should ever be allowed to log on from that location, I want to block those using iptables. First I only want to block the SSH port.

I got the following file that contains IP ranges of certain countries. I belive this really could work because all of the last attacking IPs were listed there.

I tried to use my rudimental Bash knowledge to create a shell script to parse that file, but my first problem is that the IP adresses are in decimal format, just like "1346801663". How do I convert this to a "regular" ip?

My second questions - what would you propose how do I get these values inside iptables? What command can I use best?

Thank you in advance!

win32sux · 10-16-2008, 03:14 AM

Download this file.

It's a CSV file which gives you both Internet standard and network formats.

Extract the standard format ranges you want using something like:

Code:

zcat GeoIPCountryCSV.zip | grep 'Vietnam\|China\|Russia' | \
awk -F',' '{print $1 $2}' | awk -F'\"\"' '{print $1 "-" $2}' | awk -F'\"' '{print $2}' > bad_ips.txt

Now you've got a bad_ips.txt file with all the ranges you want to block in it (one range per line).

Now create an iptables chain to use it in:

Code:

iptables -N BAD_IPS

Now use a for loop to stick the rules in the chain:

Code:

for i in `cat bad_ips.txt`; do iptables -A BAD_IPS -m iprange --src-range $i -j DROP; done

That loop might take a while to complete depending on your CPU and how many ranges are in the bad_ips.txt file.

Now you can send packets into that chain from wherever you want. Make sure you don't send packets in states RELATED or ESTABLISHED into that chain, or else you might run into performance issues. In other words, I suggest something like this:

Code:

iptables -P INPUT DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -j BAD_IPS

iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT

PS: Yes, I know the range extraction script I put together is really ugly (I suck at scripting).

But I can assure it works because I tested it before posting.

mlnutt · 10-16-2008, 11:53 AM

I've been working on a program to generate iptables scripts and/or startup files based on country and registry codes. The program works with cvs files from "maxmind" and "software77" (both of which are update monthly).

USAGE: ipfind (-r REGISTRY... | -c CODE... | -f DOTTED_QUAD...) [-m | -M] [-i] [-I[CHAIN_NAME]] [-pCHAIN_NAME ] [-nCHAIN_NAME] [-aACTION]] [-L] [-v]
-r, --registry filter using registry name
-c, --ctry filter using 2 character country codes
-f, --find find IP's range block
-m, --cidr print cidr instead of netmask (default)
-M, --netmask print netmask instead of cidr
-i, --iptables output iptables startup file format
-I, --iptables_cmd output iptables configuration script using CHAIN_NAME prefix
-p, --prior iptables configuration script prior chain name (default "INPUT")
-n, --next iptables configuration script next chain name (default "ACCEPT")
-a, --action iptables configuration script action (default "DROP")
-L, --nolog iptables configuration script no logging
--maxmind use the maxmind csv file (default)
--webnet77 use the webnet77 csv file
-v, --verbose display verbose output

EXAMPLE: ipfind -c CN TW KR -M
EXAMPLE: ipfind --webnet77 -r RIPE
EXAMPLE: ipfind -c US -IUSA
EXAMPLE: ipfind -f 207.69.188.171 -v

The script I currently use is:

#!/bin/bash

./ipfind -r AFRINIC LACNIC -c TW KR CN HK RU UA AE CZ JP LV PK PL ES PT -i -nMISC_CHAIN > iptables.startup

This script generates a file that only requires me to insert a few custom rules at the beginning and end (which I keep in a separate file for convenience).

The program is functional, though it is a work in progress at my leisure. There are features I still wish to implement and some of the code needs cleaning up. I use it monthly to regenerate my iptables script and am very happy with it. If there is some interest in this project I could post the code somewhere or deliver it to individuals. Note there are iptables' modules that you can compile into the kernel to do this very same task. I chose not to use them as I don't want to recompile the kernel for these module's updates. My iptables script contains about 23,500+ rules for dropping unwanted IPs. I don't notice any performance degradation.

The output is of this nature:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:AFRINIC_CHAIN - [0:0]
:AFRINIC_DROP - [0:0]
:LACNIC_CHAIN - [0:0]
:LACNIC_DROP - [0:0]
:TW_CHAIN - [0:0]
:TW_DROP - [0:0]
:KR_CHAIN - [0:0]
:KR_DROP - [0:0]
...snip...
-A AFRINIC_CHAIN -s 12.166.96.32/27 -j AFRINIC_DROP
-A AFRINIC_CHAIN -s 41.0.0.0/11 -j AFRINIC_DROP
-A AFRINIC_CHAIN -s 41.144.0.0/13 -j AFRINIC_DROP
...snip...
-A AFRINIC_CHAIN -j LACNIC_CHAIN
-A AFRINIC_DROP -j LOG --log-prefix "AFRINIC_DROP: " --log-level 3 --log-tcp-options --log-ip-options
-A AFRINIC_DROP -j DROP
-A LACNIC_CHAIN -s 4.18.32.72/29 -j LACNIC_DROP
-A LACNIC_CHAIN -s 4.18.66.0/23 -j LACNIC_DROP
...snip...
-A LACNIC_CHAIN -j TW_CHAIN
-A LACNIC_DROP -j LOG --log-prefix "LACNIC_DROP: " --log-level 3 --log-tcp-options --log-ip-options
-A LACNIC_DROP -j DROP
-A TW_CHAIN -s 58.86.0.0/16 -j TW_DROP
-A TW_CHAIN -s 58.99.0.0/17 -j TW_DROP
...snip...
-A TW_CHAIN -j KR_CHAIN
-A TW_DROP -j LOG --log-prefix "TW_DROP: " --log-level 3 --log-tcp-options --log-ip-options
-A TW_DROP -j DROP
-A KR_CHAIN -s 58.29.0.0/16 -j KR_DROP
-A KR_CHAIN -s 58.65.64.0/18 -j KR_DROP
...snip..