Hello, I wanted to add the geoip iptables module to my dedicated server (running Debian) at the same time as upgrading my kernel, so I thought I'd share how I did it.
If you haven't got these packages installed, then you'll need to do this first:
Code:
$ apt-get install kernel-package libncurses5-dev build-essential bzip2 unzip
First off I downloaded the new kernel from www.kernel.org, extracted it and set up /usr/src/linux:
Code:
$ cd /usr/src
$ wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.tar.bz2
$ tar jxf linux-2.6.24.tar.bz2
$ ln -s /usr/src/linux-2.6.24 linux
$ cd ./linux
At this point I copied my current config over to the new kernel from /proc/config.gz and updated the new .config for the newer kernel:
Code:
$ zcat /proc/config.gz > .config
$ make oldconfig
The next part is to add the geoip module, so if you just want to upgrade your kernel you can skip ahead to the packaging of the kernel.
I downloaded the iptables source and patch-o-matic-ng from netfilter. geoip doesn't work with iptables 1.4.0 at the moment; it will give you a segmentation fault when you try to add the rule (yeah, I found that out the hard way).
Code:
$ cd /usr/src
$ wget http://ftp.netfilter.org/pub/iptables/iptables-1.3.6.tar.bz2
$ wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080207.tar.bz2
$ tar jxf iptables-1.3.6.tar.bz2
$ ln -s /usr/src/iptables-1.3.6 iptables
$ tar jxf patch-o-matic-ng-20080207.tar.bz2
$ cd patch-o-matic-ng-20080207
I then added the geoip patch to my kernel and iptables (press y to apply the patch):
Code:
$ ./runme --kernel-path /usr/src/linux --iptables-path /usr/src/iptables --download geoip
For kernels 2.6.22 and above it won't compile, so you need to apply a patch:
Code:
$ cd /usr/src
$ wget http://bjerkeset.com/patches/geoip-match-2.6.22.patch.gz
$ gunzip geoip-match-2.6.22.patch.gz
$ cd linux
$ patch -p2 < ../geoip-match-2.6.22.patch
Now I go and configure the new section in the kernel and package it up for Debian:
Code:
$ cd /usr/src/linux
$ make oldconfig
geoip match support (IP_NF_MATCH_GEOIP) [N/m/?] (NEW)
Enter 'm' here to build geoip as a module, then build the kernel package:
Code:
$ make-kpkg --initrd kernel_image
Now go for a cup of tea and watch some telly...
This put a Debian package in /usr/src which can be installed with dpkg:
Code:
$ dpkg --install /usr/src/linux-image-2.6.24_2.6.24-10.00.Custom_amd64.deb
This will edit your grub config, mine was /boot/grub/menu.lst. I then edited grub so that if the new kernel fails to boot it will fall back onto my current kernel (2.6.18-5-amd64). Change the relevant parts to suit your grub config (I removed the single user mode entries); the important parts are the `default saved`, `fallback 1`, `panic=5` and `savedefault fallback` lines:
Code:
default saved
timeout 3
fallback 1
title Debian GNU/Linux, kernel 2.6.24
root (hd0,0)
kernel /boot/vmlinuz-2.6.24 root=/dev/sda1 ro panic=5
initrd /boot/initrd.img-2.6.24
savedefault fallback
title Debian GNU/Linux, kernel 2.6.18-5-amd64
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-5-amd64 root=/dev/sda1 ro
initrd /boot/initrd.img-2.6.18-5-amd64
savedefault
Then set the first kernel to boot:
Code:
$ grub-set-default 0
What this does is set the saved value to 0 so that the first kernel boots. If that kernel has a kernel panic it will display it for 5 seconds and then set the saved value to 1, so when it reboots it boots up the second kernel. You can find out the current default by looking at /boot/grub/default, but don't edit this file by hand.
Now I rebooted to load up the new kernel. Once the server was back up I confirmed that the new kernel was running with uname.
Next I compiled iptables and the module and copied them to their correct location (it may also be /usr/local/lib/iptables):
Code:
$ cd /usr/src/iptables
$ make && make install
The geoip module uses a database to know where the packets are coming from. To build an up-to-date one I got a copy of the CSV file from MaxMind and built it into a binary and index file:
Code:
$ cd /usr/src
$ wget http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
$ unzip GeoIPCountryCSV.zip
$ wget http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
$ tar zxf csv2bin-20041103.tar.gz
$ cd csv2bin/
$ make
$ ./csv2bin ../GeoIPCountryWhois.csv
$ mkdir -p /var/geoip
$ mv geoipdb.* /var/geoip
Now I'm ready to load the module and block everyone but the UK from ssh access...
Code:
$ depmod
$ modprobe ipt_geoip
$ iptables -A INPUT -p tcp --dport 22 -m geoip ! --src-cc GB -j REJECT
You can view more options with --help on the geoip module:
Code:
$ iptables -m geoip --help
To make the module load on reboot, add "ipt_geoip" to /etc/modules:
Code:
$ echo "ipt_geoip" >> /etc/modules
Now some people also choose to use geoip to block certain countries from sending emails to the server as an answer to low level spam detection. However this is sometimes seen as racist routing, so my advice would be: if you have a genuine reason to do this, like you never get any mail from Argentina, Brazil, China, Japan, Korea, Malaysia, Nigeria, Russia, Singapore, Taiwan or Thailand apart from spam and never plan to get any legit email from there, then go ahead...
Code:
$ iptables -A INPUT -p tcp --dport 25 -m geoip --src-cc AR,BR,CN,JP,KR,MY,NG,RU,SG,TW,TH -j REJECT
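To show what the database and the two rules above actually decide, here is an added example (not part of the original post or of the geoip module) that parses a few constructed rows in the GeoIPCountryWhois.csv layout, looks up a source address by numeric range and applies the ssh and smtp rules. Note the edge case it makes visible: with the negated `! --src-cc GB` rule, an address that is in no range at all gets REJECTed too.

```python
import bisect
import csv
import io
from ipaddress import ip_address

# Constructed sample rows in the MaxMind CSV layout the page feeds to csv2bin:
# "start_ip","end_ip","start_num","end_num","cc","country"
SAMPLE_CSV = '''"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"2.16.0.0","2.16.255.255","34603008","34668543","GB","United Kingdom"
"5.0.0.0","5.0.255.255","83886080","83951615","RU","Russian Federation"
'''

def load_ranges(text):
    """Parse CSV rows into (start_num, end_num, cc) tuples sorted by start."""
    rows = sorted((int(r[2]), int(r[3]), r[4]) for r in csv.reader(io.StringIO(text)))
    starts = [r[0] for r in rows]          # parallel list for bisect
    return starts, rows

def lookup_cc(db, ip):
    """Return the country code covering ip, or None if no range matches."""
    starts, rows = db
    n = int(ip_address(ip))
    i = bisect.bisect_right(starts, n) - 1  # last range starting at or before n
    if i >= 0 and rows[i][0] <= n <= rows[i][1]:
        return rows[i][2]
    return None

def geoip_match(db, ip, cc_set, negate=False):
    """Model '-m geoip [!] --src-cc A,B,...': True when the match succeeds.
    An address with no country (None) never hits cc_set, so the negated
    form matches it, which is why unlisted sources fall under REJECT below."""
    hit = lookup_cc(db, ip) in cc_set
    return (not hit) if negate else hit

def ssh_verdict(db, ip):
    """-A INPUT -p tcp --dport 22 -m geoip ! --src-cc GB -j REJECT"""
    return "REJECT" if geoip_match(db, ip, {"GB"}, negate=True) else "ACCEPT"

SPAM_CC = set("AR,BR,CN,JP,KR,MY,NG,RU,SG,TW,TH".split(","))

def smtp_verdict(db, ip):
    """-A INPUT -p tcp --dport 25 -m geoip --src-cc <list> -j REJECT"""
    return "REJECT" if geoip_match(db, ip, SPAM_CC) else "ACCEPT"

DB = load_ranges(SAMPLE_CSV)

if __name__ == "__main__":
    for src in ("2.16.1.1", "1.0.2.5", "9.9.9.9", "5.0.1.1"):
        print(src, lookup_cc(DB, src), "ssh:", ssh_verdict(DB, src), "smtp:", smtp_verdict(DB, src))
```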
Now I actually found that the 2.6.24 kernel didn't work. I'm not sure why, as I can't see what the actual kernel panic is; it could be down to some daft config setting that has been replaced with something else or has moved. So in order to get it working with the current kernel you can compile just the module for the current kernel and copy it over manually:
Code:
$ apt-get source linux-source-2.6.18
$ tar jxf linux-source-2.6.18.tar.bz2 -C /usr/src
$ cd /usr/src
$ rm linux
$ ln -s /usr/src/linux-source-2.6.18 linux
$ cd patch-o-matic-ng-20080207
$ ./runme --kernel-path /usr/src/linux --iptables-path /usr/src/iptables --download geoip
$ cd ../linux
$ make oldconfig
$ make modules_prepare
$ make -C $(pwd) M=net/ipv4/netfilter/ modules
$ cp net/ipv4/netfilter/ipt_geoip.ko /lib/modules/2.6.18-5-amd64/kernel/net/ipv4/netfilter/
Then build iptables, the module and the database the same as above.
I'm knackered now, so time for some sleep methinks....gonna be in the shit with the missus for staying up too late now
