  How to block network traffic by country in Linux
  Add Date : 2018-11-21      
  As a system administrator maintaining production Linux servers, you may run into situations where you need to selectively block or allow network traffic based on geographic location. For example, you are under a DoS attack launched from IP addresses registered in a particular country; or, for security reasons, you want to block SSH login requests from unknown countries; or your company holds distribution rights to certain online videos and may only serve them legally in particular countries; or company policy requires you to prevent local hosts from uploading files to any non-US remote cloud storage.

All of these scenarios require a firewall that can filter traffic by country. There are several ways to do this. One is to use TCP wrappers to set up conditional blocking for individual applications (such as SSH, NFS, httpd). The drawback is that the application you want to protect must be built with TCP wrappers support. In addition, TCP wrappers are not available on all platforms (for example, Arch Linux dropped support for it). Another approach is to build an ipset from GeoIP country information and apply it to iptables rules. The latter approach looks more promising, because iptables-based filtering is application-independent and easy to set up.

In this tutorial, I will show another iptables-based GeoIP filter, implemented with xtables-addons. For those unfamiliar with it, xtables-addons is a set of extensions for netfilter/iptables. One of the modules included in xtables-addons, xt_geoip, extends netfilter/iptables so that it can filter, NAT (IP masquerade) or drop packets according to the country the traffic comes from or goes to. To use xt_geoip you do not have to recompile the kernel or iptables; you only need to build xtables-addons as modules against the current kernel build environment (/lib/modules/`uname -r`/build). No reboot is needed either. As soon as you build and install xtables-addons, xt_geoip can be used with iptables.

As for the comparison between xt_geoip and ipset, the xtables-addons official website says: compared to ipset, xt_geoip is better in terms of memory usage, but for matching speed, hash-based ipset may have an advantage.

In the rest of the tutorial, I will show how to use iptables/xt_geoip to block incoming or outgoing network traffic based on its source or destination country.


Installing xtables-addons on Linux

Here is how to compile and install xtables-addons on various Linux platforms.

To compile xtables-addons, you first need to install some prerequisite packages.


Install dependencies on Debian, Ubuntu or Linux Mint

$ sudo apt-get install iptables-dev xtables-addons-common libtext-csv-xs-perl pkg-config

Install dependencies on CentOS, RHEL or Fedora

CentOS/RHEL 6 requires the EPEL repository to be set up first (for perl-Text-CSV_XS).

$ sudo yum install gcc-c++ make automake kernel-devel-`uname -r` wget unzip iptables-devel perl-Text-CSV_XS

Compile and install xtables-addons

Download the source package from the xtables-addons official website, then compile and install it as follows.

$ wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-2.10.tar.xz
$ tar xf xtables-addons-2.10.tar.xz
$ cd xtables-addons-2.10
$ ./configure
$ make
$ sudo make install

Note that on Red Hat based systems (CentOS, RHEL, Fedora), where SELinux is enabled by default, you need to adjust the SELinux policy as follows. Otherwise, SELinux will prevent iptables from loading the xt_geoip module.

$ sudo chcon -vR --user=system_u /lib/modules/$(uname -r)/extra/*.ko
$ sudo chcon -vR --type=lib_t /lib64/xtables/*.so

Install the GeoIP database for xtables-addons

The next step is to install the GeoIP database, which xt_geoip uses to look up the mapping between IP addresses and countries. Conveniently, the xtables-addons source package comes with two helper scripts, which download the GeoIP database from MaxMind and convert it into a binary form that xt_geoip understands; they can be found in the geoip directory of the source package. Follow these instructions to build and install the GeoIP database on your system.

$ cd geoip
$ ./xt_geoip_dl
$ ./xt_geoip_build GeoIPCountryWhois.csv
$ sudo mkdir -p /usr/share/xt_geoip
$ sudo cp -r {BE,LE} /usr/share/xt_geoip

According to MaxMind, their GeoIP database identifies the country of an IP address with 99.8% accuracy, and the database is updated every month. To keep the locally installed GeoIP data up to date, you may want to set up a monthly cron job that updates your local GeoIP database.
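
One way to script that monthly refresh, as an added example that is not part of the original article or of xtables-addons: it reruns the two helper scripts and installs the result only if both BE and LE contain a plausible number of non-empty files. The source directory, the file-count threshold, the script path and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example: refresh the xt_geoip database, installing only a complete build.
# Assumptions (not from the article): SRC_DIR location, MIN_FILES threshold,
# script name and cron schedule.
SRC_DIR="${SRC_DIR:-/usr/local/src/xtables-addons-2.10/geoip}"
DEST_DIR="${DEST_DIR:-/usr/share/xt_geoip}"
MIN_FILES="${MIN_FILES:-100}"

# True only if $1 has BE and LE directories, each with >= $2 non-empty files.
db_looks_sane() {
    for sub in BE LE; do
        [ -d "$1/$sub" ] || return 1
        n=$(( $(find "$1/$sub" -type f -size +0c | wc -l) ))
        [ "$n" -ge "$2" ] || return 1
    done
}

# Stage a verified build beside the live directory, then swap it in by rename.
# The previous copy is kept as DEST.old; a bad build leaves the live copy as is.
install_db() {   # usage: install_db BUILD_DIR DEST_DIR MIN_FILES
    db_looks_sane "$1" "$3" || { echo "refusing to install: incomplete build" >&2; return 1; }
    rm -rf "$2.new" "$2.old"
    mkdir -p "$2.new" || return 1
    cp -r "$1/BE" "$1/LE" "$2.new/" || return 1
    if [ -d "$2" ]; then mv "$2" "$2.old" || return 1; fi
    mv "$2.new" "$2"
}

# Download, convert, verify, install (the article's commands plus the checks).
refresh() {
    cd "$SRC_DIR" || return 1
    rm -f GeoIPCountryWhois.csv BE/* LE/*      # never reuse stale output
    ./xt_geoip_dl
    [ -s GeoIPCountryWhois.csv ] || { echo "download failed" >&2; return 1; }
    ./xt_geoip_build GeoIPCountryWhois.csv || return 1
    install_db "$SRC_DIR" "$DEST_DIR" "$MIN_FILES"
}

# Constructed monthly cron entry (root):
#   0 4 3 * * /usr/local/sbin/update-xt-geoip.sh --run
if [ "${1:-}" = "--run" ]; then refresh; fi
```

Rules that are already loaded keep the address ranges they were inserted with, so reload the ruleset after a refresh.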


Blocking network traffic to or from a country

Once the xt_geoip module and the GeoIP database are installed, you can use the geoip match options in the iptables command.

$ sudo iptables -m geoip --src-cc country[,country...] --dst-cc country[,country...]

The countries you want to block are specified with two-letter ISO 3166 codes (such as US (United States), CN (China), IN (India), FR (France)).

For example, if you want to block traffic from Yemen (YE) and Zambia (ZM), the following iptables command will do it.

$ sudo iptables -I INPUT -m geoip --src-cc YE,ZM -j DROP

If you want to block traffic going to China (CN), you can run the following command:

$ sudo iptables -A OUTPUT -m geoip --dst-cc CN -j DROP

The match can also be negated by placing "!" before the --src-cc or --dst-cc option.

If you want to block all traffic from non-US sources on your server, you can run:

$ sudo iptables -I INPUT -m geoip ! --src-cc US -j DROP
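
Before inserting an allow-list rule like the one above over a remote session, it helps to check how the database classifies your own management address. The following added example (not from the original article) looks an address up in the CSV and prints the rule only when the address falls inside the allowed countries; the CSV column layout, the sample rows and all function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a "! --src-cc" allow-list rule.
# Assumed CSV layout (legacy GeoIPCountryWhois.csv, not shown in the article):
#   "first_ip","last_ip","first_int","last_int","CC","Country name"

# Constructed sample rows (documentation address ranges, made-up country mapping).
sample_csv() {
    cat <<'EOF'
"192.0.2.0","192.0.2.255","3221225984","3221226239","US","United States"
"198.51.100.0","198.51.100.255","3325256704","3325256959","FR","France"
EOF
}

# Dotted-quad IPv4 -> 32-bit integer; fails on malformed input.
ip_to_int() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          printf "%.0f\n", (($1 * 256 + $2) * 256 + $3) * 256 + $4 }'
}

# Print the country code for IP $1 according to CSV file $2, or "--" if unlisted.
lookup_cc() {
    n=$(ip_to_int "$1") || return 1
    awk -F'","' -v n="$n" 'n >= $3 + 0 && n <= $4 + 0 { print $5; found = 1; exit }
        END { if (!found) print "--" }' "$2"
}

# Succeed only if IP $1 maps to one of the comma-separated codes in $2 (CSV in $3).
ip_in_countries() {
    cc=$(lookup_cc "$1" "$3") || return 1
    case ",$2," in *",$cc,"*) return 0 ;; *) return 1 ;; esac
}

# Print (not run) the allow-list rule only when the admin address survives it.
allowlist_rule() {   # usage: allowlist_rule ADMIN_IP CC[,CC...] CSV
    echo "$2" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$' || { echo "bad country list" >&2; return 2; }
    ip_in_countries "$1" "$2" "$3" || { echo "$1 is outside $2: rule would lock you out" >&2; return 1; }
    echo "iptables -I INPUT -m geoip ! --src-cc $2 -j DROP"
}

csv=$(mktemp) && sample_csv > "$csv"
allowlist_rule 192.0.2.10 US "$csv"             # prints the rule
allowlist_rule 198.51.100.7 US "$csv" || true   # refuses: address maps to FR
rm -f "$csv"
```

Run the check against the same GeoIPCountryWhois.csv that was fed to xt_geoip_build, so the answer matches what the loaded rule will see.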


For firewall-cmd users

Some distributions, such as CentOS/RHEL 7 or Fedora, have replaced iptables with firewalld as the default firewall service. On these systems, you can use firewall-cmd to block traffic with xt_geoip in a similar way. With firewall-cmd, the three examples above can be rewritten as:

$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m geoip --src-cc YE,ZM -j DROP
$ sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m geoip --dst-cc CN -j DROP
$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m geoip ! --src-cc US -j DROP

Summary

In this tutorial, I showed how to use iptables/xt_geoip to easily block network traffic based on its source or destination country. If you have this need, it can be a practical addition to your firewall setup. As a final warning, I should remind you: GeoIP-based traffic filtering on your server is not a foolproof way of banning traffic from specific countries. The GeoIP database itself is not perfectly accurate or complete, and the source or destination country can easily be spoofed by using a VPN, Tor or any compromised relay host. Geography-based filtering may even block legitimate traffic that should not be blocked. Carefully consider this limitation before you decide to deploy it in your production environment.
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.