Compiling the iptables geoip module on CentOS 5

Compiled on a CentOS 5 system with kernel 2.6.18 and iptables 1.3.5.

1. Preparation

Download the source of the kernel currently running on our CentOS 5 system.

# mkdir ~/geoip
# cd ~/geoip/
# uname -a
Linux host.domain.com 2.6.18-53.1.13.el5 #1 SMP Tue Feb 12 13:02:30 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

# wget ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-53.1.13.el5.src.rpm

We only want linux-2.6.18.tar.bz2 from it (the other patches are not needed).

# rpm2cpio kernel-2.6.18-53.1.13.el5.src.rpm | cpio -idv linux-2.6.18.tar.bz2
linux-2.6.18.tar.bz2
172734 blocks
# tar xjf linux-2.6.18.tar.bz2

Next, download the iptables source RPM.

# wget ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/iptables-1.3.5-1.2.1.src.rpm

Extract the iptables tarball the same way as the kernel above.

# rpm2cpio iptables-1.3.5-1.2.1.src.rpm | cpio -idv iptables-1.3.5.tar.bz2
iptables-1.3.5.tar.bz2
435 blocks
# tar xjf iptables-1.3.5.tar.bz2

Download geoip and patch-o-matic-ng.

# wget http://people.netfilter.org/peejix/patchlets/geoip.tar.gz
# wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20090627.tar.bz2

Extract patch-o-matic-ng:

# tar xjf patch-o-matic-ng-20090627.tar.bz2

Then extract geoip into a subdirectory of the patch-o-matic-ng-20090627 directory.

# tar xzf geoip.tar.gz -C patch-o-matic-ng-20090627/patchlets/

2. Patching

Patch the kernel and iptables source code using patch-o-matic-ng.

# cd patch-o-matic-ng-20090627/
# KERNEL_DIR=../linux-2.6.18/ IPTABLES_DIR=../iptables-1.3.5/ ./runme geoip

If all goes well, patch-o-matic-ng will display a description of the geoip patch and ask whether to apply it. Type y; patch-o-matic-ng will then print a success message and exit.

3. Building and installing the geoip kernel module

# cd ../linux-2.6.18
# cp /boot/config-`uname -r` .config
# cp /boot/symvers-`uname -r`.gz . && gunzip symvers-`uname -r`.gz && mv symvers-`uname -r` Module.symvers
# make oldconfig

During configuration, make will ask:

geoip match support (IP_NF_MATCH_GEOIP) [N/m/?] (NEW)

Type m.

# make modules_prepare

Then compile the modules.

# make -C $(pwd) M=net/ipv4/netfilter/ modules

If all goes well, ipt_geoip.ko will be in the net/ipv4/netfilter/ directory; we just copy it to the kernel's modules directory.

# cp net/ipv4/netfilter/ipt_geoip.ko /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/

If you do not want to compile all of the netfilter modules (only ipt_geoip.ko):

# cd net/ipv4/netfilter/
# mkdir ipt_geoip
# cp ipt_geoip.c ipt_geoip/
# cd ipt_geoip

Create a Makefile with the following contents:

# Out-of-tree build of ipt_geoip only; recipe lines must start with a tab
obj-m	+= ipt_geoip.o
KDIR	:= ~/geoip/linux-2.6.18

.PHONY: all clean

all:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

clean:
	$(MAKE) -C $(KDIR) M=$(PWD) clean

Save the Makefile, then run:

# make
# cp ipt_geoip.ko /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/

Load the new ipt_geoip module:

# depmod -a 
# modprobe ipt_geoip 

4. Building and installing the iptables library

# cd ~/geoip/iptables-1.3.5/
# make KERNEL_DIR=../linux-2.6.18/ extensions/libipt_geoip.so

Copy the library that was built into the iptables library directory:

# cp extensions/libipt_geoip.so /lib/iptables/

5. Creating the IP-to-country mapping

We will use the database that can be obtained freely from http://www.maxmind.com/. Download and extract it:

# cd ~/geoip/ 
# wget http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip 
# unzip GeoIPCountryCSV.zip 
# wget http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz 
# tar xzf csv2bin-20041103.tar.gz 
# cd csv2bin/ 
# make 
# ./csv2bin ../GeoIPCountryWhois.csv 
# mkdir /var/geoip 
# mv geoipdb.* /var/geoip/ 

6. Using iptables with the geoip module

# # Block access to the SSH daemon except from Indonesia
# iptables -A INPUT -p tcp --dport 22 -m geoip ! --src-cc ID -j REJECT
# # Block pinging of hosts in France, Italy, Spain
# iptables -A OUTPUT -p icmp -m geoip --dst-cc FR,IT,ES -j REJECT
# # Help
# iptables -m geoip --help

Source: http://www.debian-administration.org/article/Country-based_packet_filtering_with_iptables
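
Before loading the SSH rule above, it helps to confirm which country the downloaded database assigns to the address you administer the host from, because a wrong mapping would reject your own sessions. The script below is an added example, not part of the original article; it assumes the legacy six-field layout of GeoIPCountryWhois.csv, the function names are hypothetical, and the sample ranges are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): report which country code the
# MaxMind CSV assigns to an IPv4 address, to check an admin address before
# loading a rule such as "-m geoip ! --src-cc ID -j REJECT".
# Assumed CSV layout (legacy GeoIPCountryWhois.csv), one range per line:
#   "first_ip","last_ip","first_as_int","last_as_int","CC","Country name"

# ip_to_int A.B.C.D : print the address as a 32-bit integer, nothing if malformed
ip_to_int() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 {
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit
        printf "%.0f\n", (($1 * 256 + $2) * 256 + $3) * 256 + $4 }'
}

# cc_for_ip CSVFILE A.B.C.D : print the country code, or "--" if no range matches
cc_for_ip() {
    n=$(ip_to_int "$2")
    [ -n "$n" ] || { echo "--"; return 1; }
    awk -F'","' -v n="$n" '
        (n + 0) >= ($3 + 0) && (n + 0) <= ($4 + 0) { print $5; found = 1; exit }
        END { if (!found) print "--" }' "$1"
}

# admin_ip_allowed CSVFILE A.B.C.D CC : succeed only if the address maps to CC,
# i.e. a "! --src-cc CC -j REJECT" rule would not reject it
admin_ip_allowed() {
    [ "$(cc_for_ip "$1" "$2")" = "$3" ]
}

# make_sample_csv FILE : write constructed sample ranges (documentation
# address blocks; the country assignments are invented for the demo)
make_sample_csv() {
    cat > "$1" <<'EOF'
"192.0.2.0","192.0.2.255","3221225984","3221226239","ID","Indonesia"
"198.51.100.0","198.51.100.255","3325256704","3325256959","FR","France"
EOF
}

csv=$(mktemp)
make_sample_csv "$csv"
for ip in 192.0.2.77 198.51.100.1 203.0.113.5; do
    if admin_ip_allowed "$csv" "$ip" ID; then verdict="passes"; else verdict="REJECTED by"; fi
    echo "$ip -> $(cc_for_ip "$csv" "$ip"): $verdict the SSH rule"
done
rm -f "$csv"
```

On the real system, point cc_for_ip at ~/geoip/GeoIPCountryWhois.csv and pass your own address; an address that is not in any range prints "--" and would be rejected by the "! --src-cc ID" rule.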

2 Comments

  1. Hello. Good article!

    After:

    > Create a Makefile with the following contents:

    bj-m    += ipt_geoip.o
    KDIR    := ~/geoip/linux-2.6.18
    all:
        make -C $(KDIR) M=$(PWD) modules

    clean:

        make -C $(KDIR) M=$(PWD) clean

    error:

    root@worked [/usr/src/redhat/SOURCES/linux-2.6.18/net/ipv4/netfilter/ipt_geoip]# make all
    make: Nothing to be done for `all'.
    What may be the problem?

  2. admin

    sorry, there's a typo here:

    bj-m    += ipt_geoip.o

    should be:

    obj-m    += ipt_geoip.o
