Difference between revisions of "Xt geoip"

From SME Server
Jump to navigationJump to search
(14 intermediate revisions by 3 users not shown)
Line 31: Line 31:
  
 
=== Description ===
 
=== Description ===
 +
 +
{{Warning box|From MAXMIND site :
 +
"Due to upcoming data privacy regulations, we are making significant changes to how you access free GeoLite2 databases starting December 30, 2019. Learn more on our blog." https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
 +
 +
Quote
 +
Starting December 30, 2019, we will be requiring users of our GeoLite2 databases to register for a MaxMind account and obtain a license key in order to download GeoLite2 databases. We will continue to offer the GeoLite2 databases without charge, and with the ability to redistribute with proper attribution and in compliance with privacy regulations. In addition, we are introducing a new end-user license agreement to govern your use of the GeoLite2 databases. Previously, GeoLite2 databases were accessible for download to the public on our developer website and were licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
 +
 +
Starting December 30, 2019, downloads will no longer be served from our public GeoLite2 page, from geolite.maxmind.com/download/geoip/database/*, or from any other public URL.
 +
End Quote
 +
 +
See the section below [[Xt geoip#installation|Installation]] for steps on how to migrate to the new download mechanism.}}
 +
 
<!-- add a description here --> This contribs installs xtables-addons  [http://xtables-addons.sourceforge.net/geoip.php (http://xtables-addons.sourceforge.net/geoip.php]) on SME Server 9.x.  
 
<!-- add a description here --> This contribs installs xtables-addons  [http://xtables-addons.sourceforge.net/geoip.php (http://xtables-addons.sourceforge.net/geoip.php]) on SME Server 9.x.  
  
  Xtables-addons includes xt_geoip used in this contribs to filter packets depending on the country they come from.  
+
  Xtables-addons includes xt_geoip used in this contribs to filter packets depending on the country they come from.
  
 
=== Installation ===
 
=== Installation ===
 +
Sign up for a MaxMind account (no purchase required) https://dev.maxmind.com/geoip/geoip2/geolite2/
 +
 +
Important - Note your login details and in particular your AccountID and LicenceKey
 +
 +
Go to Services My Licence key and generate a licence key, carefully note the key details, multiple keys may be created, these details are also used in the smeserver-geoip contrib.
 +
 +
The following config property keys and values will be used to set the geoip config db for ongoing updates see below
 +
AccountID #######
 +
LicenseKey xxxxxxxxxxxxxxx
 +
 
  yum --enablerepo=smecontribs install smeserver-xt_geoip
 
  yum --enablerepo=smecontribs install smeserver-xt_geoip
  
 
you might need to update to last smeserver-yum >= 2.4.0-23 or you will get an error because of missing GPG key.  
 
you might need to update to last smeserver-yum >= 2.4.0-23 or you will get an error because of missing GPG key.  
 +
 +
A configuration db may already be present from another contrib, check for its existence
 +
 +
# config show geoip
 +
geoip=service
 +
status=enabled
 +
 +
If it does exists and the LicenseKey and AccountID are NOT present perform the following
 +
db configuration setprop LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID"
 +
 +
If the configuration db is not present it needs to be created with following keys and properties:
 +
db configuration set geoip service status enabled LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID"
 +
 +
# config show geoip
 +
geoip=service
 +
    AccountID=xxxxxx
 +
    LicenseKey=xxxxxxxxxxxxxxx
 +
    status=enabled
 +
 
then<syntaxhighlight lang="bash">
 
then<syntaxhighlight lang="bash">
 +
modprobe xt_geoip
 
signal-event xt_geoip-update
 
signal-event xt_geoip-update
 
config set UnsavedChanges no
 
config set UnsavedChanges no
Line 46: Line 88:
 
you might have issues with kmod not populating the weak-updates folder, which results in geoip module being not available (modprobe xt_geoip will give an error, and panel will indicate iptable geoip not working),  if so just run :
 
you might have issues with kmod not populating the weak-updates folder, which results in geoip module being not available (modprobe xt_geoip will give an error, and panel will indicate iptable geoip not working),  if so just run :
 
  weak-modules  --add-kernel
 
  weak-modules  --add-kernel
 +
 
=== Configuration ===
 
=== Configuration ===
The easiest way should be to go to server manager and use the panel.
+
The easiest way should be to go to server manager and use the panel. There you will be able to :
 +
* configure a global filter list of country. You can either only accept the defined countries or reject the defined countries.
 +
* configure a per service (port), exclusion list. Similarly you can  either only accept the defined countries or reject the defined countries.
 +
* configure whether you want the global filter override the per service rule, or only filter all other ports without a specific geoip rule.
  
 +
The server-manager offers also after the first 24 hours statistics.
 +
 +
==== global masq properties ====
 
you can list the available configuration with the following command :
 
you can list the available configuration with the following command :
 
  config show masq
 
  config show masq
Line 61: Line 110:
 
|-
 
|-
 
|BadCountries
 
|BadCountries
|A1
+
|
 
|coma separated strings
 
|coma separated strings
|list of 2 letters countries to block
+
|list of 2 letters countries to block for the global filter. If empty the global filter is deactivated.
 
|-
 
|-
 
|GeoIP
 
|GeoIP
 
|enabled
 
|enabled
 
|enabled,disabled
 
|enabled,disabled
 +
|enable or disable all the geoip filtering services. (ie per service AND global rules)
 +
|-
 +
|XtServices
 +
|imaps,pop3s,sshd,ftp,ssmtpd
 +
|coma separated strings
 +
|list of existing services in configuration db with defined TCPPorts. You can manually override the list to add your own services (see below).
 +
|-
 +
|XTGeoipRev
 +
|disabled
 +
|enabled,disabled
 +
|if enabled the "BadCountries" list will be reversed match, in other words only countries in this list will be allowed. If the property is empty or missing, its value is defaulted to disabled.
 +
|-
 +
|XTGeoipOther
 +
|disabled
 +
|enabled,disabled
 +
|if enabled the global rule will apply only to services/ports with a specific geoip defined rule. If the property is empty or missing, its value is defaulted to disabled.
 +
|-
 +
|XTlogmail
 +
|disabled
 +
|enabled,disabled
 +
|if enabled the daily processing sends summary messages to the administrator. If the property is empty or missing, its value is defaulted to disabled.
 
|}
 
|}
 +
 +
'''To override the list of services''' (XtServices) : click on the button under the table of managed services. You get a panel with a list of all existing services (tcp) on the server. You can then (un)select [ctrl-click] and obtain your own services.
  
 
NOTE: masq is a the entry fo the SME firewall, there are plenty of other property for this key, please refer to manual. Only properties added by this contrib are referenced here.
 
NOTE: masq is a the entry fo the SME firewall, there are plenty of other property for this key, please refer to manual. Only properties added by this contrib are referenced here.
 +
 +
NOTE2: Only Xtlogmail is not configurable using the Server-Manager.
 +
 +
==== per service properties ====
 +
you can list the available configuration with the following command :
 +
config show servicename
 +
 +
For the different services you will also encounter those properties
 +
{| class="wikitable"
 +
!property
 +
!default
 +
!values
 +
!
 +
|-
 +
|BadCountries
 +
|A1
 +
|coma separated strings
 +
|list of 2 letters countries to block for this specific service. If empty the global filter is deactivated.
 +
|-
 +
|XTGeoipRev
 +
|disabled
 +
|enabled,disabled
 +
|if enabled the "BadCountries" list will be reversed match, in other words only countries in this list will be allowed. If the property is empty or missing, its value is defaulted to disabled.
 +
|-
 +
|XTGeoipOther
 +
|disabled
 +
|enabled,disabled
 +
|if enabled the global rule will apply only to services/ports with a specific geoip defined rule. If the property is empty or missing, its value is defaulted to disabled.
 +
|}
 +
 +
NOTE: All services have their own specific properties, please refer to manual. Only properties added by this contrib are referenced here.
  
 
=== Abbreviated Country Code List ===
 
=== Abbreviated Country Code List ===
 +
(This list is available with a click on the first panel)
 
{{#lsth:GeoIP| Abbreviated Country Code List }}
 
{{#lsth:GeoIP| Abbreviated Country Code List }}
  

Revision as of 07:49, 26 January 2020




xt geoip
NeedImage.svg
xt geoip logo
Maintainermab974
Urlhttps://wiki.contribs.org
Category

security

Tags sshgeoipiptablesfirewallgeoip2


Maintainer

Michel Begue


Version

Devel 10:
Contrib 10:
Contrib 9:
smeserver-xt_geoip
The latest version of smeserver-xt_geoip is available in the SME repository, click on the version number(s) for more information.


Contrib 10:
Contrib 9:
xtables-addons
The latest version of xtables-addons is available in the SME repository, click on the version number(s) for more information.


Contrib 10:
Contrib 9:
xtables-addons-kmod
The latest version of xtables-addons-kmod is available in the SME repository, click on the version number(s) for more information.


Description

Warning.png Warning:
From MAXMIND site :

"Due to upcoming data privacy regulations, we are making significant changes to how you access free GeoLite2 databases starting December 30, 2019. Learn more on our blog." https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/

Quote Starting December 30, 2019, we will be requiring users of our GeoLite2 databases to register for a MaxMind account and obtain a license key in order to download GeoLite2 databases. We will continue to offer the GeoLite2 databases without charge, and with the ability to redistribute with proper attribution and in compliance with privacy regulations. In addition, we are introducing a new end-user license agreement to govern your use of the GeoLite2 databases. Previously, GeoLite2 databases were accessible for download to the public on our developer website and were licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.

Starting December 30, 2019, downloads will no longer be served from our public GeoLite2 page, from geolite.maxmind.com/download/geoip/database/*, or from any other public URL. End Quote

See the section below Installation for steps on how to migrate to the new download mechanism.


This contribs installs xtables-addons  (http://xtables-addons.sourceforge.net/geoip.php) on SME Server 9.x. 
Xtables-addons includes xt_geoip used in this contribs to filter packets depending on the country they come from.

Installation

Sign up for a MaxMind account (no purchase required) https://dev.maxmind.com/geoip/geoip2/geolite2/

Important - Note your login details and in particular your AccountID and LicenceKey

Go to Services My Licence key and generate a licence key, carefully note the key details, multiple keys may be created, these details are also used in the smeserver-geoip contrib.

The following config property keys and values will be used to set the geoip config db for ongoing updates see below

AccountID #######
LicenseKey xxxxxxxxxxxxxxx 
yum --enablerepo=smecontribs install smeserver-xt_geoip

you might need to update to last smeserver-yum >= 2.4.0-23 or you will get an error because of missing GPG key.

A configuration db may already be present from another contrib, check for its existence

# config show geoip
geoip=service
status=enabled

If it does exists and the LicenseKey and AccountID are NOT present perform the following

db configuration setprop LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID"

If the configuration db is not present it needs to be created with following keys and properties:

db configuration set geoip service status enabled LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID"
# config show geoip
geoip=service
   AccountID=xxxxxx
   LicenseKey=xxxxxxxxxxxxxxx
   status=enabled

then

modprobe xt_geoip
signal-event xt_geoip-update
config set UnsavedChanges no

you might have issues with kmod not populating the weak-updates folder, which results in geoip module being not available (modprobe xt_geoip will give an error, and panel will indicate iptable geoip not working), if so just run :

weak-modules  --add-kernel

Configuration

The easiest way should be to go to server manager and use the panel. There you will be able to :

  • configure a global filter list of country. You can either only accept the defined countries or reject the defined countries.
  • configure a per service (port), exclusion list. Similarly you can either only accept the defined countries or reject the defined countries.
  • configure whether you want the global filter override the per service rule, or only filter all other ports without a specific geoip rule.

The server-manager offers also after the first 24 hours statistics.

global masq properties

you can list the available configuration with the following command :

config show masq


Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :

property default values
BadCountries coma separated strings list of 2 letters countries to block for the global filter. If empty the global filter is deactivated.
GeoIP enabled enabled,disabled enable or disable all the geoip filtering services. (ie per service AND global rules)
XtServices imaps,pop3s,sshd,ftp,ssmtpd coma separated strings list of existing services in configuration db with defined TCPPorts. You can manually override the list to add your own services (see below).
XTGeoipRev disabled enabled,disabled if enabled the "BadCountries" list will be reversed match, in other words only countries in this list will be allowed. If the property is empty or missing, its value is defaulted to disabled.
XTGeoipOther disabled enabled,disabled if enabled the global rule will apply only to services/ports with a specific geoip defined rule. If the property is empty or missing, its value is defaulted to disabled.
XTlogmail disabled enabled,disabled if enabled the daily processing sends summary messages to the administrator. If the property is empty or missing, its value is defaulted to disabled.

To override the list of services (XtServices) : click on the button under the table of managed services. You get a panel with a list of all existing services (tcp) on the server. You can then (un)select [ctrl-click] and obtain your own services.

NOTE: masq is a the entry fo the SME firewall, there are plenty of other property for this key, please refer to manual. Only properties added by this contrib are referenced here.

NOTE2: Only Xtlogmail is not configurable using the Server-Manager.

per service properties

you can list the available configuration with the following command :

config show servicename

For the different services you will also encounter those properties

property default values
BadCountries A1 coma separated strings list of 2 letters countries to block for this specific service. If empty the global filter is deactivated.
XTGeoipRev disabled enabled,disabled if enabled the "BadCountries" list will be reversed match, in other words only countries in this list will be allowed. If the property is empty or missing, its value is defaulted to disabled.
XTGeoipOther disabled enabled,disabled if enabled the global rule will apply only to services/ports with a specific geoip defined rule. If the property is empty or missing, its value is defaulted to disabled.

NOTE: All services have their own specific properties, please refer to manual. Only properties added by this contrib are referenced here.

Abbreviated Country Code List

(This list is available with a click on the first panel)

A1      Anonymous Proxy
A2      Satellite Provider
AC      Ascension Island
AD      Andorra
AE      United Arab Emirates
AERO    members of the air-transport industry
AF      Afghanistan
AG      Antigua and Barbuda
AI      Anguilla
AL      Albania
AM      Armenia
AN      Netherlands Antilles (being phased out)
AO      Angola
AQ      Antarctica
AP      Asia/Pacific
AR      Argentina
AS      American Samoa
ASIA    Restricted to the Pan-Asia and Asia Pacific community
AT      Austria
AU      Australia
AW      Aruba
AX      Aland Islands
AZ      Azerbaijan
BA      Bosnia and Herzegovina
BB      Barbados
BD      Bangladesh
BE      Belgium
BF      Burkina Faso
BG      Bulgaria
BH      Bahrain
BI      Burundi
BIZ     Restricted for Business
BJ      Benin
BL      Saint Barthelemy
BM      Bermuda
BN      Brunei Darussalam
BO      Bolivia
BQ      Bonaire, Sint Eustatius and Saba
BR      Brazil
BS      Bahamas
BT      Bhutan
BV      Bouvet Island
BW      Botswana
BY      Belarus
BZ      Belize
CA      Canada
CC      Cocos (Keeling) Islands
CD      Congo, The Democratic Republic of the
CF      Central African Republic
CG      Congo
CH      Switzerland
CI      Cote d'Ivoire
CK      Cook Islands
CL      Chile
CM      Cameroon
CN      China
CO      Colombia
COM     Generic top-level domain
COOP    cooperative associations
CR      Costa Rica
CU      Cuba
CV      Cape Verde
CW      Curaçao
CX      Christmas Island
CY      Cyprus
CZ      Czech Republic
DE      Germany
DJ      Djibouti
DK      Denmark
DM      Dominica
DO      Dominican Republic
DZ      Algeria
EC      Ecuador
EDU     Educational Institutions
EE      Estonia
EG      Egypt
EH      Western Sahara
ER      Eritrea
ES      Spain
ET      Ethiopia
EU      European Union
FI      Finland
FJ      Fiji
FK      Falkland Islands (Malvinas)
FM      Micronesia, Federated States of
FO      Faroe Islands
FR      France
GA      Gabon
GB      United Kingdom
GD      Grenada
GE      Georgia
GF      French Guiana
GG      Guernsey
GH      Ghana
GI      Gibraltar
GL      Greenland
GM      Gambia
GN      Guinea
GOV     United States Government
GP      Guadeloupe
GQ      Equatorial Guinea
GR      Greece
GS      South Georgia and the South Sandwich Islands
GT      Guatemala
GU      Guam
GW      Guinea-Bissau
GY      Guyana
HK      Hong Kong
HM      Heard Island and McDonald Islands
HN      Honduras
HR      Croatia
HT      Haiti
HU      Hungary
ID      Indonesia
IE      Ireland
IL      Israel
IM      Isle of Man
IN      India
INFO    Generic top-level domain
IO      British Indian Ocean Territory
IQ      Iraq
IR      Iran, Islamic Republic of
IS      Iceland
IT      Italy
JE      Jersey
JM      Jamaica
JO      Jordan
JOBS    Reserved to serve needs of the international human resource management community
JP      Japan
KE      Kenya
KG      Kyrgyzstan
KH      Cambodia
KI      Kiribati
KM      Comoros
KN      Saint Kitts and Nevis
KP      Korea, Democratic People's Republic of
KR      Korea, Republic of
KW      Kuwait
KY      Cayman Islands
KZ      Kazakhstan
LA      Lao People's Democratic Republic
LB      Lebanon
LC      Saint Lucia
LI      Liechtenstein
LK      Sri Lanka
LR      Liberia
LS      Lesotho
LT      Lithuania
LU      Luxembourg
LV      Latvia
LY      Libyan Arab Jamahiriya
MA      Morocco
MC      Monaco
MD      Moldova, Republic of
ME      Montenegro
MF      Saint Martin (French part)
MG      Madagascar
MH      Marshall Islands
MIL     United States Military
MK      Macedonia, The Former Yugoslav Republic of
ML      Mali
MM      Myanmar
MN      Mongolia
MO      Macao
MOBI    consumers and providers of mobile products and services
MP      Northern Mariana Islands
MQ      Martinique
MR      Mauritania
MS      Montserrat
MT      Malta
MU      Mauritius
MUSEUM  museums
MV      Maldives
MW      Malawi
MX      Mexico
MY      Malaysia
MZ      Mozambique
NA      Namibia
NAME    individuals
NC      New Caledonia
NE      Niger
NET     Generic top-level domain
NF      Norfolk Island
NG      Nigeria
NI      Nicaragua
NL      Netherlands
NO      Norway
NP      Nepal
NR      Nauru
NU      Niue
NZ      New Zealand
OM      Oman
ORG     Generic top-level domain
PA      Panama
PE      Peru
PF      French Polynesia
PG      Papua New Guinea
PH      Philippines
PK      Pakistan
PL      Poland
PM      Saint Pierre and Miquelon
PN      Pitcairn
PR      Puerto Rico
PRO     Restricted to credentialed professionals and related entities
PS      Palestinian Territory, Occupied
PT      Portugal
PW      Palau
PY      Paraguay
QA      Qatar
RE      Reunion
RO      Romania
RS      Serbia
RU      Russian Federation
RW      Rwanda
SA      Saudi Arabia
SB      Solomon Islands
SC      Seychelles
SD      Sudan
SE      Sweden
SG      Singapore
SH      Saint Helena
SI      Slovenia
SJ      Svalbard and Jan Mayen
SK      Slovakia
SL      Sierra Leone
SM      San Marino
SN      Senegal
SO      Somalia
SR      Suriname
SS      South Sudan
ST      Sao Tome and Principe
SU      Soviet Union (being phased out)
SV      El Salvador
SX      Saint Maarten (Dutch part)
SY      Syrian Arab Republic
SZ      Swaziland
TC      Turks and Caicos Islands
TD      Chad
TEL     businesses and individuals to publish their contact data
TF      French Southern Territories
TG      Togo
TH      Thailand
TJ      Tajikistan
TK      Tokelau
TL      Timor-Leste
TM      Turkmenistan
TN      Tunisia
TO      Tonga
TP      Portuguese Timor (being phased out)
TR      Turkey
TRAVEL  entities whose primary area of activity is in the travel industry
TT      Trinidad and Tobago
TV      Tuvalu
TW      Taiwan, Province of China
TZ      Tanzania, United Republic of
UA      Ukraine
UG      Uganda
UK      United Kingdom
UM      United States Minor Outlying Islands
US      United States
UY      Uruguay
UZ      Uzbekistan
VA      Holy See (Vatican City State)
VC      Saint Vincent and the Grenadines
VE      Venezuela, Bolivarian Republic of
VG      Virgin Islands, British
VI      Virgin Islands, US
VN      Viet Nam
VU      Vanuatu
WF      Wallis and Futuna
WS      Samoa
XXX     the adult entertainment community
YE      Yemen
YT      Mayotte
ZA      South Africa
ZM      Zambia
ZW      Zimbabwe

Country Code Info Source:

http://en.wikipedia.org/wiki/ISO_3166-1
http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements


Uninstall

yum remove smeserver-xt_geoip   xtables-addons xtables-addons-kmod

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-xt_geoip component or use this link


Below is an overview of the current issues for this contrib:

IDProductVersionStatusSummary (4 tasks)
12445SME Contribs10.0CONFIRMEDNFR do not block remote access authorized
12438SME Contribs10.0CONFIRMEDwrong path to event /etc/e-smith/events/remote-access-update/
12418SME Contribs10.0CONFIRMEDsmeserver-xt_geoip NFR Add UDP support
10787SME Contribs9.2CONFIRMEDavoid masq restart and events optimisation

Changelog

Only released version in smecontrib are listed here.

smeserver-xt_geoip Changelog: SME 10 (smecontribs)
2024/03/02 Brian Read 1.3.1-20.sme
- Edit SM2 Menu entry to conform to new arrangements [SME: 12493]
2023/02/15 Michel Begue 1.3.1-19.sme
- fix module not loaded after update [SME: 10793]

2023/01/11 Michel Begue 1.3.1-18.sme
- add a message if module xt_geoip is missing or not loaded [SME: 12291]

- add a message if chain XTGeoIP is missing (iptables) [SME: 12291]
2022/11/11 Jean-Philippe Pialasse 1.3.1-17.sme
- apply locale 2022-11-11 patch
2022/07/13 Michel Begue 1.3.1-16.sme
- add fail2ban stats [SME: 12098]