Difference between revisions of "Xt geoip"
Unnilennium (talk | contribs) |
m (→Installation) |
||
(21 intermediate revisions by 3 users not shown) | |||
Line 30: | Line 30: | ||
{{#smeversion: xtables-addons-kmod }} | {{#smeversion: xtables-addons-kmod }} | ||
− | {{ | + | === Description === |
+ | |||
+ | {{Warning box|From MAXMIND site : | ||
+ | "Due to upcoming data privacy regulations, we are making significant changes to how you access free GeoLite2 databases starting December 30, 2019. Learn more on our blog." https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/ | ||
+ | |||
+ | Quote | ||
+ | Starting December 30, 2019, we will be requiring users of our GeoLite2 databases to register for a MaxMind account and obtain a license key in order to download GeoLite2 databases. We will continue to offer the GeoLite2 databases without charge, and with the ability to redistribute with proper attribution and in compliance with privacy regulations. In addition, we are introducing a new end-user license agreement to govern your use of the GeoLite2 databases. Previously, GeoLite2 databases were accessible for download to the public on our developer website and were licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. | ||
+ | |||
+ | Starting December 30, 2019, downloads will no longer be served from our public GeoLite2 page, from geolite.maxmind.com/download/geoip/database/*, or from any other public URL. | ||
+ | End Quote | ||
− | + | See the section below [[Xt geoip#installation|Installation]] for steps on how to migrate to the new download mechanism.}} | |
− | + | <!-- add a description here --> This contribs installs xtables-addons [http://xtables-addons.sourceforge.net/geoip.php (http://xtables-addons.sourceforge.net/geoip.php]) on SME Server 9.x. | |
− | <!-- add a description here --> | ||
+ | Xtables-addons includes xt_geoip used in this contribs to filter packets depending on the country they come from. | ||
=== Installation === | === Installation === | ||
− | yum --enablerepo=smecontribs | + | Sign up for a MaxMind account (no purchase required) https://dev.maxmind.com/geoip/geoip2/geolite2/ |
+ | |||
+ | Important - Note your login details and in particular your AccountID and LicenceKey | ||
+ | |||
+ | Go to Services My Licence key and generate a licence key, carefully note the key details, multiple keys may be created, these details are also used in the smeserver-geoip contrib. | ||
+ | |||
+ | The following config property keys and values will be used to set the geoip config db for ongoing updates see below | ||
+ | AccountID ####### | ||
+ | LicenseKey xxxxxxxxxxxxxxx | ||
+ | |||
+ | yum --enablerepo=smecontribs install smeserver-xt_geoip | ||
+ | |||
+ | you might need to update to last smeserver-yum >= 2.4.0-23 or you will get an error because of missing GPG key. | ||
+ | A configuration db may already be present from another contrib, check for its existence | ||
+ | |||
+ | # config show geoip | ||
+ | geoip=service | ||
+ | status=enabled | ||
+ | |||
+ | If it does exists and the LicenseKey and AccountID are NOT present perform the following | ||
+ | db configuration setprop geoip LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID" | ||
+ | |||
+ | If the configuration db is not present it needs to be created with following keys and properties: | ||
+ | db configuration set geoip service status enabled LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID" | ||
+ | |||
+ | # config show geoip | ||
+ | geoip=service | ||
+ | AccountID=xxxxxx | ||
+ | LicenseKey=xxxxxxxxxxxxxxx | ||
+ | status=enabled | ||
then<syntaxhighlight lang="bash"> | then<syntaxhighlight lang="bash"> | ||
+ | modprobe xt_geoip | ||
signal-event xt_geoip-update | signal-event xt_geoip-update | ||
config set UnsavedChanges no | config set UnsavedChanges no | ||
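Review bot: the line "Important - Note your login details and in particular your AccountID and LicenceKey" spells the property "LicenceKey", while the db commands below and the config show output in the same hunk use "LicenseKey"; align the prose to "LicenseKey", because a reader who types the prose spelling into "db configuration setprop geoip ..." creates a differently named property. Also "If it does exists" should read "If it exists".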
Line 49: | Line 88: | ||
you might have issues with kmod not populating the weak-updates folder, which results in geoip module being not available (modprobe xt_geoip will give an error, and panel will indicate iptable geoip not working), if so just run : | you might have issues with kmod not populating the weak-updates folder, which results in geoip module being not available (modprobe xt_geoip will give an error, and panel will indicate iptable geoip not working), if so just run : | ||
weak-modules --add-kernel | weak-modules --add-kernel | ||
+ | |||
=== Configuration === | === Configuration === | ||
− | The easiest way should be to go to server manager and use the panel. | + | The easiest way should be to go to server manager and use the panel. There you will be able to : |
+ | * configure a global filter list of country. You can either only accept the defined countries or reject the defined countries. | ||
+ | * configure a per service (port), exclusion list. Similarly you can either only accept the defined countries or reject the defined countries. | ||
+ | * configure whether you want the global filter override the per service rule, or only filter all other ports without a specific geoip rule. | ||
+ | |||
+ | The server-manager offers also after the first 24 hours statistics. | ||
+ | ==== global masq properties ==== | ||
you can list the available configuration with the following command : | you can list the available configuration with the following command : | ||
config show masq | config show masq | ||
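Review bot: the third bullet, "only filter all other ports without a specific geoip rule", describes the global filter as limited to ports that have no per-service rule, whereas the XTGeoipOther row in the masq properties table further down says the global rule "will apply only to services/ports with a specific geoip defined rule"; these are opposite behaviours, so one of the two wordings should be corrected to match what the template actually does.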
Line 64: | Line 110: | ||
|- | |- | ||
|BadCountries | |BadCountries | ||
− | | | + | | |
|coma separated strings | |coma separated strings | ||
− | |list of 2 letters countries to block | + | |list of 2 letters countries to block for the global filter. If empty the global filter is deactivated, max of 50 countries. |
|- | |- | ||
|GeoIP | |GeoIP | ||
|enabled | |enabled | ||
|enabled,disabled | |enabled,disabled | ||
+ | |enable or disable all the geoip filtering services. (ie per service AND global rules) | ||
+ | |- | ||
+ | |XtServices | ||
+ | |imaps,pop3s,sshd,ftp,ssmtpd | ||
+ | |coma separated strings | ||
+ | |list of existing services in configuration db with defined TCPPorts. You can manually override the list to add your own services (see below). | ||
+ | |- | ||
+ | |XTGeoipRev | ||
+ | |disabled | ||
+ | |enabled,disabled | ||
+ | |if enabled the "BadCountries" list will be reversed match, in other words only countries in this list will be allowed. If the property is empty or missing, its value is defaulted to disabled. | ||
+ | |- | ||
+ | |XTGeoipOther | ||
+ | |disabled | ||
+ | |enabled,disabled | ||
+ | |if enabled the global rule will apply only to services/ports with a specific geoip defined rule. If the property is empty or missing, its value is defaulted to disabled. | ||
+ | |- | ||
+ | |XTlogmail | ||
+ | |disabled | ||
+ | |enabled,disabled | ||
+ | |if enabled the daily processing sends summary messages to the administrator. If the property is empty or missing, its value is defaulted to disabled. | ||
|} | |} | ||
+ | |||
+ | '''To override the list of services''' (XtServices) : click on the button under the table of managed services. You get a panel with a list of all existing services (tcp) on the server. You can then (un)select [ctrl-click] and obtain your own services. | ||
NOTE: masq is a the entry fo the SME firewall, there are plenty of other property for this key, please refer to manual. Only properties added by this contrib are referenced here. | NOTE: masq is a the entry fo the SME firewall, there are plenty of other property for this key, please refer to manual. Only properties added by this contrib are referenced here. | ||
+ | |||
+ | NOTE2: Only Xtlogmail is not configurable using the Server-Manager. | ||
+ | |||
+ | ==== per service properties ==== | ||
+ | you can list the available configuration with the following command : | ||
+ | config show servicename | ||
+ | |||
+ | For the different services you will also encounter those properties | ||
+ | {| class="wikitable" | ||
+ | !property | ||
+ | !default | ||
+ | !values | ||
+ | ! | ||
+ | |- | ||
+ | |BadCountries | ||
+ | |A1 | ||
+ | |coma separated strings | ||
+ | |list of 2 letters countries to block for this specific service. If empty the global filter is deactivated, max of 50 countries | ||
+ | |- | ||
+ | |XTGeoipRev | ||
+ | |disabled | ||
+ | |enabled,disabled | ||
+ | |if enabled the "BadCountries" list will be reversed match, in other words only countries in this list will be allowed. If the property is empty or missing, its value is defaulted to disabled. | ||
+ | |- | ||
+ | |XTGeoipOther | ||
+ | |disabled | ||
+ | |enabled,disabled | ||
+ | |if enabled the global rule will apply only to services/ports with a specific geoip defined rule. If the property is empty or missing, its value is defaulted to disabled. | ||
+ | |} | ||
+ | |||
+ | NOTE: All services have their own specific properties, please refer to manual. Only properties added by this contrib are referenced here. | ||
=== Abbreviated Country Code List === | === Abbreviated Country Code List === | ||
− | {{# | + | (This list is available with a click on the first panel) |
+ | {{#lsth:GeoIP| Abbreviated Country Code List }} | ||
=== Uninstall === | === Uninstall === | ||
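Review bot: the per-service table carries wording copied from the global table: its BadCountries row says "If empty the global filter is deactivated" although the property belongs to one service, and its XTGeoipOther row repeats the global-rule description word for word; both should be reworded for the per-service case. Since the per-service BadCountries default is "A1", it is also worth stating there that A1 (Anonymous Proxy in the country code list) is blocked on every managed service until the administrator changes the list.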
Line 90: | Line 191: | ||
Only released version in smecontrib are listed here. | Only released version in smecontrib are listed here. | ||
− | {{#smechangelog: | + | {{#smechangelog: smeserver-xt_geoip }} |
Latest revision as of 09:00, 26 November 2021
xt geoip logo | |
---|---|
Maintainer | mab974 |
Url | https://wiki.contribs.org |
Category | |
Tags | ssh, geoip, iptables, firewall, geoip2 |
Description
This contrib installs xtables-addons (http://xtables-addons.sourceforge.net/geoip.php) on SME Server 9.x.
Xtables-addons includes xt_geoip, which this contrib uses to filter packets according to the country their source address belongs to.
Installation
Sign up for a MaxMind account (no purchase required): https://dev.maxmind.com/geoip/geoip2/geolite2/
Important: note your login details, in particular your AccountID and LicenseKey.
Go to Services > My License Key and generate a license key, and note the key details carefully. Multiple keys may be created, and these details are also used by the smeserver-geoip contrib.
The following configuration properties are used to set up the geoip configuration db entry that drives the ongoing database updates (see below):
AccountID #######
LicenseKey xxxxxxxxxxxxxxx
yum --enablerepo=smecontribs install smeserver-xt_geoip
You might need to update to the latest smeserver-yum (>= 2.4.0-23) first, or the install fails with a missing GPG key error.
A geoip configuration db entry may already be present from another contrib; check for it:
# config show geoip
geoip=service
    status=enabled
If it exists but the LicenseKey and AccountID properties are NOT present, add them:
db configuration setprop geoip LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID"
If the entry is not present, create it with the following keys and properties:
db configuration set geoip service status enabled LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID"
# config show geoip
geoip=service
    AccountID=xxxxxx
    LicenseKey=xxxxxxxxxxxxxxx
    status=enabled
Then run:
modprobe xt_geoip
signal-event xt_geoip-update
config set UnsavedChanges no
You might run into kmod not populating the weak-updates folder, which leaves the geoip module unavailable (modprobe xt_geoip gives an error and the panel reports that iptables geoip is not working). If so, run:
weak-modules --add-kernel
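The existence check in the Installation steps above, as an added example that is not part of the contrib: a POSIX shell function that reads the text printed by config show geoip and emits the one db command those steps call for. It assumes that a missing entry makes config show geoip print nothing; the geoip_db_command name and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the contrib: apply the "check for an existing
# geoip entry" logic from the Installation steps without typing the commands
# by hand. The output of "config show geoip" is passed in as text so this runs
# offline; on the server you would call it with "$(config show geoip)" and run
# the command it prints.
# Assumption: a missing entry makes "config show geoip" print nothing.

# geoip_db_command SHOW_OUTPUT ACCOUNT_ID LICENSE_KEY
#   prints the db command the Installation steps call for, or nothing when the
#   entry already carries both properties
geoip_db_command() {
    shown=$1; acct=$2; key=$3
    case $shown in
        geoip=service*) ;;          # entry exists: fall through to the property check
        *)  # no entry: create it with the keys and properties documented above
            echo "db configuration set geoip service status enabled LicenseKey \"$key\" AccountID \"$acct\""
            return 0 ;;
    esac
    has_key=0; has_acct=0
    for token in $shown; do         # one "prop=value" token per line of config show
        case $token in
            LicenseKey=*) has_key=1 ;;
            AccountID=*)  has_acct=1 ;;
        esac
    done
    if [ "$has_key" -eq 1 ] && [ "$has_acct" -eq 1 ]; then
        return 0                    # already configured, nothing to do
    fi
    # entry exists but the MaxMind properties are missing: add them
    echo "db configuration setprop geoip LicenseKey \"$key\" AccountID \"$acct\""
}

# Constructed sample of what "config show geoip" prints when another contrib
# created the entry without the MaxMind properties.
sample="geoip=service
    status=enabled"
geoip_db_command "$sample" "YOUR ACCT ID" "YOUR LIC KEY"
```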
Configuration
The easiest way is to use the panel in the server manager. There you can:
- configure a global filter list of countries, either accepting only the listed countries or rejecting them.
- configure a per-service (port) exclusion list; again, either accept only the listed countries or reject them.
- choose whether the global filter overrides the per-service rules or only filters the other ports that have no specific geoip rule.
After the first 24 hours the server-manager also shows statistics.
global masq properties
You can list the current configuration with the following command:
config show masq
Some properties are not shown because their defaults live in a template or a script. Here is a more complete list with defaults and accepted values:
property | default | values | description |
---|---|---|---|
BadCountries | (empty) | comma-separated strings | list of 2-letter country codes to block for the global filter. If empty, the global filter is deactivated; maximum of 50 countries. |
GeoIP | enabled | enabled,disabled | enable or disable all geoip filtering (i.e. per-service AND global rules) |
XtServices | imaps,pop3s,sshd,ftp,ssmtpd | comma-separated strings | list of existing services in the configuration db with defined TCPPorts. You can manually override the list to add your own services (see below). |
XTGeoipRev | disabled | enabled,disabled | if enabled, the "BadCountries" list is reverse-matched: only countries in the list are allowed. If the property is empty or missing, it defaults to disabled. |
XTGeoipOther | disabled | enabled,disabled | if enabled, the global rule applies only to services/ports with a specific geoip rule defined. If the property is empty or missing, it defaults to disabled. |
XTlogmail | disabled | enabled,disabled | if enabled, the daily processing sends summary messages to the administrator. If the property is empty or missing, it defaults to disabled. |
To override the list of services (XtServices): click the button under the table of managed services. You get a panel listing all existing TCP services on the server; (un)select entries with ctrl-click to build your own list.
NOTE: masq is the configuration entry for the SME firewall and has many other properties; please refer to the manual. Only properties added by this contrib are listed here.
NOTE2: XTlogmail is the only property that cannot be configured from the Server-Manager.
per service properties
You can list a service's configuration with the following command (replace servicename with the service, e.g. sshd):
config show servicename
On the managed services you will also encounter these properties:
property | default | values | description |
---|---|---|---|
BadCountries | A1 | comma-separated strings | list of 2-letter country codes to block for this specific service. If empty, the global filter is deactivated; maximum of 50 countries. |
XTGeoipRev | disabled | enabled,disabled | if enabled, the "BadCountries" list is reverse-matched: only countries in the list are allowed. If the property is empty or missing, it defaults to disabled. |
XTGeoipOther | disabled | enabled,disabled | if enabled, the global rule applies only to services/ports with a specific geoip rule defined. If the property is empty or missing, it defaults to disabled. |
NOTE: All services have their own specific properties as well; please refer to the manual. Only properties added by this contrib are listed here.
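The BadCountries/XTGeoipRev semantics of both tables above, as an added example that is not the contrib's own template code: a POSIX shell function that turns one BadCountries value and its XTGeoipRev flag (optionally for one service port) into the iptables xt_geoip rule it implies, after checking the constraints the tables state (comma-separated 2-letter codes, at most 50, empty list disables the filter). The INPUT chain, the DROP target and the geoip_rule name are assumptions; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not the contrib's own template code: turn one BadCountries /
# XTGeoipRev pair into the iptables xt_geoip rule it implies, after checking
# the constraints documented in the tables (comma-separated 2-letter codes, at
# most 50, empty list = filter off). Rules are printed, not applied.
# Assumptions: rules are appended to the given chain with a DROP target.

# geoip_rule CHAIN COUNTRIES REV [PORT]
#   CHAIN      chain to append to, e.g. INPUT
#   COUNTRIES  the BadCountries value, e.g. "CN,RU" (empty disables the filter)
#   REV        XTGeoipRev value: "enabled" means only the listed countries pass
#   PORT       optional TCP port, giving a per-service rule instead of a global one
# Prints the rule, prints nothing for an empty list, returns 1 on invalid input.
geoip_rule() {
    chain=$1; countries=$2; rev=$3; port=$4
    if [ -z "$countries" ]; then
        return 0                # documented behaviour: empty list = filter deactivated
    fi
    count=0
    old_ifs=$IFS; IFS=,
    for cc in $countries; do
        # a code is two characters: a letter, then a letter or digit (covers A1/A2)
        case $cc in
            [ABCDEFGHIJKLMNOPQRSTUVWXYZ][ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]) ;;
            *) IFS=$old_ifs; echo "invalid country code: '$cc'" >&2; return 1 ;;
        esac
        count=$((count + 1))
    done
    IFS=$old_ifs
    # the tables quote a maximum of 50 countries per list
    if [ "$count" -gt 50 ]; then
        echo "too many countries: $count (max 50)" >&2; return 1
    fi
    match="--src-cc $countries"
    if [ "$rev" = "enabled" ]; then
        match="! --src-cc $countries"   # reverse match: drop anything NOT listed
    fi
    portopt=""
    if [ -n "$port" ]; then
        portopt="-p tcp --dport $port "  # per-service rule on one TCP port
    fi
    echo "iptables -A $chain ${portopt}-m geoip $match -j DROP"
}

# Constructed demo values: a global block list, the per-service default (A1 =
# Anonymous Proxy) on sshd's port, and an allow-list-only rule for imaps.
geoip_rule INPUT "CN,RU" disabled
geoip_rule INPUT "A1" disabled 22
geoip_rule INPUT "FR,DE" enabled 993
```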
Abbreviated Country Code List
(This list is available with a click on the first panel)
A1 Anonymous Proxy A2 Satellite Provider AC Ascension Island AD Andorra AE United Arab Emirates AERO members of the air-transport industry AF Afghanistan AG Antigua and Barbuda AI Anguilla AL Albania AM Armenia AN Netherlands Antilles (being phased out) AO Angola AQ Antarctica AP Asia/Pacific AR Argentina AS American Samoa ASIA Restricted to the Pan-Asia and Asia Pacific community AT Austria AU Australia AW Aruba AX Aland Islands AZ Azerbaijan BA Bosnia and Herzegovina BB Barbados BD Bangladesh BE Belgium BF Burkina Faso BG Bulgaria BH Bahrain BI Burundi BIZ Restricted for Business BJ Benin BL Saint Barthelemy BM Bermuda BN Brunei Darussalam BO Bolivia BQ Bonaire, Sint Eustatius and Saba BR Brazil BS Bahamas BT Bhutan BV Bouvet Island BW Botswana BY Belarus BZ Belize CA Canada CC Cocos (Keeling) Islands CD Congo, The Democratic Republic of the CF Central African Republic CG Congo CH Switzerland CI Cote d'Ivoire CK Cook Islands CL Chile CM Cameroon CN China CO Colombia COM Generic top-level domain COOP cooperative associations CR Costa Rica CU Cuba CV Cape Verde CW Curaçao CX Christmas Island CY Cyprus CZ Czech Republic DE Germany DJ Djibouti DK Denmark DM Dominica DO Dominican Republic DZ Algeria EC Ecuador EDU Educational Institutions EE Estonia EG Egypt EH Western Sahara ER Eritrea ES Spain ET Ethiopia EU European Union FI Finland FJ Fiji FK Falkland Islands (Malvinas) FM Micronesia, Federated States of FO Faroe Islands FR France GA Gabon GB United Kingdom GD Grenada GE Georgia GF French Guiana GG Guernsey GH Ghana GI Gibraltar GL Greenland GM Gambia GN Guinea GOV United States Government GP Guadeloupe GQ Equatorial Guinea GR Greece GS South Georgia and the South Sandwich Islands GT Guatemala GU Guam GW Guinea-Bissau GY Guyana HK Hong Kong HM Heard Island and McDonald Islands HN Honduras HR Croatia HT Haiti HU Hungary ID Indonesia IE Ireland IL Israel IM Isle of Man IN India INFO Generic top-level domain IO British Indian Ocean Territory IQ Iraq IR Iran, Islamic 
Republic of IS Iceland IT Italy JE Jersey JM Jamaica JO Jordan JOBS Reserved to serve needs of the international human resource management community JP Japan KE Kenya KG Kyrgyzstan KH Cambodia KI Kiribati KM Comoros KN Saint Kitts and Nevis KP Korea, Democratic People's Republic of KR Korea, Republic of KW Kuwait KY Cayman Islands KZ Kazakhstan LA Lao People's Democratic Republic LB Lebanon LC Saint Lucia LI Liechtenstein LK Sri Lanka LR Liberia LS Lesotho LT Lithuania LU Luxembourg LV Latvia LY Libyan Arab Jamahiriya MA Morocco MC Monaco MD Moldova, Republic of ME Montenegro MF Saint Martin (French part) MG Madagascar MH Marshall Islands MIL United States Military MK Macedonia, The Former Yugoslav Republic of ML Mali MM Myanmar MN Mongolia MO Macao MOBI consumers and providers of mobile products and services MP Northern Mariana Islands MQ Martinique MR Mauritania MS Montserrat MT Malta MU Mauritius MUSEUM museums MV Maldives MW Malawi MX Mexico MY Malaysia MZ Mozambique NA Namibia NAME individuals NC New Caledonia NE Niger NET Generic top-level domain NF Norfolk Island NG Nigeria NI Nicaragua NL Netherlands NO Norway NP Nepal NR Nauru NU Niue NZ New Zealand OM Oman ORG Generic top-level domain PA Panama PE Peru PF French Polynesia PG Papua New Guinea PH Philippines PK Pakistan PL Poland PM Saint Pierre and Miquelon PN Pitcairn PR Puerto Rico PRO Restricted to credentialed professionals and related entities PS Palestinian Territory, Occupied PT Portugal PW Palau PY Paraguay QA Qatar RE Reunion RO Romania RS Serbia RU Russian Federation RW Rwanda SA Saudi Arabia SB Solomon Islands SC Seychelles SD Sudan SE Sweden SG Singapore SH Saint Helena SI Slovenia SJ Svalbard and Jan Mayen SK Slovakia SL Sierra Leone SM San Marino SN Senegal SO Somalia SR Suriname SS South Sudan ST Sao Tome and Principe SU Soviet Union (being phased out) SV El Salvador SX Saint Maarten (Dutch part) SY Syrian Arab Republic SZ Swaziland TC Turks and Caicos Islands TD Chad TEL businesses and 
individuals to publish their contact data TF French Southern Territories TG Togo TH Thailand TJ Tajikistan TK Tokelau TL Timor-Leste TM Turkmenistan TN Tunisia TO Tonga TP Portuguese Timor (being phased out) TR Turkey TRAVEL entities whose primary area of activity is in the travel industry TT Trinidad and Tobago TV Tuvalu TW Taiwan, Province of China TZ Tanzania, United Republic of UA Ukraine UG Uganda UK United Kingdom UM United States Minor Outlying Islands US United States UY Uruguay UZ Uzbekistan VA Holy See (Vatican City State) VC Saint Vincent and the Grenadines VE Venezuela, Bolivarian Republic of VG Virgin Islands, British VI Virgin Islands, US VN Viet Nam VU Vanuatu WF Wallis and Futuna WS Samoa XXX the adult entertainment community YE Yemen YT Mayotte ZA South Africa ZM Zambia ZW Zimbabwe
Country Code Info Source:
http://en.wikipedia.org/wiki/ISO_3166-1 http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
Uninstall
yum remove smeserver-xt_geoip xtables-addons xtables-addons-kmod
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-xt_geoip component, or use this link.
Below is an overview of the current issues for this contrib:
ID | Product | Version | Status | Summary (4 tasks) |
---|---|---|---|---|
12445 | SME Contribs | 10.0 | CONFIRMED | NFR do not block remote access authorized |
12438 | SME Contribs | 10.0 | CONFIRMED | wrong path to event /etc/e-smith/events/remote-access-update/ |
12418 | SME Contribs | 10.0 | CONFIRMED | smeserver-xt_geoip NFR Add UDP support |
10787 | SME Contribs | 9.2 | CONFIRMED | avoid masq restart and events optimisation |
Changelog
Only versions released in smecontribs are listed here.
- Edit SM2 Menu entry to conform to new arrangements [SME: 12493]
- fix module not loaded after update [SME: 10793]
2023/01/11 Michel Begue 1.3.1-18.sme
- add a message if module xt_geoip is missing or not loaded [SME: 12291]
- apply locale 2022-11-11 patch
- add fail2ban stats [SME: 12098]