Line 31: |
Line 31: |
| | | |
| === Description === | | === Description === |
| + | |
| + | {{Warning box|From MAXMIND site : |
| + | "Due to upcoming data privacy regulations, we are making significant changes to how you access free GeoLite2 databases starting December 30, 2019. Learn more on our blog." https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/ |
| + | |
| + | Quote |
| + | Starting December 30, 2019, we will be requiring users of our GeoLite2 databases to register for a MaxMind account and obtain a license key in order to download GeoLite2 databases. We will continue to offer the GeoLite2 databases without charge, and with the ability to redistribute with proper attribution and in compliance with privacy regulations. In addition, we are introducing a new end-user license agreement to govern your use of the GeoLite2 databases. Previously, GeoLite2 databases were accessible for download to the public on our developer website and were licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. |
| + | |
| + | Starting December 30, 2019, downloads will no longer be served from our public GeoLite2 page, from geolite.maxmind.com/download/geoip/database/*, or from any other public URL. |
| + | End Quote |
| + | |
| + | See the section below [[Xt geoip#installation|Installation]] for steps on how to migrate to the new download mechanism.}} |
| + | |
| <!-- add a description here --> This contribs installs xtables-addons [http://xtables-addons.sourceforge.net/geoip.php (http://xtables-addons.sourceforge.net/geoip.php]) on SME Server 9.x. | | <!-- add a description here --> This contribs installs xtables-addons [http://xtables-addons.sourceforge.net/geoip.php (http://xtables-addons.sourceforge.net/geoip.php]) on SME Server 9.x. |
| | | |
− | Xtables-addons includes xt_geoip used in this contribs to filter packets depending on the country they come from. | + | Xtables-addons includes xt_geoip used in this contribs to filter packets depending on the country they come from. |
| | | |
| === Installation === | | === Installation === |
| + | Sign up for a MaxMind account (no purchase required) https://dev.maxmind.com/geoip/geoip2/geolite2/ |
| + | |
| + | Important - Note your login details and in particular your AccountID and LicenceKey |
| + | |
| + | Go to Services My Licence key and generate a licence key, carefully note the key details, multiple keys may be created, these details are also used in the smeserver-geoip contrib. |
| + | |
| + | The following config property keys and values will be used to set the geoip config db for ongoing updates see below |
| + | AccountID ####### |
| + | LicenseKey xxxxxxxxxxxxxxx |
| + | |
| yum --enablerepo=smecontribs install smeserver-xt_geoip | | yum --enablerepo=smecontribs install smeserver-xt_geoip |
| | | |
| you might need to update to last smeserver-yum >= 2.4.0-23 or you will get an error because of missing GPG key. | | you might need to update to last smeserver-yum >= 2.4.0-23 or you will get an error because of missing GPG key. |
| + | |
| + | A configuration db may already be present from another contrib, check for its existence |
| + | |
| + | # config show geoip |
| + | geoip=service |
| + | status=enabled |
| + | |
| + | If it does exists and the LicenseKey and AccountID are NOT present perform the following |
| + | db configuration setprop LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID" |
| + | |
| + | If the configuration db is not present it needs to be created with following keys and properties: |
| + | db configuration set geoip service status enabled LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID" |
| + | |
| + | # config show geoip |
| + | geoip=service |
| + | AccountID=xxxxxx |
| + | LicenseKey=xxxxxxxxxxxxxxx |
| + | status=enabled |
| + | |
| then<syntaxhighlight lang="bash"> | | then<syntaxhighlight lang="bash"> |
| + | modprobe xt_geoip |
| signal-event xt_geoip-update | | signal-event xt_geoip-update |
| config set UnsavedChanges no | | config set UnsavedChanges no |
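Review bot: the setprop command under "If it does exists and the LicenseKey and AccountID are NOT present" omits the db key, so it sets nothing on geoip: `db configuration setprop LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID"` should read `db configuration setprop geoip LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID"`, matching the key name used in the `db configuration set geoip service ...` line just below it. In the same region the property is spelled "LicenceKey" in the MaxMind sign-up step but "LicenseKey" everywhere the db is set and shown; the db tool treats those as different property names, so use the one spelling. Since the license key is a credential that `config show geoip` prints in clear, the text should also say not to paste the real key into forum posts or bug reports, and that a replacement key can be created from the MaxMind licence key page if one leaks (the hunk already notes that multiple keys may be created). Minor: the unchanged link `[http://xtables-addons.sourceforge.net/geoip.php (http://xtables-addons.sourceforge.net/geoip.php])` has the closing bracket inside the parenthesis and will not render as intended.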
Line 46: |
Line 88: |
| you might have issues with kmod not populating the weak-updates folder, which results in geoip module being not available (modprobe xt_geoip will give an error, and panel will indicate iptable geoip not working), if so just run : | | you might have issues with kmod not populating the weak-updates folder, which results in geoip module being not available (modprobe xt_geoip will give an error, and panel will indicate iptable geoip not working), if so just run : |
| weak-modules --add-kernel | | weak-modules --add-kernel |
| + | |
| === Configuration === | | === Configuration === |
− | The easiest way should be to go to server manager and use the panel. | + | The easiest way should be to go to server manager and use the panel. There you will be able to : |
| + | * configure a global filter list of country. You can either only accept the defined countries or reject the defined countries. |
| + | * configure a per service (port), exclusion list. Similarly you can either only accept the defined countries or reject the defined countries. |
| + | * configure whether you want the global filter override the per service rule, or only filter all other ports without a specific geoip rule. |
| | | |
| + | The server-manager offers also after the first 24 hours statistics. |
| + | |
| + | ==== global masq properties ==== |
| you can list the available configuration with the following command : | | you can list the available configuration with the following command : |
| config show masq | | config show masq |
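Review bot: the third bullet, "configure whether you want the global filter override the per service rule, or only filter all other ports without a specific geoip rule", describes two exclusive modes but does not say which masq property selects them or which is the default, so a reader cannot map the panel choice to `config show masq` output; name the property and its default here. The kmod workaround above it, `weak-modules --add-kernel`, is given without a way to confirm it worked: state that `modprobe xt_geoip` should now load without error (and that `lsmod | grep xt_geoip` lists the module) before `signal-event xt_geoip-update` is run, since the update is pointless while the module is missing. "The server-manager offers also after the first 24 hours statistics" should say what is reported and where the numbers come from.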
Line 61: |
Line 110: |
| |- | | |- |
| |BadCountries | | |BadCountries |
− | |A1 | + | | |
| |coma separated strings | | |coma separated strings |
− | |list of 2 letters countries to block | + | |list of 2 letters countries to block for the global filter. If empty the global filter is deactivated. |
| |- | | |- |
| |GeoIP | | |GeoIP |
| |enabled | | |enabled |
| |enabled,disabled | | |enabled,disabled |
| + | |enable or disable all the geoip filtering services. (ie per service AND global rules) |
| + | |- |
| + | |XtServices |
| + | |imaps,pop3s,sshd,ftp,ssmtpd |
| + | |coma separated strings |
| + | |list of existing services in configuration db with defined TCPPorts. You can manually override the list to add your own services (see below). |
| + | |- |
| + | |XTGeoipRev |
| + | |disabled |
| + | |enabled,disabled |
| + | |if enabled the "BadCountries" list will be reversed match, in other words only countries in this list will be allowed. If the property is empty or missing, its value is defaulted to disabled. |
| + | |- |
| + | |XTGeoipOther |
| + | |disabled |
| + | |enabled,disabled |
| + | |if enabled the global rule will apply only to services/ports with a specific geoip defined rule. If the property is empty or missing, its value is defaulted to disabled. |
| + | |- |
| + | |XTlogmail |
| + | |disabled |
| + | |enabled,disabled |
| + | |if enabled the daily processing sends summary messages to the administrator. If the property is empty or missing, its value is defaulted to disabled. |
| |} | | |} |
| + | |
| + | '''To override the list of services''' (XtServices) : click on the button under the table of managed services. You get a panel with a list of all existing services (tcp) on the server. You can then (un)select [ctrl-click] and obtain your own services. |
| | | |
| NOTE: masq is a the entry fo the SME firewall, there are plenty of other property for this key, please refer to manual. Only properties added by this contrib are referenced here. | | NOTE: masq is a the entry fo the SME firewall, there are plenty of other property for this key, please refer to manual. Only properties added by this contrib are referenced here. |
| + | |
| + | NOTE2: Only Xtlogmail is not configurable using the Server-Manager. |
| + | |
| + | ==== per service properties ==== |
| + | you can list the available configuration with the following command : |
| + | config show servicename |
| + | |
| + | For the different services you will also encounter those properties |
| + | {| class="wikitable" |
| + | !property |
| + | !default |
| + | !values |
| + | ! |
| + | |- |
| + | |BadCountries |
| + | |A1 |
| + | |coma separated strings |
| + | |list of 2 letters countries to block for this specific service. If empty the global filter is deactivated. |
| + | |- |
| + | |XTGeoipRev |
| + | |disabled |
| + | |enabled,disabled |
| + | |if enabled the "BadCountries" list will be reversed match, in other words only countries in this list will be allowed. If the property is empty or missing, its value is defaulted to disabled. |
| + | |- |
| + | |XTGeoipOther |
| + | |disabled |
| + | |enabled,disabled |
| + | |if enabled the global rule will apply only to services/ports with a specific geoip defined rule. If the property is empty or missing, its value is defaulted to disabled. |
| + | |} |
| + | |
| + | NOTE: All services have their own specific properties, please refer to manual. Only properties added by this contrib are referenced here. |
| | | |
| === Abbreviated Country Code List === | | === Abbreviated Country Code List === |
| + | (This list is available with a click on the first panel) |
| {{#lsth:GeoIP| Abbreviated Country Code List }} | | {{#lsth:GeoIP| Abbreviated Country Code List }} |
| | | |
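Review bot: the description of XTGeoipOther, "if enabled the global rule will apply only to services/ports with a specific geoip defined rule", contradicts the Configuration bullet earlier on the page, which says the choice is between the global filter overriding the per service rules and filtering only the other ports without a specific rule; as written, enabling "Other" would apply the global list to exactly the ports that already have their own list, the opposite of what the name suggests. Spell out the behaviour for both values and the default. The per service table also carries copy-paste errors from the global table: BadCountries keeps the default "A1" and the sentence "If empty the global filter is deactivated", although for a service an empty list should disable that service's filter, and XTGeoipOther is listed as a per service property even though it selects between global and per service scope. Worth documenting too is what happens when XTGeoipRev is enabled but BadCountries is empty: the global table says an empty list deactivates the filter, which would mean an "allow only these countries" configuration silently allows everything rather than denying everything, and an administrator will expect the opposite. Minor: "coma separated" should be "comma separated"; "masq is a the entry fo the SME firewall" has two typos; "Xtlogmail" in NOTE2 does not match the property name XTlogmail used in the table.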