#1  Just Joined!, joined Apr 2010, 1 post

    GeoIP filtering with iptables on CentOS


    OK.

    I wanted to tell my server to block all traffic but US-only traffic. So I followed this guide:

    lazyadmin.wordpress.com/2010/08/10/country-based-blocking-using-geoip-and-iptables-on-centos/

    Now I know it's the best way to help prevent hackers/crackers (doesn't matter to me what they are called, I just have to stop them). My server only deals with US clients anyway, so I might as well start right there for my server's security before getting into the brute force and injection preventions.

    So I got it all done, compiled everything and moved it to the proper directory. I then started to set up my iptables, like so:

    Code:
    # flush the filter chains first, then rebuild them (policies are still ACCEPT here)
    iptables -F INPUT
    iptables -F OUTPUT
    # SSH and all other TCP from the redacted address *.*.*.*, plus local TCP
    iptables -I INPUT 1 -s *.*.*.* -p tcp --dport 22 -j ACCEPT
    iptables -I INPUT 2 -s *.*.*.* -p tcp -j ACCEPT
    iptables -I INPUT 2 -s 127.0.0.1 -p tcp -j ACCEPT
    iptables -I OUTPUT 1 -d *.*.*.* -p tcp -j ACCEPT
    # DNS to 8.8.8.8 and 8.8.4.4 over UDP and TCP; replies are only let in as ESTABLISHED
    iptables -A OUTPUT -p udp -s *.*.*.* --sport 1024:65535 -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d *.*.*.* --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s *.*.*.* --sport 1024:65535 -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s 8.8.8.8 --sport 53 -d *.*.*.* --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p udp -s *.*.*.* --sport 1024:65535 -d 8.8.4.4 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp -s 8.8.4.4 --sport 53 -d *.*.*.* --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s *.*.*.* --sport 1024:65535 -d 8.8.4.4 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s 8.8.4.4 --sport 53 -d *.*.*.* --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    # a chain policy has to be a built-in target (ACCEPT or DROP);
    # REJECT is an extension target, so "-P INPUT REJECT" is refused by iptables
    iptables -P INPUT DROP
    I then went and finished with

    Code:
    iptables -A INPUT -m geoip --src-cc US -j ACCEPT
    which screamed at me with this error:

    Code:
    iptables: Unknown error 18446744073709551615
    After some debugging and looking around I found "kernel: ipt_geoip: unable to load 'US' into memory" in the /var/log/messages file.

    After seeing that I went digging in the code and figured it was something to do with memory allocation. Anyone have an idea on how to solve this?

#2  Linux Guru Lazydog, joined Jun 2004, The Keystone State, 2,677 posts
    Not sure about this geoip thing you are trying to do, but the rules you have now are a mess.

    Here is a TUTORIAL for IPTABLES.
    You should first think about cleaning up your rules.
    Also, with a patched kernel you might have to go to the patch maker to get things to work.

    Regards
    Robert

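Lazydog points at a tutorial rather than a fixed ruleset, so here is an added example (not code from the thread or from any poster) of the ordering a stateful country filter normally needs: loopback matched by interface rather than by source address, replies to the host's own connections accepted before any geo check, only NEW TCP connections tested with the thread's `-m geoip --src-cc`, and the DROP policy set last so a half-built table never locks out the SSH session. It assumes the public interface is eth0, services on ports 22/80/443 and the same ipt_geoip match the thread uses; those are assumptions, not details from the posts. By default (DRY_RUN=1) it only prints the commands; DRY_RUN=0 executes them and needs root.

```sh
#!/bin/sh
# Added example, not code from the thread.  Builds a stateful INPUT ruleset
# that admits new TCP connections only from one country.
# Assumptions (not from the posts): public interface eth0, services on
# 22/80/443, and the ipt_geoip match spelled "-m geoip --src-cc" as in the thread.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"
CC="${CC:-US}"
PORTS="${PORTS:-22 80 443}"
DRY_RUN="${DRY_RUN:-1}"

# run ARGS...: print or execute one iptables command
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

build_rules() {
    # Start from empty chains.  Policies stay ACCEPT while rules are added and
    # are tightened last, so an incomplete table never drops the admin's session.
    run -F INPUT
    run -F FORWARD

    # Loopback by interface, not by source address: a packet claiming to be
    # from 127.0.0.1 but arriving on a real interface is spoofed and is dropped.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

    # Replies to connections this host opened (DNS, updates) come before the
    # country check, so they do not depend on where the remote side sits.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP

    # Only NEW connections are geo-tested, one rule per service port.
    for port in $PORTS; do
        run -A INPUT -i "$IFACE" -p tcp --dport "$port" -m state --state NEW \
            -m geoip --src-cc "$CC" -j ACCEPT
    done

    # Rate-limited log of whatever falls through, then the default policy.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "geoip-drop: "

    # A chain policy must be a built-in target: ACCEPT or DROP, never REJECT.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
}

build_rules
```

Because the ESTABLISHED,RELATED rule sits above the geoip rules, the country table is only consulted for the first packet of each inbound connection, which also keeps the per-packet cost of the match low.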

#3  Just Joined!, joined Sep 2011, 2 posts
    I stumbled onto the same problem on two production servers with healthy iptables rules and a test server with just the default rules.
    Having written rules for iptables for almost ten years, I believe it is not about the rules themselves. Here is a rule that works:

    iptables -A INPUT -p tcp -m tcp --dport 1234 -m geoip --src-cc CN -j DROP

    It works without problems and blocks all traffic to port 1234 from China. Tested.
    However, if I alter it to

    iptables -A INPUT -p tcp -m tcp --dport 1234 -m geoip --src-cc US -j DROP

    I get
    Code:
    iptables: Unknown error 4294967295
    and in /var/log/messages
    Code:
    Sep  2 07:35:22 myserver kernel: ipt_geoip: unable to load 'US' into memory
    Having a look at GeoIPCountryWhois.csv I find the following:

    Code:
    [root@myserver]# cat GeoIPCountryWhois.csv |grep US |wc -l
    21775
    [root@myserver]# cat GeoIPCountryWhois.csv |grep CN |wc -l
    1683
    So it seems to me that the number of entries in the GeoIP database for US is far too big to be loaded into some reserved memory space.

    The same happens on 64-bit as well. It may well be that the geoip module has to be altered and recompiled, but what to change and where is beyond my knowledge.

    EDIT: Having a look at the code, it seems to me that the add_node() function is trying to allocate memory using kmalloc(), which I believe is the kernel memory allocation function.
    It is very possible that when that function fails add_node() returns NULL, which then causes the system to generate the error message...

    If this is the case there is very little to be done if one does not have the option of patching the kernel. Running one's OS in a VPS makes this option useless.
    Last edited by mkvi; 09-02-2011 at 01:14 PM.

#4  Just Joined!, joined Sep 2011, 2 posts
    Quote (originally posted by mkvi):
        I stumbled onto the same problem on two production servers with healthy iptables rules and a test server with just the default rules. [...]
        If this is the case there is very little to be done if one does not have the option of patching the kernel. Running one's OS in a VPS makes this option useless.
    Asking another question. The geoip module breaks in this function, which is using the kmalloc() function. My C skills are not good enough to change the kmalloc() to anything else. Is there anybody who might help? I understood that kmalloc() can only allocate small blocks (< 128KB) and that we need to use something else for bigger blocks. The function is as follows:

    Code:
    /* ipt_geoip add_node(): copy one country's table from user space into two
     * kernel allocations.  The first is a fixed-size header; the second holds
     * every subnet of the country in one physically contiguous block, so its
     * size grows with p->count.  The parameter name shadows memcpy(); it is a
     * user-space pointer to the header the iptables extension prepared. */
    static struct geoip_info *add_node(struct geoip_info *memcpy)
    {
       struct geoip_info *p =
          (struct geoip_info *)kmalloc(sizeof(struct geoip_info), GFP_KERNEL);

       struct geoip_subnet *s;

       if (p == NULL)
          return NULL;
       if (copy_from_user(p, memcpy, sizeof(struct geoip_info)) != 0) {
          kfree(p);                 /* do not leak the header on a failed copy */
          return NULL;
       }

       /* one block of p->count * sizeof(struct geoip_subnet) bytes */
       s = (struct geoip_subnet *)kmalloc(p->count * sizeof(struct geoip_subnet), GFP_KERNEL);
       if (s == NULL) {
          kfree(p);
          return NULL;
       }
       if (copy_from_user(s, p->subnets, p->count * sizeof(struct geoip_subnet)) != 0) {
          kfree(s);
          kfree(p);
          return NULL;
       }

       /* link the new country at the head of the global list */
       spin_lock_bh(&geoip_lock);

       p->subnets = s;
       p->ref = 1;
       p->next = head;
       p->prev = NULL;
       if (p->next) p->next->prev = p;
       head = p;

       spin_unlock_bh(&geoip_lock);
       return p;
    }
    I presume that the whole thing breaks in the first kmalloc() call.
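Posts #3 and #4 together point at the allocation in add_node() whose size is p->count * sizeof(struct geoip_subnet) bytes; both "unknown error" numbers are the same -1 printed as an unsigned value (4294967295 is 2^32-1, 18446744073709551615 is 2^64-1), so the real errno is hidden. The script below is an added example, not code from the thread or from the ipt_geoip project, that sizes the per-country request from the CSV mkvi inspected. It assumes 8 bytes per subnet record (two 32-bit addresses) and the 128 KiB single-allocation ceiling mkvi mentions; both are assumptions. It counts rows by the country-code field instead of grepping "US" anywhere on the line, and then applies the thread's own counts (1683 CN rows, 21775 US rows). The three CSV rows embedded in it are constructed, not MaxMind data.

```sh
#!/bin/sh
# Added example, not from the thread.  Sizes the per-country table that
# add_node() asks kmalloc() for, from the legacy GeoIPCountryWhois.csv layout
#   "begin_ip","end_ip","begin_int","end_int","CC","Country"
# Assumptions (not facts from the thread): one subnet record is two 32-bit
# addresses (8 bytes), and a single kmalloc() is limited to 128 KiB as the
# poster suggests.  Both are overridable through the environment.

SUBNET_BYTES="${SUBNET_BYTES:-8}"
KMALLOC_MAX="${KMALLOC_MAX:-131072}"

# count_by_cc < csv: one "CC N" line per country code.  Field 5 is the code,
# which avoids the false positives of grepping "US" across the whole line.
count_by_cc() {
    awk -F'","' '{ cc = $5; gsub(/"/, "", cc); n[cc]++ }
                 END { for (c in n) print c, n[c] }' | sort
}

# bytes_for COUNT: bytes the module would request in one allocation
bytes_for() {
    echo $(( $1 * SUBNET_BYTES ))
}

# fits COUNT: "ok" if that allocation stays under the ceiling, else "too-large"
fits() {
    if [ "$(bytes_for "$1")" -le "$KMALLOC_MAX" ]; then
        echo ok
    else
        echo too-large
    fi
}

# report < csv: one line per country with its subnet count, bytes and verdict
report() {
    count_by_cc | while read -r cc n; do
        printf '%s %d subnets %d bytes %s\n' "$cc" "$n" "$(bytes_for "$n")" "$(fits "$n")"
    done
}

# Constructed sample input (three rows, not real MaxMind data).
SAMPLE_CSV='"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"3.0.0.0","3.255.255.255","50331648","67108863","US","United States"'

printf '%s\n' "$SAMPLE_CSV" | report

# The row counts reported in the thread: CN loads, US does not.
printf 'CN (1683 rows from the thread): %s, %s bytes\n' "$(fits 1683)" "$(bytes_for 1683)"
printf 'US (21775 rows from the thread): %s, %s bytes\n' "$(fits 21775)" "$(bytes_for 21775)"
```

On a real database run `report < GeoIPCountryWhois.csv` and look for every country marked too-large; each of those will fail to load the same way US does here, while the countries marked ok (CN among them) load fine, which matches what mkvi observed.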

#5  Just Joined!, joined Mar 2012, 1 post

    iptables: Unknown error 4294967295 when using "US" country code

    Did anyone ever figure this out?
