03-15-2011 #1 | Just Joined! | Join Date: Apr 2010 | Posts: 1
GeoIP filtering w/IPtables CentOS
OK.
I wanted to tell my server to block all traffic but US traffic. So I followed this guide:
lazyadmin.wordpress.com/2010/08/10/country-based-blocking-using-geoip-and-iptables-on-centos/
Now I know it's the best way to help prevent hackers/crackers (doesn't matter to me what they are called; I just have to stop them). My server only deals with US clients anyway, so I might as well start right there for my server's security before getting into brute-force and injection prevention.
So I got it all done, compiled everything and moved it to the proper directory. I then started to set up my iptables, like so:
Code:
iptables -F INPUT
iptables -F OUTPUT
iptables -I INPUT 1 -s *.*.*.* -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 2 -s *.*.*.* -p tcp -j ACCEPT
iptables -I INPUT 2 -s 127.0.0.1 -p tcp -j ACCEPT
iptables -I OUTPUT 1 -d *.*.*.* -p tcp -j ACCEPT
iptables -A OUTPUT -p udp -s *.*.*.* --sport 1024:65535 -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d *.*.*.* --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s *.*.*.* --sport 1024:65535 -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 8.8.8.8 --sport 53 -d *.*.*.* --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s *.*.*.* --sport 1024:65535 -d 8.8.4.4 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 8.8.4.4 --sport 53 -d *.*.*.* --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s *.*.*.* --sport 1024:65535 -d 8.8.4.4 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 8.8.4.4 --sport 53 -d *.*.*.* --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT REJECT
I then went and finished with:
Code:
iptables -A INPUT -m geoip --src-cc US -j ACCEPT
Which screamed at me with this error:
Code:
iptables: Unknown error 18446744073709551615
After some debugging and looking around I found "kernel: ipt_geoip: unable to load 'US' into memory" in the /var/log/messages file.
After seeing that I went digging in the code and figured it was something to do with memory allocation. Anyone have an idea on how to solve this?
03-17-2011 #2
Not sure about this geoip thing you are trying to do but your rules you have now are a mess.
Here is a TUTORIAL for IPTABLES.
You should first think about cleaning up your rules.
Also with a patched kernel you might have to go to the patch maker to get things to work.
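A ruleset laid out the way the reply above asks for, as an added example that is not part of the thread: the builtin-chain policies are DROP rather than REJECT (iptables accepts only ACCEPT or DROP as a policy for a builtin chain, so the `iptables -P INPUT REJECT` line in the first post fails on its own), loopback and established traffic are accepted first, a fixed admin host gets SSH without passing through the geoip match, and only the allowed country is handed on to the public service rules. The admin address (an RFC 5737 documentation address) and the service ports are assumptions. The script prints iptables-restore text and checks its own ordering instead of applying anything, so it runs without root; the actual load is the one-liner in the usage comment.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset that lets only one
# country reach the public services, with the admin path placed before the
# geoip match. Not from the thread or the geoip module.

ALLOW_CC="${ALLOW_CC:-US}"                 # country to allow in (from the thread)
ADMIN_SRC="${ADMIN_SRC:-198.51.100.10}"    # assumed admin host (RFC 5737 documentation address)
SERVICE_PORTS="${SERVICE_PORTS:-80 443}"   # assumed public TCP services

# Print the ruleset; optional $1 overrides the allowed country code.
geoip_ruleset() {
    cc="${1:-$ALLOW_CC}"
    echo '*filter'
    # Policies may only be ACCEPT or DROP; REJECT is a rule target, not a chain policy.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':SERVICES - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Admin access that does not depend on the geoip database having loaded.
    echo "-A INPUT -p tcp --dport 22 -s $ADMIN_SRC -m state --state NEW -j ACCEPT"
    # Only the allowed country reaches SERVICES; everything else falls to the DROP policy.
    echo "-A INPUT -m geoip --src-cc $cc -j SERVICES"
    for p in $SERVICE_PORTS; do
        echo "-A SERVICES -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Returns 0 when the admin rule precedes the geoip rule and no chain has a REJECT policy.
geoip_ruleset_check() {
    out=$(geoip_ruleset)
    admin=$(printf '%s\n' "$out" | grep -n -- '--dport 22' | cut -d: -f1)
    geo=$(printf '%s\n' "$out" | grep -n -- '-m geoip' | cut -d: -f1)
    [ -n "$admin" ] && [ -n "$geo" ] && [ "$admin" -lt "$geo" ] || return 1
    printf '%s\n' "$out" | grep -q '^:.* REJECT' && return 1
    return 0
}

# Usage (as root, once the module is known to load the country): geoip_ruleset | iptables-restore
if [ "${1:-}" = "--print" ]; then
    geoip_ruleset
fi
```

Because iptables-restore replaces the table in one step, a geoip rule that fails to load leaves the previous ruleset in place; the admin rule is still ordered before the geoip match so that a stale or partial country database cannot cut off management access.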
09-02-2011 #3 | Just Joined! | Join Date: Sep 2011 | Posts: 2
I stumbled onto the same problem on two production servers with healthy iptables rules and a test server with just the default rules.
Having written rules for iptables for almost ten years, I believe it is not about the rules themselves. Here is a rule that works:
Code:
iptables -A INPUT -p tcp -m tcp --dport 1234 -m geoip --src-cc CN -j DROP
It works without problems and blocks all traffic to port 1234 from China. Tested.
However, if I alter it to
Code:
iptables -A INPUT -p tcp -m tcp --dport 1234 -m geoip --src-cc US -j DROP
I get
Code:
iptables: Unknown error 4294967295
and in /var/log/messages
Code:
Sep 2 07:35:22 myserver kernel: ipt_geoip: unable to load 'US' into memory
Having a look at the GeoIPCountryWhois.csv I find the following:
Code:
[root@myserver]# cat GeoIPCountryWhois.csv |grep US |wc -l
21775
[root@myserver]# cat GeoIPCountryWhois.csv |grep CN |wc -l
1683
So it seems to me that the number of entries in the GeoIP database for US is far too big to be loaded into some reserved memory space.
The same happens in 64 bits as well. It may well be that the geoip module has to be altered and recompiled, but what to change and where is beyond my knowledge.
EDIT: Having a look at the code, it seems to me that the add_node() function is trying to allocate memory using kmalloc(), which I believe is the kernel memory allocation function.
It is very possible that when that function fails, add_node() returns a NULL, which then causes the system to generate the error message...
If this is the case there is very little to be done if one does not have the option of patching the kernel. Running one's OS in a VPS makes this option useless.
Last edited by mkvi; 09-02-2011 at 01:14 PM.
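A check to run before loading a country, as an added example that is not code from the thread or from the geoip module: it counts subnets per country from the CSV's country-code field (a whole-line `grep US` also matches any other row that happens to contain the letters US), multiplies by the per-subnet size and compares the result with the single-kmalloc() limit the thread mentions. The 8-byte subnet size (two 32-bit addresses per range) and the 128 KiB limit are assumptions stated in the script, and the CSV rows it ships with are constructed, not MaxMind data. Fed the counts posted above, US comes to 174200 bytes and CN to 13464, which puts the US list above that limit and the CN list below it. The two "Unknown error" values on this page, 4294967295 and 18446744073709551615, are 2^32-1 and 2^64-1, i.e. -1 printed as an unsigned 32-bit and 64-bit number, which is consistent with a bare failure return from the module rather than a named errno.

```shell
#!/bin/sh
# Added example: pre-check whether a country's subnet list in
# GeoIPCountryWhois.csv would fit in one kmalloc() before loading it with
# -m geoip. Sizes below are assumptions, not values taken from the module.

SUBNET_BYTES=8        # assumed: struct geoip_subnet = two 32-bit addresses (begin, end)
KMALLOC_MAX=131072    # assumed: 128 KiB, the single-kmalloc() limit discussed in the thread

# Count subnets per country from the 5th CSV field (the ISO code), not a whole-line grep.
# Rows look like: "1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
geoip_count_by_cc() {   # $1 = path to CSV; prints "CC count" lines, sorted by code
    awk -F'","' '{ gsub(/"/, "", $5); n[$5]++ } END { for (c in n) print c, n[c] }' "$1" | sort
}

# Bytes the module would request for N subnets in a single allocation.
geoip_subnet_bytes() {  # $1 = subnet count
    echo $(( $1 * SUBNET_BYTES ))
}

# OK if the request fits in one kmalloc(), TOO_BIG otherwise.
geoip_fit_status() {    # $1 = subnet count
    if [ "$(geoip_subnet_bytes "$1")" -gt "$KMALLOC_MAX" ]; then echo TOO_BIG; else echo OK; fi
}

# One line per country: code, subnet count, bytes requested, verdict.
geoip_report() {        # $1 = path to CSV
    geoip_count_by_cc "$1" | while read -r cc n; do
        echo "$cc $n $(geoip_subnet_bytes "$n") $(geoip_fit_status "$n")"
    done
}

# Constructed sample rows (not real MaxMind data) so the script runs offline.
geoip_sample_csv() {
    cat <<'EOF'
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"3.0.0.0","3.255.255.255","50331648","67108863","US","United States"
"4.0.0.0","4.255.255.255","67108864","83886079","US","United States"
"5.0.0.0","5.0.0.255","83886080","83886335","RU","Russian Federation"
"6.0.0.0","6.255.255.255","100663296","117440511","US","United States"
EOF
}

# Usage: sh geoip_check.sh /path/to/GeoIPCountryWhois.csv
# With the thread's counts: US 21775 -> 174200 bytes (TOO_BIG), CN 1683 -> 13464 bytes (OK).
if [ -n "${1:-}" ]; then
    geoip_report "$1"
else
    tmp=$(mktemp); geoip_sample_csv > "$tmp"; geoip_report "$tmp"; rm -f "$tmp"
fi
```

The verdict column says which countries will trip the "unable to load ... into memory" failure under the assumed limit; it does not change what the module does with the request.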
09-04-2011 #4 | Just Joined! | Join Date: Sep 2011 | Posts: 2
Asking another question. The geoip module breaks in this function, which is using the kmalloc() function. My C skills are not good enough to change the kmalloc() to anything else. Is there anybody that might help? I understood that kmalloc() can only allocate small blocks (< 128KB) and that we need to use something else for bigger blocks. So the function is as follows:
Code:
static struct geoip_info *add_node(struct geoip_info *memcpy)
{
	/* Node header: one small, fixed-size kmalloc() */
	struct geoip_info *p = (struct geoip_info *)kmalloc(sizeof(struct geoip_info), GFP_KERNEL);
	struct geoip_subnet *s;

	if ((p == NULL) || (copy_from_user(p, memcpy, sizeof(struct geoip_info)) != 0))
		return NULL;

	/* Subnet array: p->count entries in a single kmalloc(); grows with the country's range count.
	 * On this failure path p is not freed. */
	s = (struct geoip_subnet *)kmalloc(p->count * sizeof(struct geoip_subnet), GFP_KERNEL);
	if ((s == NULL) || (copy_from_user(s, p->subnets, p->count * sizeof(struct geoip_subnet)) != 0))
		return NULL;

	/* Link the node at the head of the list under the module lock */
	spin_lock_bh(&geoip_lock);
	p->subnets = s;
	p->ref = 1;
	p->next = head;
	p->prev = NULL;
	if (p->next)
		p->next->prev = p;
	head = p;
	spin_unlock_bh(&geoip_lock);

	return p;
}
I presume that the whole thing breaks in the first kmalloc() call.
03-07-2012 #5 | Just Joined! | Join Date: Mar 2012 | Posts: 1
iptables: Unknown error 4294967295 when using "US" country code
Did anyone ever figure this out?