SOLVED: iptables & geoip

[daveg]

Hi guys,

I have been trying in vain to get geoip blocking working with iptables on one of my Pi's; I'm getting stupid amount of script kiddies trying to brute force my ssh daemon, fail2ban is blocking them, but figured its better to block countries I dont want access to my system at all.

I have tried following various guides to get the geoip and xtables working but am way out of my depth and am stuck.
I have got to the point where i have downloaded and converted the geoip database but have hit another brick wall as there is no xt_geoip module. So trying to use the following iptable rule fails:

Code: Select all

sudo iptables -I INPUT 1 -m state --state NEW -m geoip ! --src-cc GB -m tcp -p tcp --dport 22 -j DROP

The last part of the puzzle was to install xtables-addon-source then run

Code: Select all

sudo module-assistant --verbose --text-mode auto-install xtables-addons

which apparently will create the missing module
this fails however with the message:

Code: Select all

Bad luck, the kernel headers for the target kernel version could not be
found and you did not specify other valid kernel headers to use.


If the running kernel has been shipped with the Debian distribution, please
install the package linux-headers-4.1.19-v7+. If your kernel source tree
(or headers) is located in some non-usual location, please set the
KERNELDIRS environment variable to the path of this directory, or
(alternatively) specify the source directory we build for with the
--kernel-dir option in module-assistant calls.

I have searched the apt-cache for linux-headers-* but there aren't any for any v4 let alone the one its asking for.

As you can probably tell I'm way over my head as linux isnt really my comfort zone. I have googled my way through to this point (not really fully understanding what I'm doing) and am reaching out for some guidance as its getting really confusing now and am unsure if I'm just missing something basic.

(i'm using the Jessie Lite build from the downloads page by the way)

Many Thanks

[DougieLawson]

To get the kernel headers and a good kernel build environment use rpi-source from https://github.com/notro/rpi-source

[daveg]

Hi Dougie,

thanks for taking the time to reply.
I stumbled across rpi-source during my googling and have tried it. Well I ran it and it seems to have downloaded the sources but that was before my original post. When I ran module-assistant I got the above error (again) and I couldnt find a way past it and made the original post.

I am currently trying to compile my own kernel as im hoping

1. that will make the xt_geoip module im missing,
2. I may actually learn something about the Kernel and figure out how to remove stuff im not going to use and trim the kernel down

No harm in trying is there!

[daveg]

Actually the info about the module-assistant I gave was inaccurate.

I took a fresh Jessie install (Jessie Lite).
installed git rpi-source bc build-essential tmux xtables-addon-source

ran rpi-source which seemed to work ok
then ran the module-assistant as in the first port and hit the hurdle that has prevented me getting any further
output of module-assist

Code: Select all

 $ sudo module-assistant --verbose --text-mode auto-install xtables-addons
Updating info about xtables-addons-source

Updated infos about 1 packages
Getting source for kernel version: 4.1.19-v7+
Kernel headers available in /lib/modules/4.1.19-v7+/source
Creating symlink...
apt-get install build-essential
Reading package lists... Done
Building dependency tree
Reading state information... Done
build-essential is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Done!
unpack
Extracting the package tarball, /usr/src/xtables-addons.tar.bz2, please wait...
 tar --bzip2 -x -f /usr/src/xtables-addons.tar.bz2
"/usr/share/modass/packages/default.sh" build KVERS=4.1.19-v7+ KSRC=/lib/modules/4.1.19-v7+/source kdist_image
 debian/rules kdist_clean
/usr/bin/make -C /lib/modules/4.1.19-v7+/source M=/usr/src/modules/xtables-addons/extensions XA_ABSTOPSRCDIR=/usr/src/modules/xtables-addons XA_TOPSRCDIR=/usr/src/modules/xtables-addons DEPMOD=/bin/true clean
make[1]: Entering directory '/home/gandlers/linux-20fe468af4bb40fec0f81753da4b20a8bfc259c9'
make[1]: Leaving directory '/home/gandlers/linux-20fe468af4bb40fec0f81753da4b20a8bfc259c9'
dh_auto_clean
make[1]: Entering directory '/usr/src/modules/xtables-addons'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash /tmp/buildd/xtables-addons-2.6/build-aux/missing autoconf
/bin/bash: /tmp/buildd/xtables-addons-2.6/build-aux/missing: No such file or directory
make[1]: *** [configure] Error 127
Makefile:402: recipe for target 'configure' failed
make[1]: Leaving directory '/usr/src/modules/xtables-addons'
dh_auto_clean: make -j1 distclean returned exit code 2
make: *** [override_dh_auto_clean] Error 2
debian/rules:59: recipe for target 'override_dh_auto_clean' failed
 debian/rules KVERS=4.1.19-v7+ KSRC=/lib/modules/4.1.19-v7+/source kdist_image
/usr/bin/make  -f debian/rules kdist_clean kdist_config binary-modules
make[1]: Entering directory '/usr/src/modules/xtables-addons'
/usr/bin/make -C /lib/modules/4.1.19-v7+/source M=/usr/src/modules/xtables-addons/extensions XA_ABSTOPSRCDIR=/usr/src/modules/xtables-addons XA_TOPSRCDIR=/usr/src/modules/xtables-addons DEPMOD=/bin/true clean
make[2]: Entering directory '/home/gandlers/linux-20fe468af4bb40fec0f81753da4b20a8bfc259c9'
make[2]: Leaving directory '/home/gandlers/linux-20fe468af4bb40fec0f81753da4b20a8bfc259c9'
dh_auto_clean
make[2]: Entering directory '/usr/src/modules/xtables-addons'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash /tmp/buildd/xtables-addons-2.6/build-aux/missing autoconf
/bin/bash: /tmp/buildd/xtables-addons-2.6/build-aux/missing: No such file or directory
Makefile:402: recipe for target 'configure' failed
make[2]: *** [configure] Error 127
make[2]: Leaving directory '/usr/src/modules/xtables-addons'
dh_auto_clean: make -j1 distclean returned exit code 2
debian/rules:59: recipe for target 'override_dh_auto_clean' failed
make[1]: *** [override_dh_auto_clean] Error 2
make[1]: Leaving directory '/usr/src/modules/xtables-addons'
/usr/share/modass/include/common-rules.make:56: recipe for target 'kdist_build' failed
make: *** [kdist_build] Error 2
BUILD FAILED!
See /var/cache/modass/xtables-addons-source.buildlog.4.1.19-v7+.1460186706 for details.
Build failed. Press Return to continue...

I'm stuck now as I dont really know what im doing with this compiling malarkey, i can follow instructions, but when they dont work and google doesnt have the answer my random attempts from similar posts may make matters worse!

[DougieLawson]

Have you run make bcmrpi_defconfig (Pi1) or make bcm2709_defconfig (Pi2/3)?

Details here: https://www.raspberrypi.org/documentati ... uilding.md

[daveg]

I had tried that when looking at compiling the kernel, but when before starting the compile i searched the linux (kernel source) folder i couldnt find anything relating to xt_geoip so i didnt actually compile. I do need to have a play with that at some point as it could be educational.

In the above post where I took the fresh install, installed the kernel source using rpi-source then installed the xtables-addon-source and ran module-assistant I didnt run "make bcm2709_defconfig" as I wasnt aware I needed to as I want compiling a Kernel.
I also tried instaling the xtables-addon-dkms but that installed loads of kernel 3.x dependancies so I dont think thats the right way.

I will start with a fresh jessie lite install follow these steps and see if it works

• rpi-source
• apt-get install xtables-addon-source
• in the linux source folder run "make bcm2709_defconfig"
• module-assistant auto-install xtables-addon

Fingers crossed that will be the crucial missing piece of the puzzle that I'm missing, is there any mileage in KERNEL=kernel7 prior to make bcm2709_defconfig?

I'll try and report back, I'm surprised no one else has tried this on Jessie and hit the same hurdle or published an idiots guide for the likes of me to google and follow. Maybe I can make one if I get it working

[daveg]

no, im still getting the same fault!
/tmp/buildd/... file not found.
all the other messages relate to /usr/src/... so is it meant to be using /usr/src/ where its meant to be working or should there be a /tmp/buildd/ folder structure with the files it says are missing?
as I have looked in /tmp and no buildd folder when I run the script. Or is there an error in module-assistant scripts?

I'm going to try a wheezy image in case its something wrong in the jessie files.

[IngeFox]

Hi Daveg,
Many thanks to this post because I got the same problem.
Did you solved it ?

Many Thanks
Fred

[daveg]

Hi Fred,

yes , I have (somehow) managed to get it working.
watch this space as I'm going to try and re-create the process on a fresh install just to ensure I know how to do it again.
Give me a few days and I should (all being well) be able to post instructions on the steps I took.
I have just got back from a week away and will be back at work tomorrow, hopefully they dont send me working away as I will struggle to work on this if I'm away.

[daveg]

Ok Fred, I worked out the steps.

1. Boot New JESSIE-Lite Image and do the usual setup in Raspi-Config

Code: Select all

sudo raspi-config

2. Update APT and Install packages that we will need (not sure if all are needed, but this seems to work)

Code: Select all

sudo apt-get update && sudo apt-get install git bc libncurses5-dev libtext-csv-xs-perl autoconf automake libtool xutils-dev iptables-dev -y

3. Upgrade Raspbian packages

Code: Select all

sudo apt-get dist-upgrade -y

4. Install RPi-Source

Code: Select all

sudo wget https://raw.githubusercontent.com/notro/rpi-source/master/rpi-source -O /usr/bin/rpi-source && sudo chmod +x /usr/bin/rpi-source && /usr/bin/rpi-source -q --tag-update

5. Get kernel source, which I think builds the header files that we need.

Code: Select all

cd ~

rpi-source

6. Install xtables-addons from the git repository, build and install

Code: Select all

git clone git://git.code.sf.net/p/xtables-addons/xtables-addons

cd xtables-addons

./autogen.sh

./configure

make

sudo make install

7. Copy GeoIP tools

Code: Select all

sudo mkdir /usr/share/xt_geoip

sudo cp /home/pi/xtables-addons/geoip/xt_geoip_dl /usr/share/xt_geoip/

sudo cp /home/pi/xtables-addons/geoip/xt_geoip_build /usr/share/xt_geoip/

8. Download and update GeoIP Data

Code: Select all

cd /usr/share/xt_geoip

sudo ./xt_geoip_dl

sudo ./xt_geoip_build -D . *.csv

9. Reboot

Code: Select all

sudo reboot

10. run depmod (dont know what it does, but found it in another thread looking for answers and it makes it work!)

Code: Select all

sudo depmod

11. Test if it has worked by blocking some countries.

Code: Select all

sudo iptables -A INPUT -m geoip --src-cc CN,UA,TW -j DROP

That seemed to work for me as I have just done those step myself, I think that the missing element which cause me issues was the iptables-dev package and the depmod command. Once i had stumbled over them in other threads it all came together. They may even enable the module-assistant methods to work.

Good luck and let me know how you got on.

[brovary3154]

The April 28, 2016 post helped me a ton. Thanks

I found I also needed
sudo apt-get install libnet-cidr-lite-perl
sudo apt-get install raspberrypi-kernel-headers

[Raspberry-3.14]

This can also be set up on newer nftables firewalls with Geolocation for nftables.

https://github.com/wirefalls/geo-nft