GEO IP Tables to block all foreign IP

Status
Not open for further replies.

Andrew Byrd

Member
Feb 16, 2018
309
10
18
54
I went to this website and followed the instructions on blocking all foreign IP addresses. This makes sense since all my clients are in the USA.


I run into an error message after I run the following commands:

# wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-2.13.tar.xz
# tar xf xtables-addons-2.13.tar.xz
# cd xtables-addons-2.13
# ./configure
# make
# make install

When I get to the ./configure, this is my output

Code:
root@SERVERONE:~/xtables-addons-2.13# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking linux/netfilter/x_tables.h usability... yes
checking linux/netfilter/x_tables.h presence... yes
checking for linux/netfilter/x_tables.h... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for xtables >= 1.4.5... no
configure: error: Package requirements (xtables >= 1.4.5) were not met:

No package 'xtables' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables libxtables_CFLAGS
and libxtables_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

It says,
configure: error: Package requirements (xtables >= 1.4.5) were not met:

No package 'xtables' found

Can anyone give me direction on what to do here?

Thank you !
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,498
413
83
I believe xtables provides some addons/functions for iptables that are not available in the kernel by default.

I'm not convinced about the benefits of blocking countries by IP range. Anyone serious about hacking you will just get a VPN to the US. I have tunnels to several countries for testing purposes.

You can get simple lists of IPs by country freely from ip2location.com. You can specify the countries you are interested in, then choose the download format. Two of the more useful options are iptables ACCEPT or iptables DROP statements. You can then just drop then into your iptables rules file - simple.

Below is an example, I downloaded an iptables accept list for Fiji, I chose Fiji so you can see what a download would look like without it being too large:

Code:
# -------------------------------------------------------
# Free IP2Location Firewall List by Country
# Source: https://www.ip2location.com/free/visitor-blocker
# Last Generated: 02 Jan 2022 18:19:28 GMT
# [Important] Please update this list every month
# -------------------------------------------------------
iptables -A INPUT -s 202.62.0.0/21 -j ACCEPT
iptables -A INPUT -s 202.151.24.92/30 -j ACCEPT
iptables -A INPUT -s 202.151.24.91/32 -j ACCEPT
iptables -A INPUT -s 202.151.24.88/31 -j ACCEPT
iptables -A INPUT -s 202.151.24.80/29 -j ACCEPT
iptables -A INPUT -s 202.151.24.64/28 -j ACCEPT
iptables -A INPUT -s 202.151.24.0/26 -j ACCEPT
iptables -A INPUT -s 202.151.16.0/21 -j ACCEPT
iptables -A INPUT -s 202.137.176.0/21 -j ACCEPT
iptables -A INPUT -s 202.129.228.0/22 -j ACCEPT
iptables -A INPUT -s 202.62.120.0/21 -j ACCEPT
iptables -A INPUT -s 202.62.118.0/23 -j ACCEPT
iptables -A INPUT -s 202.151.24.96/27 -j ACCEPT
iptables -A INPUT -s 202.0.158.0/24 -j ACCEPT
iptables -A INPUT -s 202.0.156.0/24 -j ACCEPT
iptables -A INPUT -s 183.81.128.0/20 -j ACCEPT
iptables -A INPUT -s 172.225.244.32/28 -j ACCEPT
iptables -A INPUT -s 172.225.156.80/28 -j ACCEPT
iptables -A INPUT -s 172.225.64.192/27 -j ACCEPT
iptables -A INPUT -s 172.225.60.48/28 -j ACCEPT
iptables -A INPUT -s 157.167.41.0/24 -j ACCEPT
iptables -A INPUT -s 146.75.190.0/31 -j ACCEPT
iptables -A INPUT -s 146.75.170.6/31 -j ACCEPT
iptables -A INPUT -s 210.7.0.144/29 -j ACCEPT
iptables -A INPUT -s 210.7.16.0/20 -j ACCEPT
iptables -A INPUT -s 210.7.8.0/21 -j ACCEPT
iptables -A INPUT -s 210.7.4.0/22 -j ACCEPT
iptables -A INPUT -s 210.7.2.0/23 -j ACCEPT
iptables -A INPUT -s 210.7.1.0/24 -j ACCEPT
iptables -A INPUT -s 210.7.0.192/26 -j ACCEPT
iptables -A INPUT -s 210.7.0.160/27 -j ACCEPT
iptables -A INPUT -s 210.7.0.159/32 -j ACCEPT
iptables -A INPUT -s 210.7.0.156/31 -j ACCEPT
iptables -A INPUT -s 210.7.0.152/30 -j ACCEPT
iptables -A INPUT -s 146.75.160.18/31 -j ACCEPT
iptables -A INPUT -s 210.7.0.128/28 -j ACCEPT
iptables -A INPUT -s 210.7.0.0/25 -j ACCEPT
iptables -A INPUT -s 203.202.235.0/24 -j ACCEPT
iptables -A INPUT -s 203.119.51.0/24 -j ACCEPT
iptables -A INPUT -s 203.83.251.0/24 -j ACCEPT
iptables -A INPUT -s 202.170.32.0/20 -j ACCEPT
iptables -A INPUT -s 202.151.28.0/22 -j ACCEPT
iptables -A INPUT -s 202.151.26.0/23 -j ACCEPT
iptables -A INPUT -s 202.151.25.0/24 -j ACCEPT
iptables -A INPUT -s 202.151.24.128/25 -j ACCEPT
iptables -A INPUT -s 103.52.88.0/22 -j ACCEPT
iptables -A INPUT -s 103.169.143.0/24 -j ACCEPT
iptables -A INPUT -s 103.148.54.0/23 -j ACCEPT
iptables -A INPUT -s 103.147.194.0/23 -j ACCEPT
iptables -A INPUT -s 103.137.129.0/24 -j ACCEPT
iptables -A INPUT -s 103.116.156.0/24 -j ACCEPT
iptables -A INPUT -s 103.101.240.0/22 -j ACCEPT
iptables -A INPUT -s 103.99.43.0/24 -j ACCEPT
iptables -A INPUT -s 103.77.225.0/24 -j ACCEPT
iptables -A INPUT -s 103.76.157.0/24 -j ACCEPT
iptables -A INPUT -s 103.71.204.0/24 -j ACCEPT
iptables -A INPUT -s 103.58.20.0/22 -j ACCEPT
iptables -A INPUT -s 103.244.228.0/22 -j ACCEPT
iptables -A INPUT -s 103.1.180.0/22 -j ACCEPT
iptables -A INPUT -s 77.70.184.0/28 -j ACCEPT
iptables -A INPUT -s 57.70.224.0/20 -j ACCEPT
iptables -A INPUT -s 57.70.162.0/23 -j ACCEPT
iptables -A INPUT -s 46.163.247.176/28 -j ACCEPT
iptables -A INPUT -s 45.138.10.212/30 -j ACCEPT
iptables -A INPUT -s 45.117.240.0/21 -j ACCEPT
iptables -A INPUT -s 45.112.224.0/22 -j ACCEPT
iptables -A INPUT -s 27.123.128.0/18 -j ACCEPT
iptables -A INPUT -s 14.137.51.0/24 -j ACCEPT
iptables -A INPUT -s 119.235.64.0/19 -j ACCEPT
iptables -A INPUT -s 144.120.128.0/17 -j ACCEPT
iptables -A INPUT -s 144.120.96.0/19 -j ACCEPT
iptables -A INPUT -s 144.120.80.0/20 -j ACCEPT
iptables -A INPUT -s 144.120.72.0/21 -j ACCEPT
iptables -A INPUT -s 144.120.68.0/22 -j ACCEPT
iptables -A INPUT -s 144.120.66.0/23 -j ACCEPT
iptables -A INPUT -s 144.120.65.0/24 -j ACCEPT
iptables -A INPUT -s 144.120.0.0/18 -j ACCEPT
iptables -A INPUT -s 124.108.24.0/21 -j ACCEPT
iptables -A INPUT -s 119.235.96.0/21 -j ACCEPT
iptables -A INPUT -s 14.137.38.0/24 -j ACCEPT
iptables -A INPUT -s 113.20.64.0/19 -j ACCEPT
iptables -A INPUT -s 110.35.88.0/21 -j ACCEPT
iptables -A INPUT -s 104.28.125.52/31 -j ACCEPT
iptables -A INPUT -s 104.28.90.52/31 -j ACCEPT
iptables -A INPUT -s 104.28.35.48/31 -j ACCEPT
iptables -A INPUT -s 104.28.29.42/32 -j ACCEPT
iptables -A INPUT -s 104.28.29.41/32 -j ACCEPT
iptables -A INPUT -s 104.28.28.48/31 -j ACCEPT
iptables -A INPUT -s 104.28.18.118/32 -j ACCEPT
iptables -A INPUT -s 104.28.18.117/32 -j ACCEPT
 
I find it more secure to simply block everything asides from a whitelist, of course this relies on static IP addresses or port knocking. There are of course downsides but it works for me. In the past however I did block based on geoblocking with lists from ipdeny.com I usually only use iptables and ipset.
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,498
413
83
Adrian - If you are dropping them why does your output all say ACCEPT?
I'm not dropping them, this would be an example where you would accept Fiji and maybe drop everything else. If you wanted to drop Fiji then you would down load the drop rule set, that would have drop statements, it's just a convenience, it's the list of IPs that matter, do with them whatever you want...
 
I'm not dropping them, this would be an example where you would accept Fiji and maybe drop everything else. If you wanted to drop Fiji then you would down load the drop rule set, that would have drop statements, it's just a convenience, it's the list of IPs that matter, do with them whatever you want...
Where did you get the country sets from? I found that when dropping countries that there are frequent changes where a country (China a good example) get through on unknown or new subnets.

Agree a white list the easiest, but possible the same as above could apply.
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,498
413
83
Where did you get the country sets from?
I don't do country black/whitelisting, I don't believe it offers comprehensive protection, but it may help in certain circumstances. Some may argue that it could give people a false sense of security. I put the links up because Andrew was interested in doing it.

The lists came from:
https://www.ip2location.com/free/

I agree that country subets change very rapidly, especially nowadays owing to IPv4 exhaustion. Helpfully ip2location.com do put a refresh frequency in the download header for each (country/region/group of countries) downloaded. If you look at the Fiji example above, they recommend once a month in the case of Fiji.
 
I agree, but surely the only comprehensive IP blocking there is is strict whitelisting? Depends on the purpose I guess, One way to see how effective your iptables is is to frequently monitor fail2ban logs, any sip (or indeed any public facing) server set up initially seems to quickly start banning entries, but with tweaking of the iptables rules it can be cut down to zero ir virually zero. Of course there's always the chance that a machine in your whitelist gets attacked and used as an attack vector. I'm no expert on iptables but have used it to good effect for many years.

sngrep is also a useful tool when monitoring sip traffic and where it's coming from, as well as watching freeswitch logs. Any other tools that are useful in this respect?

Thanks for the list url, I'm sure I'll find a good use for it ;)
 

Andrew Byrd

Member
Feb 16, 2018
309
10
18
54
Adrian again I appreciate you accommodating me and giving me good advice. I am by no means at the level I should be but I’m constantly learning day by day and people like you really help me out tremendously. Thank you again
 

Scubadave112

Member
Jan 24, 2020
122
20
18
37
I deff get some benefits to doing this but honestly most script kiddies can use a vpn service lol. I feel like fail2ban and couple tips from HERE such as limiting the source IP, change access port and using public keys are more than sufficient.

I also have seen lots of different methods for 2FA for SSH connections using libpam-google-authenticator, that would be pretty gangsta but yeahhh, having to deal with and maintain this type of DB seams nuts when u think of how easy it is for the most simple minded person walk around it with $5 vpn service
 
Status
Not open for further replies.