
geo-ip setting

Test environment: CentOS 5.8 32-bit

It is cleanest to remove the iptables that was installed from the distribution package before proceeding.

[root@localhost ~]$ cd /usr/local/src
[root@localhost /usr/local/src]$  wget http://nchc.dl.sourceforge.net/sourceforge/xtables-addons/xtables-addons-1.15.tar.bz2
[root@localhost /usr/local/src]$ wget http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
[root@localhost /usr/local/src]$  wget ftp://distfiles.pld-linux.org/distfiles/by-md5/b/b/bbcb1edd6ce2ece229d3e61173c7cadc/geoip_src.tar.bz2
[root@localhost /usr/local/src]$ wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.3.2.tar.bz2

[root@localhost /usr/local/src]$ tar xvfj iptables-1.4.3.2.tar.bz2
[root@localhost /usr/local/src]$ cd iptables-1.4.3.2
[root@localhost /usr/local/src]$ ./configure
[root@localhost /usr/local/src]$ make
[root@localhost /usr/local/src]$ make install

[root@localhost /usr/local/src]$ tar xvfj xtables-addons-1.15.tar.bz2
[root@localhost /usr/local/src]$ cd xtables-addons-1.15
[root@localhost /usr/local/src]$ ./configure --with-xtables=/usr/local
 

##### If running make produces an error like the following ############

  
---------------------------------------------------------------------------
make  all-recursive
make[1]: Entering directory `/usr/local/src/20101224/xtables-addons-1.15'
Making all in extensions
make[2]: Entering directory `/usr/local/src/20101224/xtables-addons-1.15/extensions'
  GEN      modules
make[3]: Entering directory `/usr/src/kernels/2.6.18-194.26.1.el5-i686'
  CC [M]  /usr/local/src/20101224/xtables-addons-1.15/extensions/compat_xtables.o
In file included from /usr/local/src/20101224/xtables-addons-1.15/extensions/compat_xtables.c:20:
/usr/local/src/20101224/xtables-addons-1.15/extensions/compat_skbuff.h:29: error: redefinition of 'skb_reset_network_header'
include/linux/skbuff.h:1122: error: previous definition of 'skb_reset_network_header' was here
/usr/local/src/20101224/xtables-addons-1.15/extensions/compat_skbuff.h:33: error: redefinition of 'tcp_hdr'
include/linux/tcp.h:169: error: previous definition of 'tcp_hdr' was here
/usr/local/src/20101224/xtables-addons-1.15/extensions/compat_skbuff.h:37: error: redefinition of 'udp_hdr'
include/linux/udp.h:33: error: previous definition of 'udp_hdr' was here
In file included from /usr/local/src/20101224/xtables-addons-1.15/extensions/compat_xtables.c:21:
/usr/local/src/20101224/xtables-addons-1.15/extensions/compat_xtnu.h:9: error: redefinition of typedef 'bool'
include/linux/types.h:36: error: previous declaration of 'bool' was here
/usr/local/src/20101224/xtables-addons-1.15/extensions/compat_xtnu.h:10: error: redeclaration of enumerator 'false'
include/linux/stddef.h:16: error: previous definition of 'false' was here
/usr/local/src/20101224/xtables-addons-1.15/extensions/compat_xtnu.h:10: error: redeclaration of enumerator 'true'
include/linux/stddef.h:18: error: previous definition of 'true' was here
/usr/local/src/20101224/xtables-addons-1.15/extensions/compat_xtnu.h:131: error: redefinition of 'csum_unfold'
include/net/checksum.h:88: error: previous definition of 'csum_unfold' was here
/usr/local/src/20101224/xtables-addons-1.15/extensions/compat_xtables.c: In function 'xtnu_ip_route_me_harder':
/usr/local/src/20101224/xtables-addons-1.15/extensions/compat_xtables.c:376: error: too many arguments to function 'ip_route_me_harder'
make[4]: *** [/usr/local/src/20101224/xtables-addons-1.15/extensions/compat_xtables.o] 오류 1
make[3]: *** [_module_/usr/local/src/20101224/xtables-addons-1.15/extensions] 오류 2
make[3]: Leaving directory `/usr/src/kernels/2.6.18-194.26.1.el5-i686'
make[2]: *** [modules] 오류 2
make[2]: Leaving directory `/usr/local/src/20101224/xtables-addons-1.15/extensions'
make[1]: *** [all-recursive] 오류 1
make[1]: Leaving directory `/usr/local/src/20101224/xtables-addons-1.15'
make: *** [all] 오류 2
---------------------------------------------------------------------------

  Apply the following changes, then continue.


[root@localhost /usr/local/src]$  vi extensions/compat_skbuff.h

Comment out lines 28 to 39

     28 /* static inline void skb_reset_network_header(struct sk_buff *skb)
     29 {
     30     skb->nh.raw = skb->data;
     31 }
     32 static inline struct tcphdr *tcp_hdr(const struct sk_buff *skb)
     33 {
     34     return (void *)skb_transport_header(skb);
     35 }
     36 static inline struct udphdr *udp_hdr(const struct sk_buff *skb)
     37 {
     38     return (void *)skb_transport_header(skb);
     39 } */

[root@localhost /usr/local/src]$  vi extensions/compat_xtables.c

Change line 372

372 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
     --> change to: #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)

[root@localhost /usr/local/src]$  vi extensions/compat_xtnu.h

Comment out lines 9 to 10

      9 /* typedef _Bool bool;
     10 enum { false = 0, true = 1, };
     11 */

Comment out lines 14 to 16

14 /*typedef __u16 __bitwise __sum16;
15 typedef __u32 __bitwise __wsum;
16 */

Comment out lines 131 to 134

    131 /*static inline __wsum csum_unfold(__sum16 n)
    132 {
    133     return (__force __wsum)n;
    134 }*/

===========================================

[root@localhost /usr/local/src]$ make
[root@localhost /usr/local/src]$ make install


[root@localhost /usr/local/src]$ mkdir -p /var/geoip/LE
[root@localhost /usr/local/src]$ tar xvfj geoip_src.tar.bz2
[root@localhost /usr/local/src]$ unzip GeoIPCountryCSV.zip
[root@localhost /usr/local/src]$ cp geoip_csv_iv0.pl /var/geoip/LE
[root@localhost /usr/local/src]$ mv GeoIPCountryWhois.csv /var/geoip/LE
[root@localhost /usr/local/src]$ cd /var/geoip/LE

  Running the command below produces an error message.

---------------------------------------------------------------------------
  # ./geoip_csv_iv0.pl GeoIPCountryWhois.csv
Can't locate Text/CSV_XS.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at ./geoip_csv_iv0.pl line 12.
BEGIN failed--compilation aborted at ./geoip_csv_iv0.pl line 12.
---------------------------------------------------------------------------

  Resolve it as follows, then continue.
  
[root@localhost /usr/local/src]$  perl -MCPAN -e shell

---------------------------------------------------------------------------
  None of the steps need individual settings, so press Enter through them.
  Also, if the host's own firewall is up, take it down temporarily before running this.
---------------------------------------------------------------------------

  While pressing Enter through the steps, one prompt will keep asking for input.

This is the country selection (the numbers may differ slightly).

  # Select your continent/country.

(1) Africa
(2) Asia
(3) Australasia
(4) Central America
(5) Europe
(6) North America
(7) Oceania
(8) South America
Select your continent (or several nearby continents) [] 2
Sorry! since you don't have any existing picks, you must make a
geographic selection.

(1) China
(2) Hong Kong
(3) India
(4) Indonesia
(5) Japan
(6) Republic of Korea
(7) Russia
(8) Singapore
(9) Taiwan
(10) Thailand
(11) Turkey
Select your country (or several nearby countries) [] 6
Sorry! since you don't have any existing picks, you must make a
geographic selection.


  # Select suitable download locations (URLs).

(1) ftp://cpan.mirror.cdnetworks.com/CPAN/
(2) ftp://cpan.sarang.net/CPAN/
(3) ftp://ftp.kaist.ac.kr/pub/CPAN
Select as many URLs as you like (by number),
put them on one line, separated by blanks, e.g. '1 4 5' [] 1 2 3

Enter another URL or RETURN to quit: []
New set of picks:
  ftp://cpan.mirror.cdnetworks.com/CPAN/
  ftp://cpan.sarang.net/CPAN/
  ftp://ftp.kaist.ac.kr/pub/CPAN


commit: wrote /usr/lib/perl5/5.8.8/CPAN/Config.pm
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.7602)
ReadLine support available (try 'install Bundle::CPAN')

  cpan> 



Once the cpan prompt appears, issue the install commands as follows.

  cpan> install Getopt::Long
  cpan> install IO::Handle
  cpan> install Text::CSV_XS

  Once the installs finish, leave the shell with the quit command.
  cpan> quit

Now re-run the command that failed earlier; one file per country, such as KR.iv0, is generated.

[root@localhost /usr/local/src]$  ./geoip_csv_iv0.pl GeoIPCountryWhois.csv

-------------------------------------------------
[omitted]
   76 ranges for JM Jamaica
   94 ranges for JO Jordan
1745 ranges for JP Japan
  150 ranges for KE Kenya
   38 ranges for KG Kyrgyzstan
   75 ranges for KH Cambodia
    2 ranges for KI Kiribati
    5 ranges for KM Comoros
   63 ranges for KN Saint Kitts and Nevis
    5 ranges for KP Korea, Democratic People's Republic of
  632 ranges for KR Korea, Republic of
  166 ranges for KW Kuwait

[omitted]
-------------------------------------------------

Now it is time to actually block a country's address ranges.
Issue a command that drops requests to the server's port 80 service from IPs originating in China.
 # /usr/local/sbin/iptables -A INPUT -p tcp --dport 80 -m geoip --src-cc CN -j DROP
 If the prompt returns without any message, the rule was accepted.

Note) We run /usr/local/sbin/iptables because the iptables 1.4.3.2 built from source is installed to that location.

The version installed from RPM does not know the geoip match library, so it may print an error message such as:

---------------------------------------------------------------------------------------
iptables v1.3.5: Couldn't load match `geoip':/lib/iptables/libipt_geoip.so: cannot open shared object file: No such file or directory
---------------------------------------------------------------------------------------

If the rule has been added as shown below, it succeeded.

[root@localhost /usr/local/src]$ iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 Source country: CN

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


#### Applying on the server ####

1. First list the IPs to ACCEPT, then apply the DROP policy for the country's IP ranges (if the order is reversed, the ACCEPT rules never take effect, because the DROP matches first).

2. The country code after --src-cc is a fixed two-letter code and matches the country code of the *.iv0 files in /var/geoip/LE.
e.g. Korea KR, China CN, Japan JP, United States US, Canada CA, etc.

#### Allow access only from one specific IP inside the Chinese ranges ####
$IPTABLES -A INPUT -s 11.22.33.11 -j ACCEPT

#### Deny access to all services from the Chinese ranges ####
$IPTABLES -A INPUT -m geoip --src-cc CN -j DROP
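The following is an added example, not code from the original post or from xtables-addons. It models two things the post does by hand: the CSV-to-.iv0 conversion that geoip_csv_iv0.pl performs (so you can check what a KR.iv0 or CN.iv0 actually contains), and the first-match rule ordering from point 1 above, so you can see why a single-host ACCEPT placed after the country DROP never fires. The .iv0 layout assumed here (one (begin, end) pair of little-endian uint32 values per range, as for the LE directory) and the legacy MaxMind column order ("startIp","endIp","startNum","endNum","cc","country") are assumptions; SAMPLE_CSV is constructed sample data, not real allocations.

```python
"""Added example (not from the post or xtables-addons): model of the
CSV -> .iv0 conversion and of first-match iptables rule ordering.
Assumed .iv0 layout: little-endian (begin, end) uint32 pairs (LE dir).
"""
import csv
import io
import ipaddress
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Constructed rows in the legacy GeoIPCountryWhois.csv column order:
# "startIp","endIp","startNum","endNum","cc","country"   (sample data only)
SAMPLE_CSV = '''"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"1.0.8.0","1.0.15.255","16779264","16781311","CN","China"
"1.0.16.0","1.0.31.255","16781312","16785407","JP","Japan"
"1.0.32.0","1.0.63.255","16785408","16793599","CN","China"
"1.11.0.0","1.11.255.255","17498112","17563647","KR","Korea, Republic of"
'''

Range = Tuple[int, int]
Tables = Dict[str, List[Range]]


def csv_to_iv0(text: str) -> Dict[str, bytes]:
    """Group rows by country code; pack each range as two LE uint32s."""
    packed: Dict[str, bytearray] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            raise ValueError(f"unexpected column count: {row!r}")
        start_ip, end_ip, start_num, end_num, cc, _name = row
        begin, end = int(start_num), int(end_num)
        # Dotted and numeric columns must describe the same range; a
        # mismatch means a corrupt or hand-edited CSV line.
        if begin != int(ipaddress.IPv4Address(start_ip)) or \
                end != int(ipaddress.IPv4Address(end_ip)):
            raise ValueError(f"dotted/numeric mismatch: {row!r}")
        if begin > end:
            raise ValueError(f"range begins after it ends: {row!r}")
        packed.setdefault(cc.upper(), bytearray()).extend(
            struct.pack("<II", begin, end))
    return {cc: bytes(buf) for cc, buf in packed.items()}


def load_iv0(blob: bytes) -> List[Range]:
    """Parse .iv0 bytes (e.g. read from /var/geoip/LE/CN.iv0) into pairs."""
    if len(blob) % 8:
        raise ValueError("iv0 data is not a whole number of 8-byte records")
    return [struct.unpack_from("<II", blob, off)
            for off in range(0, len(blob), 8)]


def build_tables(text: str = SAMPLE_CSV) -> Tables:
    return {cc: load_iv0(blob) for cc, blob in csv_to_iv0(text).items()}


def country_of(ip: str, tables: Tables) -> Optional[str]:
    """Country code whose ranges contain ip, or None if unlisted."""
    n = int(ipaddress.IPv4Address(ip))
    for cc, ranges in tables.items():
        if any(begin <= n <= end for begin, end in ranges):
            return cc
    return None


Matcher = Callable[[str, Tables], bool]


def src_host(host: str) -> Matcher:
    """Models '-s <host>'."""
    return lambda ip, _tables: ip == host


def src_cc(cc: str) -> Matcher:
    """Models '-m geoip --src-cc <CC>'."""
    return lambda ip, tables: country_of(ip, tables) == cc


def evaluate(chain: List[Tuple[Matcher, str]], ip: str, tables: Tables,
             policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for matcher, target in chain:
        if matcher(ip, tables):
            return target
    return policy


def demo() -> Dict[str, object]:
    tables = build_tables()
    # Recommended order: single-host ACCEPT before the country-wide DROP.
    ordered = [(src_host("1.0.1.10"), "ACCEPT"), (src_cc("CN"), "DROP")]
    # Reversed: the DROP swallows the host before its ACCEPT is reached.
    reversed_ = [(src_cc("CN"), "DROP"), (src_host("1.0.1.10"), "ACCEPT")]
    return {
        "ranges_CN": len(tables["CN"]),
        "country_1_11_5_5": country_of("1.11.5.5", tables),
        "ordered": evaluate(ordered, "1.0.1.10", tables),
        "reversed": evaluate(reversed_, "1.0.1.10", tables),
        "other_cn_host": evaluate(ordered, "1.0.9.1", tables),
        "jp_host": evaluate(ordered, "1.0.20.1", tables),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To inspect a real table, pass the bytes of an .iv0 file from /var/geoip/LE to load_iv0 and the whole GeoIPCountryWhois.csv to build_tables; country_of then answers whether a given source address would match --src-cc before you add the rule, which is the check worth doing before a DROP goes live.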
