Thursday, 30 May 2013

OpenWRT iptables-mod-geoip howto

How to filter internet traffic based on country of origin (or destination) on your router?

Prerequisites:
A Linux (or *BSD) based router. I'm using OpenWRT.

Installation:
You can install iptables-mod-geoip from the LuCI web interface
(System > Software > Available packages > L),
but you will get your hands dirty with the shell anyway.

And that's it. You have it installed.
But it can't be that easy, can it? Right. The problem is that you also need the mapping of IP ranges to countries.

I won't cover this, because there is plenty of information out there on where (and how) to get these. Look here or here or here or here. And if it's still not clear, look here.

When we have it, we suddenly realize that it's more than 4 MB in size, so we will install only the countries we'll actually use. For me it's Slovakia, so I'll need (BE and LE are the big-endian and little-endian copies of the database; the geoip match loads the one that fits your router's CPU):
/usr/share/xt_geoip/BE/SK.iv4
/usr/share/xt_geoip/BE/SK.iv6
/usr/share/xt_geoip/LE/SK.iv4
/usr/share/xt_geoip/LE/SK.iv6

First install the iptables-mod-geoip module, if you haven't already:

opkg install iptables-mod-geoip

Create the directories:

mkdir -p /usr/share/xt_geoip/BE /usr/share/xt_geoip/LE

And copy in the extracted country mappings:

scp me@mypc:/usr/share/xt_geoip/BE/SK.iv? /usr/share/xt_geoip/BE
scp me@mypc:/usr/share/xt_geoip/LE/SK.iv? /usr/share/xt_geoip/LE

And that's pretty much it!
Now you can create your custom rules in LuCI through Network > Firewall > Custom rules, or directly from the command line.
Say we want to allow SSH from Slovak addresses:

iptables -I zone_wan -p tcp --dport 22 -m geoip --src-cc SK -j ACCEPT

But if you want your rules to survive a reboot, you'll have to put them in the /etc/firewall.user file anyway.
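As an added example (not from the original post), here is an /etc/firewall.user fragment that applies the same kind of geoip rule in a reusable way: it accepts a port from the listed countries, logs (rate-limited) and drops attempts from everywhere else, and checks with -C before inserting so that running it twice does not duplicate rules. It assumes OpenWrt's zone_wan chain from the rule above, the SK database files installed in the steps above, that the LOG target and limit match are available on your build, and that it runs as root on the router; the IPT, IPT6, CHAIN and ALLOWED_CC variables and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a fragment for /etc/firewall.user.
# Assumptions: OpenWrt's zone_wan chain exists, SK.iv4/SK.iv6 are installed under
# /usr/share/xt_geoip/{BE,LE}, the LOG target and limit match are available, and
# the script runs as root on the router. Variable and function names are my own.
IPT="${IPT:-iptables}"
IPT6="${IPT6:-ip6tables}"
CHAIN="${CHAIN:-zone_wan}"
ALLOWED_CC="${ALLOWED_CC:-SK}"   # comma-separated country codes, as --src-cc accepts them

# Rule body (everything after the chain name) accepting a TCP port from the allowed countries.
geoip_allow_rule() {
    printf '%s' "-p tcp --dport $1 -m geoip --src-cc $ALLOWED_CC -j ACCEPT"
}

# Rule body logging attempts on the port from any other country. Rate-limited,
# because the syslog of a flash-based router should not be flooded by scanners.
geoip_log_rule() {
    printf '%s' "-p tcp --dport $1 -m geoip ! --src-cc $ALLOWED_CC -m limit --limit 6/min -j LOG --log-prefix geoip-drop:"
}

# Rule body dropping those attempts.
geoip_drop_rule() {
    printf '%s' "-p tcp --dport $1 -m geoip ! --src-cc $ALLOWED_CC -j DROP"
}

# Insert a rule at the top of CHAIN only if an identical rule is not already there
# (-C returns non-zero when it is missing), so re-running the script never duplicates it.
insert_once() {
    ipt_cmd="$1"
    shift
    "$ipt_cmd" -C "$CHAIN" "$@" 2>/dev/null || "$ipt_cmd" -I "$CHAIN" "$@"
}

# Apply the three rules for each port given, for IPv4 and (if present) IPv6.
# Because -I prepends, DROP goes in first and ACCEPT last, leaving the order ACCEPT, LOG, DROP.
apply_geoip_rules() {
    for port in "$@"; do
        for tool in "$IPT" "$IPT6"; do
            command -v "$tool" >/dev/null 2>&1 || continue
            insert_once "$tool" $(geoip_drop_rule "$port")
            insert_once "$tool" $(geoip_log_rule "$port")
            insert_once "$tool" $(geoip_allow_rule "$port")
        done
    done
}

# Only act when the zone chain really exists (i.e. on the router). When the file is
# merely sourced, or iptables is absent, just the functions above get defined.
if "$IPT" -nL "$CHAIN" >/dev/null 2>&1; then
    apply_geoip_rules 22
fi
```

Because -I puts the ACCEPT at the very top of zone_wan, ahead of OpenWrt's own zone rules, keep the port list short and deliberate; `apply_geoip_rules 22 443` would cover a second service. After editing /etc/firewall.user, `/etc/init.d/firewall restart` applies it, and the `geoip-drop:` lines in `logread` show who is knocking from outside the allowed countries.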


That's all from me now.
Thanks for reading, and leave your feedback in the comments below.
