Requirements
- shorewall version 4.5.4
- xtables-addons 1.33
- libtext-csv-xs perl module
ATTENTION: the default package for xt_geoip had a verified bug that causes a kernel panic (http://rsabalburo.blogspot.com/2015/02/configuring-geoip-support-for-shorewall.html). Make sure that your distro's package does not have this bug.
apt install xtables-addons-dkms libtext-csv-xs-perl
Get the GeoIP csv files
Prepare the directory to collect the CSVs, then download them:
mkdir -p /usr/share/xt_geoip/
cd /usr/share/xt_geoip/
/usr/lib/xtables-addons/xt_geoip_dl
Build the GeoIP database
/usr/lib/xtables-addons/xt_geoip_build -D . *.csv
Load the xt_geoip kernel module
modprobe xt_geoip
To make sure it was loaded
lsmod | grep xt_geoip
Change your shorewall policy and rules
The policy is to refuse all incoming connections from the internet to the firewall. The rules define exceptions to the policy that allow connections from the LAN and from a specific country, in our case Algeria (code DZ).
root@messagerie[192.168.100.20] ~ # cat /etc/shorewall/policy
[...]
$FW net ACCEPT
net $FW DROP
root@messagerie[192.168.100.20] ~ # cat /etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST PORTS
ACCEPT net:192.168.0.0/16 $FW all
ACCEPT net:172.16.0.0/16 $FW all
ACCEPT net:10.0.0.0/8 $FW all
ACCEPT net:^[DZ] $FW all
ACCEPT net $FW tcp ...,25
root@messagerie[192.168.100.20] ~ #
In particular, pay attention to this line
ACCEPT net:^[DZ] $FW all
This tells shorewall to accept connections coming from the network for all the IP ranges corresponding to the DZ country code. This is possible thanks to the xt_geoip extension we installed earlier.
ACCEPT net $FW tcp ...,25
The last line allows any connection from the network to port 25. This is the SMTP port, which must be available from the outside in order to receive mail from other mail servers. Add here all the ports that you want to leave open, for example the ssh port in case you want to connect from home.
That's it. Run
shorewall check
then
shorewall restart
Be sure to do this on a test machine first before doing things in production. Here is how to test your firewall settings, using hping3 on your own machine and tcpdump on the server. hping3 is useful to spoof your IP, so that you can test whether the firewall responds or not in the three scenarios you have set:
- Connection from the lan (your own machine, no spoofing)
- Connection from the outside with a random IP
- Connection from the outside with an Algerian IP (or the country you have whitelisted)
Troubleshooting
If you get this error
ERROR: A country-code require GeoIP Match in your kernel and iptables /etc/shorewall/rules (line 5)
you should check that you have put the GeoIP databases where shorewall is configured to look for them. This is usually /usr/share/xt_geoip/LE, but make sure by grepping for "geo" in shorewall.conf.
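To catch the problem above before running shorewall restart, here is a small pre-flight check. It is an added example, not part of this page or of Shorewall/xtables-addons, and it assumes the xt_geoip 1.x database layout (GEOIPDIR/LE/CC.iv4, GEOIPDIR/BE/CC.iv4 and the .iv6 counterparts) and that shorewall.conf names the directory in a GEOIPDIR= line (the default being /usr/share/xt_geoip).

```shell
#!/bin/sh
# Pre-flight check for country-code rules (added example, not from the page).
# Assumed layout: <GEOIPDIR>/LE/<CC>.iv4, <GEOIPDIR>/BE/<CC>.iv4 (+ .iv6),
# and a "GEOIPDIR=..." line in shorewall.conf (assumed setting name).

# Print the GEOIPDIR value from a shorewall.conf, or the assumed default.
geoipdir_from_conf() {
    conf="$1"
    dir=$(sed -n 's/^[[:space:]]*GEOIPDIR=//p' "$conf" 2>/dev/null | tail -n 1 | tr -d '"')
    [ -n "$dir" ] && echo "$dir" || echo "/usr/share/xt_geoip"
}

# Return 0 if the IPv4 and IPv6 tables for country code $2 exist and are
# non-empty under $1 in both byte orders; otherwise list what is missing
# on stderr and return 1.
geoip_db_present() {
    base="$1"; cc="$2"; missing=0
    for order in LE BE; do
        for ver in iv4 iv6; do
            f="$base/$order/$cc.$ver"
            if [ ! -s "$f" ]; then
                echo "missing or empty: $f" >&2
                missing=1
            fi
        done
    done
    return $missing
}

# Return 0 if the xt_geoip kernel module is currently loaded.
xt_geoip_loaded() {
    lsmod 2>/dev/null | grep -q '^xt_geoip[[:space:]]'
}

# Whole check, as you would run it before "shorewall check && shorewall restart".
# Usage: preflight [/etc/shorewall/shorewall.conf] [DZ]
preflight() {
    conf="${1:-/etc/shorewall/shorewall.conf}"; cc="${2:-DZ}"
    dir=$(geoipdir_from_conf "$conf")
    echo "GEOIPDIR=$dir"
    geoip_db_present "$dir" "$cc" || return 1
    xt_geoip_loaded || { echo "xt_geoip not loaded: run modprobe xt_geoip" >&2; return 1; }
    echo "ok: $cc tables found under $dir and xt_geoip is loaded"
}
```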
contact : @ychaouche yacinechaouche at yahoocom