
Requirements

  • shorewall version 4.5.4
  • xtables-addons 1.33
  • libtext-csv-xs perl module

ATTENTION : the default xt_geoip package had a verified bug that causes a kernel panic (see http://rsabalburo.blogspot.com/2015/02/configuring-geoip-support-for-shorewall.html). Please make sure that your distro's package does not have this bug.

apt install xtables-addons-dkms libtext-csv-xs-perl

Get the GeoIP csv files

Prepare the directory that will collect the CSVs, then download them into it:

mkdir -p /usr/share/xt_geoip/
cd /usr/share/xt_geoip/
/usr/lib/xtables-addons/xt_geoip_dl

Build the GeoIP database

/usr/lib/xtables-addons/xt_geoip_build -D . *.csv

Load the xt_geoip kernel module

modprobe xt_geoip

To make sure it was loaded

lsmod | grep xt_geoip

Change your shorewall policy and rules

The policy is to refuse all incoming connections from the internet to the firewall. The rules define exceptions to that policy: they allow connections from the LAN and from a specific country, in our case Algeria (country code DZ).

root@messagerie[192.168.100.20] ~ # cat /etc/shorewall/policy
[...]
$FW     net     ACCEPT
net     $FW     DROP
root@messagerie[192.168.100.20] ~ # cat /etc/shorewall/rules
#ACTION           SOURCE                 DEST            PROTO   DEST PORTS
ACCEPT            net:192.168.0.0/16     $FW              all
ACCEPT            net:172.16.0.0/16      $FW              all
ACCEPT            net:10.0.0.0/8         $FW              all
ACCEPT            net:^[DZ]              $FW              all
ACCEPT            net                    $FW              tcp    ...,25
root@messagerie[192.168.100.20] ~ #

In particular, pay attention to this line:

ACCEPT            net:^[DZ]              $FW              all

This tells Shorewall to accept connections coming from the net zone from any IP range that belongs to the DZ country code. This is possible thanks to the xt_geoip extension we installed earlier.

ACCEPT            net                    $FW              tcp    ...,25

The last line allows any connection from the network to port 25, the SMTP port, which must be available from the outside in order to receive mail from other mail servers. Add here all the ports that you want to leave open, for example the SSH port in case you want to connect from home.

That's it

Run shorewall check, then shorewall restart, and be sure to do this on a test machine first before doing things in production. Here's how to test your firewall settings, using hping3 on your own machine and tcpdump on the server. hping3 is useful because it can spoof your source IP, so you can test whether the firewall responds or not in the three scenarios you have set:

  1. Connection from the LAN (your own machine, no spoofing)
  2. Connection from the outside with a random IP
  3. Connection from the outside with an Algerian IP (or an IP from the country you have whitelisted)
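The following is an added example, not code from this page, from Shorewall or from xtables-addons. It models the whole chain in one place: what xt_geoip_build does with the CSV rows (grouping ranges per country and writing them as uint32 start/end pairs into <CC>.iv4 files), the lookup that a net:^[DZ] match performs on each packet, and Shorewall's first-match-wins evaluation of the rules file above, falling back to the net -> $FW DROP policy. It then runs the three test scenarios listed above against that model, so you know what the hping3/tcpdump test should show before you touch the real box. The CSV rows are constructed sample data, not a real GeoIP database, and the LAN list uses the full RFC 1918 block 172.16.0.0/12 where the page's rules file has 172.16.0.0/16.

```python
"""Offline model of the country-based ACL set up on this page.

Added example, not code from the page, Shorewall or xtables-addons.
It mirrors three pieces of the setup:
  1. xt_geoip_build: group GeoIPCountryWhois-style CSV rows per country
     and serialise them in the .iv4 layout (uint32 start/end pairs);
  2. the net:^[DZ] match: look an address up in those tables;
  3. Shorewall's evaluation order: first matching rule wins, otherwise
     the net -> $FW policy (DROP) applies;
and then runs the three test scenarios from the page against that model.
The CSV rows below are constructed sample data, not a real database.
"""
import csv
import io
import ipaddress
import struct

# Constructed sample rows in the GeoIPCountryWhois.csv layout:
# "start_ip","end_ip",start_int,end_int,"CC","Country"
SAMPLE_CSV = '''\
"41.96.0.0","41.111.255.255",694157312,695205887,"DZ","Algeria"
"105.96.0.0","105.111.255.255",1767899136,1768947711,"DZ","Algeria"
"203.0.113.0","203.0.113.255",3405803776,3405804031,"XX","Example"
'''


def build_tables(csv_text):
    """Group ranges by country code, as xt_geoip_build does before writing
    one <CC>.iv4 file per country. Rejects rows whose dotted and integer
    columns disagree (a corrupt or truncated download)."""
    tables = {}
    for row in csv.reader(io.StringIO(csv_text)):
        start_ip, end_ip, start_int, end_int, cc, _country = row
        start, end = int(start_int), int(end_int)
        dotted = (int(ipaddress.IPv4Address(start_ip)),
                  int(ipaddress.IPv4Address(end_ip)))
        if dotted != (start, end):
            raise ValueError(f"inconsistent CSV row: {row}")
        tables.setdefault(cc.upper(), []).append((start, end))
    for ranges in tables.values():
        ranges.sort()
    return tables


def pack_iv4(ranges, little_endian=True):
    """Serialise one country's ranges in the .iv4 layout: back-to-back
    uint32 (start, end) pairs. The LE/ and BE/ output directories differ
    only in byte order; GEOIPDIR on this page points at the LE one."""
    fmt = "<II" if little_endian else ">II"
    return b"".join(struct.pack(fmt, start, end) for start, end in ranges)


def country_of(ip, tables):
    """Country code whose range contains ip, or None: the per-packet
    lookup behind a net:^[DZ] match."""
    n = int(ipaddress.IPv4Address(ip))
    for cc, ranges in tables.items():
        if any(start <= n <= end for start, end in ranges):
            return cc
    return None


# RFC 1918 space. The page's rules file uses 172.16.0.0/16, which is only
# a 1/16th slice of the real 172.16.0.0/12 block; the full block is used here.
LAN_RANGES = [ipaddress.ip_network(c)
              for c in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# The page's rules file reduced to (source, proto, dest ports); every rule
# is ACCEPT and they are evaluated top to bottom.
RULES = [
    ("lan", "all", None),
    ("country:DZ", "all", None),
    ("net", "tcp", {25}),
]
POLICY = "DROP"  # net -> $FW policy from /etc/shorewall/policy


def evaluate(src_ip, proto, dport, tables):
    """Decision for one inbound packet to $FW: first matching rule wins."""
    addr = ipaddress.IPv4Address(src_ip)
    for source, rule_proto, ports in RULES:
        if source == "lan" and not any(addr in net for net in LAN_RANGES):
            continue
        if source.startswith("country:") and country_of(src_ip, tables) != source[8:]:
            continue
        if rule_proto != "all" and rule_proto != proto:
            continue
        if ports is not None and dport not in ports:
            continue
        return "ACCEPT"
    return POLICY


def run_scenarios(tables):
    """The three checks listed above (plus SMTP from a random address)."""
    return {
        "lan_ssh": evaluate("192.168.100.5", "tcp", 22, tables),    # 1. from the LAN
        "random_ssh": evaluate("203.0.113.7", "tcp", 22, tables),   # 2. random outside IP
        "random_smtp": evaluate("203.0.113.7", "tcp", 25, tables),  #    same IP, but port 25 is open
        "dz_ssh": evaluate("41.100.0.1", "tcp", 22, tables),        # 3. whitelisted country
    }


if __name__ == "__main__":
    geo = build_tables(SAMPLE_CSV)
    print("DZ.iv4 (LE):", pack_iv4(geo["DZ"]).hex())
    for name, verdict in run_scenarios(geo).items():
        print(f"{name:12s} {verdict}")
```

Running it prints the little-endian bytes that would land in LE/DZ.iv4 for the sample rows and one verdict per scenario: the LAN and DZ sources are accepted on any port, while the random outside address is dropped on port 22 and accepted only on port 25. If your tcpdump capture disagrees with this table, the rule order or the GeoIP database is what to look at.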

Troubleshooting

If you get this error:

ERROR: A country-code require GeoIP Match in your kernel and iptables /etc/shorewall/rules (line 5)

you should check that you've put the GeoIP databases where Shorewall is configured to look for them. This is usually /usr/share/xt_geoip/LE, but confirm it by grepping for geo in shorewall.conf.


contact : @ychaouche yacinechaouche at yahoocom

