
Kernel patch manual for country-based access restriction with the iptables geoip match

Ben Ko (SINCE 2013) 2013. 1. 16. 15:37

1. Download geoipdb.bin and geoipdb.idx from people.netfilter.org/peejix/geoip/database

2. Create the /var/geoip directory and copy the two files downloaded above into it.
   - geoipdb.bin: binary-format data of the IP ranges per country
   - geoipdb.idx: index file
   (The geoip match reads both files from /var/geoip; the database only reflects the allocations known when it was built, so a stale copy will misclassify recently reassigned ranges. Refresh it when you update the rules.)

3. Patch iptables and the kernel to use geoip
    - Check whether the kernel source is at /usr/src/linux or another location (if you intend to build a new kernel, put the kernel source under /usr/src/linux)
    - Download the iptables source
      wget http://iptables.org/projects/iptables/files/iptables-1.3.8.tar.bz2
    - Download the patch set
       http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
    - Extract the patch set, fetch the external patchlets with ./runme --download, then apply geoip with ./runme geoip (the session below shows both; runme asks for the kernel and iptables source directories when KERNEL_DIR and IPTABLES_DIR are not set)
       tar xfz patch-o-matic-ng-XXXXXX.tar.gz
       cd patch-o-matic-ng-XXXXXX
 
[root@sfw-2 patch-o-matic-ng-20071009]# ./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] /usr/src/linux
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] /root/src/iptables-1.3.8
Loading patchlet definitions......................... done


Excellent! Source trees are ready for compilation.

[root@sfw-2 patch-o-matic-ng-20071009]# ./runme geoip
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] /usr/src/linux
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] /root/src/iptables-1.3.8
Loading patchlet definitions......................... done


Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel:   2.6.22, /usr/src/linux
Iptables: 1.3.8, /root/src/iptables-1.3.8
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing geoip... not applied
The geoip patch:
   Author: Samuel Jean <jix@bugmachine.ca>; Nicolas Bouliane <nib@bugmachine.ca>
   Status: Stable

This patch makes possible to match a packet
by its source or destination country.

GeoIP options:
        [!]   --src-cc, --source-country country[,country,country,...]

                        Match packet coming from (one of)
                        the specified country(ies)


        [!]   --dst-cc, --destination-country country[,country,country,...]
                                             
                        Match packet going to (one of)
                        the specified country(ies)

           NOTE: The country is inputed by its ISO3166 code.

The only extra files you need is a binary db (geoipdb.bin) & its index file (geoipdb.idx).
Take a look at http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

Excellent! Source trees are ready for compilation.

Recompile the kernel image (if there are non-modular netfilter modules).
Recompile the netfilter kernel modules.
Recompile the iptables binaries.

- Recompiling the kernel
(With kernel 2.6.22 or later, geoip-match-2.6.22.patch must be applied on top of the patch-o-matic-ng result before the kernel is compiled, otherwise the build fails.) The paths in that patch carry a geoip-20061206/linux-2.6/ prefix, so when run from the kernel tree with -d /usr/src/linux it needs -p2; without a --strip option patch cannot locate ipt_geoip.c and prompts for the file, which is what happens in the session below, where the path was typed in by hand:
[root@nhkotest src]# patch -d /usr/src/linux < geoip-match-2.6.22.patch
can't find file to patch at input line 4
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|diff -urN geoip-20061206/linux-2.6/net/ipv4/netfilter/ipt_geoip.c geoip/linux-2.6/net/ipv4/netfilter/ipt_geoip.c
|--- geoip-20061206/linux-2.6/net/ipv4/netfilter/ipt_geoip.c    2006-12-06 03:47:46.000000000 +0100
|+++ geoip/linux-2.6/net/ipv4/netfilter/ipt_geoip.c     2007-07-10 17:17:11.599991698 +0200
--------------------------
File to patch: /usr/src/linux/net/ipv4/netfilter/ipt_geoip.c
patching file /usr/src/linux/net/ipv4/netfilter/ipt_geoip.c
[root@nhkotest src]#

 

       cd /usr/src/linux; make menuconfig
       Navigate to the menu below, include "geoip match support" either as a module or built in statically, and save.
       ====================================
Device Drivers
-> Networking support
-> Networking support
-> Networking options
-> Network packet filtering (replaces ipchains)
-> IP: Netfilter Configuration
-> [*] geoip match support
       ====================================
      Recompile (and install) the kernel; if geoip was built as a module, make sure ipt_geoip is loaded before the rules are added.
    - Compile and install the patched iptables source (the geoip userspace extension only exists in the patched tree; a distribution iptables binary will not recognise -m geoip)

4. Ruleset
   @ Block web access from Japan and the United States, and allow access from everywhere else
    iptables -A INPUT -p tcp --dport 80 -m geoip --src-cc JP,US -j DROP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 
   @ Allow FTP only from Korea and block connections from all other countries
    iptables -A INPUT -p tcp --dport 21 -m geoip --src-cc KR -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j DROP
 
    or: iptables -A INPUT -p tcp --dport 21 -m geoip ! --src-cc KR -j DROP

   Country codes are ISO 3166 alpha-2 codes. Rule order matters: the first matching rule decides, so the catch-all ACCEPT or DROP for the port must come after the geoip rule, and because -A appends, any earlier rule in INPUT that already accepts the port will take precedence. A country match is only as good as the database and says nothing about proxies or VPN exits inside the allowed country, so treat it as a filter in front of authentication, not a replacement for it.
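The rules above are the whole of what the post shows. As an added example (not code from the original post), here is a small POSIX shell script that produces the same two kinds of ruleset from a port and a country list, validates the ISO 3166 code list before emitting anything, and checks that the geoip match is actually usable before any DROP rule is applied. The function names, the "apply" argument, and the loopback and ESTABLISHED,RELATED rules are my additions; the geoip options themselves are the ones documented by the patch.

```shell
#!/bin/sh
# Added example, not from the original post: generate and optionally apply
# country-based iptables rules for one TCP port using the geoip match.
# The ESTABLISHED,RELATED accept goes first so the geoip lookup is only
# done for new connections; the loopback accept keeps local clients out
# of the country filter. Function names and the "apply" argument are
# this example's own conventions.

# Accept only a comma-separated list of ISO 3166 alpha-2 codes (format check only;
# the module itself decides whether a code is known to the database).
valid_cc_list() {
    echo "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# Print rules that allow PORT only from COUNTRIES and drop everyone else.
# Nothing is executed here; the output is meant to be reviewed, then piped to sh.
geoip_allow_only() {
    port=$1; countries=$2
    valid_cc_list "$countries" || { echo "bad country list: $countries" >&2; return 1; }
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m geoip --src-cc $countries -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j DROP
EOF
}

# The inverse policy: drop PORT from COUNTRIES, allow the rest.
geoip_block_from() {
    port=$1; countries=$2
    valid_cc_list "$countries" || { echo "bad country list: $countries" >&2; return 1; }
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m geoip --src-cc $countries -j DROP
iptables -A INPUT -p tcp --dport $port -j ACCEPT
EOF
}

# Succeeds only when the patched iptables binary and the ipt_geoip kernel
# module are both present: "-m geoip --help" then prints the --src-cc option,
# and fails otherwise. Run this before inserting any DROP rule so a missing
# module does not silently leave the port open or closed.
geoip_match_available() {
    iptables -m geoip --help 2>/dev/null | grep -q -- '--src-cc'
}

# Usage: with no argument, print the "FTP from Korea only" ruleset from the
# post; with "apply", apply it only if the geoip match is really available.
if [ "${1:-}" = "apply" ]; then
    geoip_match_available || { echo "geoip match not available; rules not applied" >&2; exit 1; }
    geoip_allow_only 21 KR | sh
else
    geoip_allow_only 21 KR
fi
```

Generating the rules as text before applying them keeps the review step explicit, and the availability check matters because an iptables binary without the geoip extension rejects the whole command, which with a naive script would leave the port without its final DROP.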


* Manual
http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-2.html#ss2.1 

 
