SMEServer Xt GeoIP

From Realm Business Systems Ltd
https://wiki.koozali.org/Xt_geoip

Maintainer

Michel Begue


Version

{{#smeversion: smeserver-xt_geoip}}

{{#smeversion: xtables-addons }}

{{#smeversion: xtables-addons-kmod }}

Description

* Warning, from the MaxMind site:

"Due to upcoming data privacy regulations, we are making significant changes to how you access free GeoLite2 databases starting December 30, 2019. Learn more on our blog." https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/

"Starting December 30, 2019, we will be requiring users of our GeoLite2 databases to register for a MaxMind account and obtain a license key in order to download GeoLite2 databases. We will continue to offer the GeoLite2 databases without charge, and with the ability to redistribute with proper attribution and in compliance with privacy regulations. In addition, we are introducing a new end-user license agreement to govern your use of the GeoLite2 databases. Previously, GeoLite2 databases were accessible for download to the public on our developer website and were licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.

Starting December 30, 2019, downloads will no longer be served from our public GeoLite2 page, from geolite.maxmind.com/download/geoip/database/*, or from any other public URL."

See the Installation section below for the steps to migrate to the new download mechanism.

This contrib installs xtables-addons (http://xtables-addons.sourceforge.net/geoip.php) on SME Server 9.x.
Xtables-addons includes xt_geoip, which this contrib uses to filter packets depending on the country they come from.

Installation

Sign up for a MaxMind account (no purchase required): https://dev.maxmind.com/geoip/geoip2/geolite2/

Important: note your login details, in particular your AccountID and LicenseKey.

Go to Services > My License Key and generate a licence key; note the key details carefully. Multiple keys may be created, and these details are also used by the smeserver-geoip contrib.

The following configuration property keys and values are used to set up the geoip configuration db for ongoing updates (see below):

AccountID #######
LicenseKey xxxxxxxxxxxxxxx

Install the contrib:

yum --enablerepo=smecontribs install smeserver-xt_geoip

You might need to update to the latest smeserver-yum (>= 2.4.0-23) first, or you will get an error because of a missing GPG key.

A geoip configuration db entry may already be present from another contrib; check for its existence:

# config show geoip
geoip=service
status=enabled

If it does exist but the LicenseKey and AccountID are NOT present, perform the following:

db configuration setprop geoip LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID"

If the configuration db entry is not present, create it with the following keys and properties:

db configuration set geoip service status enabled LicenseKey "YOUR LIC KEY" AccountID "YOUR ACCT ID"
# config show geoip
geoip=service
   AccountID=xxxxxx
   LicenseKey=xxxxxxxxxxxxxxx
   status=enabled

Then run:

modprobe xt_geoip
signal-event xt_geoip-update
config set UnsavedChanges no

You might have issues with kmod not populating the weak-updates folder, which results in the geoip module not being available (modprobe xt_geoip gives an error and the panel reports that iptables geoip is not working). If so, run:

weak-modules --add-kernel

Configuration

The easiest way is to go to the server-manager and use the panel. There you will be able to:

  • configure a global filter list of countries. You can either only accept the listed countries or reject the listed countries.
  • configure a per-service (port) exclusion list. Similarly, you can either only accept the listed countries or reject the listed countries.
  • configure whether the global filter overrides the per-service rules, or only filters the other ports that have no specific geoip rule.

After the first 24 hours the server-manager also offers statistics.

Global masq properties

You can list the available configuration with the following command:

config show masq

Some of the properties are not shown, but are defaulted in a template or a script. Here is a more comprehensive list with default and expected values:

property | default | values | description
BadCountries | (empty) | comma-separated list of two-letter country codes | Countries to block for the global filter. If empty, the global filter is deactivated. Maximum of 50 countries.
GeoIP | enabled | enabled, disabled | Enable or disable all the geoip filtering services (i.e. per-service AND global rules).
XtServices | imaps,pop3s,sshd,ftp,ssmtpd | comma-separated list of existing services in the configuration db with defined TCPPorts | You can manually override the list to add your own services (see below).
XTGeoipRev | disabled | enabled, disabled | If enabled, the "BadCountries" list is reverse matched, in other words only the countries in the list are allowed. If the property is empty or missing, its value defaults to disabled.
XTGeoipOther | disabled | enabled, disabled | If enabled, the global rule applies only to services/ports with a specific geoip rule defined. If the property is empty or missing, its value defaults to disabled.
XTlogmail | disabled | enabled, disabled | If enabled, the daily processing sends summary messages to the administrator. If the property is empty or missing, its value defaults to disabled.

To override the list of services (XtServices): click the button under the table of managed services. You get a panel listing all existing (TCP) services on the server; (un)select them [ctrl-click] to build your own list of services.

NOTE: masq is the entry for the SME firewall; there are plenty of other properties under this key, please refer to the manual. Only the properties added by this contrib are referenced here.

NOTE2: XTlogmail is the only property that is not configurable from the Server-Manager.

Per-service properties

You can list the available configuration with the following command:

config show servicename

For the different services you will also encounter these properties:

property | default | values | description
BadCountries | A1 | comma-separated list of two-letter country codes | Countries to block for this specific service. If empty, the global filter is deactivated. Maximum of 50 countries.
XTGeoipRev | disabled | enabled, disabled | If enabled, the "BadCountries" list is reverse matched, in other words only the countries in the list are allowed. If the property is empty or missing, its value defaults to disabled.
XTGeoipOther | disabled | enabled, disabled | If enabled, the global rule applies only to services/ports with a specific geoip rule defined. If the property is empty or missing, its value defaults to disabled.

NOTE: All services have their own specific properties, please refer to the manual. Only the properties added by this contrib are referenced here.
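The following script is an added illustration, not part of the contrib or its templates: it validates a BadCountries value against the constraints stated in the two property tables above (two-letter codes, at most 50) and shows how BadCountries and XTGeoipRev map onto the xt_geoip match syntax (`-m geoip --src-cc`, negated with `!` for the reverse match). The iptables chain, the DROP target and the sample ports are assumptions for the example; the real contrib generates its rules from its own templates.

```shell
# Check a BadCountries value: comma-separated two-letter codes, max 50.
# Legacy MaxMind codes such as A1 (the per-service default) are accepted.
# Returns 0 when the list is valid, 1 otherwise.
validate_bad_countries() {
    list=$1
    [ -n "$list" ] || return 1
    count=0
    old_ifs=$IFS; IFS=,
    for cc in $list; do
        case $cc in
            [A-Z][A-Z0-9]) count=$((count + 1)) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$count" -le 50 ]
}

# Print the iptables rule that an xt_geoip filter for one service port
# would need (assumed chain INPUT and target DROP, for illustration).
#   $1 = TCP port, $2 = BadCountries list, $3 = XTGeoipRev (enabled|disabled)
# With XTGeoipRev enabled the match is negated: traffic from every country
# NOT in the list is dropped, so only the listed countries may connect.
geoip_rule() {
    port=$1; list=$2; rev=${3:-disabled}
    validate_bad_countries "$list" || return 1
    neg=""
    if [ "$rev" = "enabled" ]; then neg="! "; fi
    printf 'iptables -A INPUT -p tcp --dport %s -m geoip %s--src-cc %s -j DROP\n' \
        "$port" "$neg" "$list"
}

# Example: block two countries on sshd (port 22), allow only FR on imaps (993).
geoip_rule 22 "CN,RU" disabled
geoip_rule 993 "FR" enabled
```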

Abbreviated Country Code List

(This list is available with a click on the first panel) {{#lsth:GeoIP| Abbreviated Country Code List }}

Uninstall

yum remove smeserver-xt_geoip   xtables-addons xtables-addons-kmod

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-xt_geoip component, or use Template:BugzillaFileBug

Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component=smeserver-xt_geoip |noresultsmessage=No open bugs found.}}

Changelog

Only the versions released in smecontribs are listed here.

{{#smechangelog: smeserver-xt_geoip }}