ntop / ipt_geofence

Geographical host protection for Linux/FreeBSD

License: GNU Affero General Public License v3.0

C++ 84.29% Makefile 2.53% Shell 7.41% M4 3.20% Python 2.57%
netfilter cybersecurity linux firewall

ipt_geofence's Introduction

ipt_geofence

Geographical host protection for Linux and FreeBSD

This tool allows you to protect your host/network by preventing communications with unwanted countries (aka geofencing). Furthermore, it allows you to specify a list of blacklists that enable you to drop well-known attackers.

Prerequisites

You need to install GeoIP libraries, Netfilter Queue, curl and JSONCPP packages in addition to the compiler.

For Ubuntu/Debian based systems do: sudo apt-get install build-essential autoconf automake autogen libmaxminddb-dev libcurl4-openssl-dev libnetfilter-queue-dev libjsoncpp-dev

On FreeBSD do: pkg install -y autoconf automake curl libmaxminddb jsoncpp libzmq4 python3

The tool also needs a GeoIP database in MaxMind DB (.mmdb) format, which you can obtain from sites such as db-ip or maxmind.

Configuration

This tool uses NFQUEUE to receive packets from the kernel and analyze them in user-space. This means that you need to configure the Linux firewall before running the application. We provide a simple firewall configuration file that shows how to send selected packets to the application for inspection.

You also need to write a configuration file for your rules. We provide sample_config.json as a configuration example.

Binary Packages

Under packages/debian you can build a binary package for easy install on Debian/Ubuntu-based systems.

Usage

Supposing that you have configured the firewall as described above, you need to start the tool (as root) as follows:

ipt_geofence -c config.json -m dbip-country-lite.mmdb

Performance

On Linux, as only one packet per connection is sent to user-space, you will basically not observe any noticeable performance degradation. On FreeBSD instead, all packets have to pass through the application.

ipt_geofence's People

Contributors

aldobuzi, cardigliano, frenzis01, lucaderi, salvogs, yuricaprini


ipt_geofence's Issues

Periodically Reload Blacklists

In case the configuration has blacklists configured, it is required to periodically reload them as specified by a JSON file parameter.

firewalld and nftables

I was playing with Fedora Linux 36 and ipt_geofence.
Fedora Linux uses firewalld and nftables as its default backend (not iptables).

Please note: I'm not an expert of such topics (I'm not an expert in anything TBH).
The possibilities to configure firewalld are powerful, but still pretty basic. I was looking for a way to preserve the default firewalld configuration (rules) and to add the rules required by ipt_geofence (forwarding packets to NFQUEUE, right?) using rich language. However (but I can be wrong), rich language is limited as well. There is also a direct option, but it is deprecated since it still expects iptables as the backend (you will end up with a mix of nft and iptables rules).

So.
Loading the example iptables script, dumping these iptables rules to a file, then issuing iptables-restore-translate -f /root/iptables.dump > /etc/nftables/ipt_geofence.nft, it is possible to translate the iptables rules to nftables syntax.

ipt_geofence.nft.txt

Then, it is possible to load these rules without flushing the current firewall configuration with nft -f /etc/nftables/ipt_geofence.nft.
It seems that packets are passed to ipt_geofence and expected IP addresses are blocked.

It is also possible to remove such nftables rules using a file containing these lines:

table ip mangle
delete table ip mangle

And read it again with nft -f /etc/nftables/stop-ipt_geofence.nft
In this way the other rules are preserved.

ipt_geofence.nft.txt

Local IPs get banned

Hello,

I see local IPs get banned:

root@UniFi-Video:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N IPT_GEOFENCE_BLACKLIST
-N f2b-sshd
-A INPUT -j IPT_GEOFENCE_BLACKLIST
-A IPT_GEOFENCE_BLACKLIST -s 192.168.123.133/32 -j DROP
-A IPT_GEOFENCE_BLACKLIST -s 192.168.123.135/32 -j DROP
-A IPT_GEOFENCE_BLACKLIST -s 192.168.123.143/32 -j DROP
-A IPT_GEOFENCE_BLACKLIST -s 192.168.123.137/32 -j DROP
-A IPT_GEOFENCE_BLACKLIST -s 192.168.123.134/32 -j DROP
-A IPT_GEOFENCE_BLACKLIST -s 192.168.123.132/32 -j DROP
-A IPT_GEOFENCE_BLACKLIST -s 192.168.123.130/32 -j DROP

I tried adding them in whitelist.txt, but they got auto removed, is there any logic that does this? Or maybe I have a sync issue.
Or is there any other way to avoid blocking local IPs or CIDR blocks?

Thank you! Super nice code btw!

Ban Hosts of Dropped Flows

In case a flow has been banned on port X, such host needs to be banned on all ports (even those not monitored) of the same host. In essence turn this tool into an active honeypot.

Rework JSON Configuration

The JSON configuration is not very readable and some changes are required. This is an example of a better JSON that could replace the current one:

{
	"queue_id": 0,
	"default_policy": "DROP",
	"monitored_ports": {
		"tcp": [22, 80, 443],
		"udp": [],
		"ignored_ports": [123]
	},
	"policy": {
		"drop": {
			"countries_whitelist": ["IT", "DE", "CH", "NL"],
			"continents_whitelist": ["NA"]
		},
		"pass": {
			"countries_blacklist": ["RU", "BY"],
			"continents_blacklist": ["EU"]
		}
	},
	"blacklists": [
		"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dshield_7d.netset",
		"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset",
		"https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt",
		"https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
		"https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
		"https://sslbl.abuse.ch/blacklist/sslipblacklist.txt"
	]
}
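A policy walk-through for the proposed configuration above, which also covers the local-address exemption asked for in the "Local IPs get banned" issue; this is an added example, not code from ipt_geofence. It assumes a FireHOL-style feed embedded inline, a dictionary standing in for the GeoIP (.mmdb) lookup, and a hypothetical LOCAL_NETS exemption list that the tool's configuration does not have.

```python
import ipaddress
import json

# Proposed configuration from the issue above (blacklist URLs omitted: the feed is embedded below).
CONFIG_JSON = """{
  "queue_id": 0, "default_policy": "DROP",
  "monitored_ports": {"tcp": [22, 80, 443], "udp": [], "ignored_ports": [123]},
  "policy": {
    "drop": {"countries_whitelist": ["IT", "DE", "CH", "NL"], "continents_whitelist": ["NA"]},
    "pass": {"countries_blacklist": ["RU", "BY"], "continents_blacklist": ["EU"]}}}"""
# Constructed feed in FireHOL .netset style (comments, CIDRs, bare IPs); addresses are documentation ranges.
BLACKLIST_TEXT = "# constructed sample feed\n203.0.113.0/24\n198.51.100.7\n"
# Constructed stand-in for the GeoIP lookup (the real tool reads an .mmdb file): ip -> (country, continent)
GEO = {"203.0.113.5": ("US", "NA"), "198.51.100.7": ("DE", "EU"),
       "192.0.2.9": ("RU", "EU"), "192.0.2.44": ("IT", "EU")}
# Hypothetical exemption list: RFC 1918, loopback and link-local ranges must never be banned.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def load_blacklist(text):
    """Parse a netset/ipset feed: strip comments and blanks, accept CIDRs and single addresses."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def verdict(cfg, blacklist, ip, port, proto="tcp"):
    """Return PASS or DROP for the first packet of a flow from ip to a local port."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in LOCAL_NETS):
        return "PASS"                      # local hosts are exempt before any other check
    ports = cfg["monitored_ports"]
    if port in ports["ignored_ports"] or port not in ports.get(proto, []):
        return "PASS"                      # not a monitored port: nothing to decide
    if any(addr in n for n in blacklist):
        return "DROP"                      # known-bad source from a feed, regardless of country
    country, continent = GEO.get(ip, ("??", "??"))
    if cfg["default_policy"] == "DROP":    # whitelist mode: only listed countries/continents pass
        allow = cfg["policy"]["drop"]
        ok = country in allow["countries_whitelist"] or continent in allow["continents_whitelist"]
        return "PASS" if ok else "DROP"
    deny = cfg["policy"]["pass"]           # blacklist mode: only listed countries/continents drop
    bad = country in deny["countries_blacklist"] or continent in deny["continents_blacklist"]
    return "DROP" if bad else "PASS"

CONFIG = json.loads(CONFIG_JSON)
BLACKLIST = load_blacklist(BLACKLIST_TEXT)
```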

How to run the tool -> ipt_geofence: command not found

Hi all,

I've followed the readme file, downloaded a db file and made a test config.json file, but whenever I use your command ipt_geofence -c config.json -m dbip-country-lite.mmdb I get an error saying that the ipt_geofence command is not known.

I think you have to be more explicit about how to install the file properly. Could you please guide me on what next steps one should follow in order to test the tool? I think that the Installation step should be edited to provide additional steps regarding the next commands we need to run in order to make the file, or the executable to be run, so the tool gets installed properly.

Thank you in advance!

Add IPv6 Support

Currently only IPv4 is supported, whereas IPv6 would be desirable.

Add ability to define marker values

Currently used markers have values 1 and 2 that can be very common and used by other tools. This is to request the ability to define marker values in the configuration file to let users choose the one they like according to the configuration.

Add ASN Support

Currently, it is possible to block only per individual country. It would be desirable to also specify ASNs to allow/block.

Local blacklists

Is it possible to use local files in the json configuration file "blacklist" stanza instead of URLs?
