CentOS / RedHat 6.5 Xtables-addons installation, also puppet xtables-addons

Here are the steps and a couple of tips on how to install xtables-addons on CentOS and RedHat 6.4 and 6.5. It might work on all 6.x releases. The centalt repo has rpms and srpms for versions 1.41 and 1.47.1, but I couldn't use any of them on the above mentioned installations.

I wrote a puppet module which installs xtables-addons and the update script. The module can be found at https://github.com/catalinpan/puppet-xtables-addons, with some more explanation on how it can be used.

For the manual installation, start by updating your server, or skip to the next command.

yum update

If you want to install the package without updating all the other packages, make sure that kernel, kernel-devel and kernel-headers are exactly the same version, for example 2.6.32-431.20.5.el6. Use the command:

yum install kernel-devel-`uname -r` iptables-devel kernel-headers-`uname -r`

Disable SELinux for the moment. After the installation, use the SELinux tools to apply the right policies to the folders, otherwise iptables will not start.

setenforce 0

rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

yum install gcc gcc-c++ make automake unzip zip perl perl-Text-CSV_XS xz

cd /opt

wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/1.41/xtables-addons-1.41.tar.xz

tar -xvf xtables-addons-1.41.tar.xz

cd /opt/xtables-addons-1.41

Disable the modules that trigger errors during the build.

vim mconfig

# comment out (prefix with #) the three lines below so these modules are skipped
build_RAWNAT=m
build_SYSRQ=m
build_length2=m

Proceed with the installation

./configure
make
make install

Continue with the update of the geoip database.

cd geoip/

./xt_geoip_dl

./xt_geoip_build GeoIPCountryWhois.csv

mkdir -p /usr/share/xt_geoip/

cp -r {BE,LE} /usr/share/xt_geoip/

Restart or reload iptables to enable the newly installed module, then create a test rule.

service iptables restart
iptables -I INPUT -m geoip --src-cc CN -j DROP

Automate the geoip database update.

mkdir -p /opt/scripts/
vim /opt/scripts/xtables-addons-update.sh

#!/bin/sh
# Download the MaxMind legacy country CSVs (IPv4 and IPv6) and rebuild the xt_geoip database.
set -e
GEOIP_MIRROR="http://geolite.maxmind.com/download/geoip/database"
TMPDIR=$(mktemp -d /tmp/geoipupdate.XXXXXXXXXX)

wget --no-verbose -t 3 -T 60 "${GEOIP_MIRROR}/GeoIPv6.csv.gz" -O "${TMPDIR}/GeoIPv6.csv.gz"
wget --no-verbose -t 3 -T 60 "${GEOIP_MIRROR}/GeoIPCountryCSV.zip" -O "${TMPDIR}/GeoIPCountryCSV.zip"
# decompress the IPv6 list to a file; unpack the IPv4 list next to it
gzip -fdc "${TMPDIR}/GeoIPv6.csv.gz" > "${TMPDIR}/GeoIPv6.csv"
unzip -o -d "${TMPDIR}" "${TMPDIR}/GeoIPCountryCSV.zip"
mkdir -p /usr/share/xt_geoip
# rebuild the BE/ and LE/ per-country files from both CSVs
perl /opt/xtables-addons-1.41/geoip/xt_geoip_build -D /usr/share/xt_geoip "${TMPDIR}"/GeoIP*.csv
# remove the temporary directory once the build has finished
[ -d "${TMPDIR}" ] && rm -rf "${TMPDIR}"

Test the script with the command below.

/bin/bash /opt/scripts/xtables-addons-update.sh

Add the script to crontab.

crontab -e

# update xtables geoip: this will update the xtables geoip database every Saturday at 09:00
00 09 * * 6 /bin/bash /opt/scripts/xtables-addons-update.sh

Some useful rules to accept or reject connections only from one or more countries. Add one of the lines below to /etc/sysconfig/iptables, or both if you have different policies for different countries.

-A INPUT -m state --state NEW -m geoip --src-cc GB,IE -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m geoip --src-cc GB,IE -j DROP
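A country code typo in one of these rules (or a code the database build did not produce a file for) makes libxt_geoip fail to open its data file and the whole rule set fails to load. Below is an added example, not code from the post or from xtables-addons: a POSIX sh helper with the hypothetical name geoip_rule that validates each code against the LE/CC.iv4 files xt_geoip_build writes under the database directory and prints the rule in the form shown above.

```shell
#!/bin/sh
# Hypothetical helper (example only, not part of the post or of xtables-addons).
# Prints one iptables rule in the style used above after checking that every
# country code is two upper-case letters and that the xt_geoip database built
# earlier contains LE/CC.iv4 for it. xt_geoip_build (1.x) writes one BE/CC.iv4
# and one LE/CC.iv4 per country, so a missing file means the code is unknown.
#
# usage: geoip_rule DBDIR accept|drop CC[,CC...] [PORT]
#   accept: needs PORT, emits "allow new TCP connections to PORT from these countries"
#   drop:   emits "drop everything from these countries"
geoip_rule() {
    dbdir=$1; action=$2; cclist=$3; port=$4
    [ -d "$dbdir/LE" ] || { echo "geoip_rule: $dbdir/LE not found, run xt_geoip_build first" >&2; return 1; }
    [ -n "$cclist" ] || { echo "geoip_rule: empty country list" >&2; return 1; }
    # reject empty list elements such as "GB," or "GB,,IE"
    case ",$cclist," in
        *,,*) echo "geoip_rule: empty element in country list '$cclist'" >&2; return 1 ;;
    esac
    for cc in $(printf '%s' "$cclist" | tr ',' ' '); do
        case $cc in
            [[:upper:]][[:upper:]]) ;;
            *) echo "geoip_rule: bad country code '$cc'" >&2; return 1 ;;
        esac
        [ -f "$dbdir/LE/$cc.iv4" ] || { echo "geoip_rule: no database file for $cc" >&2; return 1; }
    done
    case $action in
        accept)
            [ -n "$port" ] || { echo "geoip_rule: accept needs a port" >&2; return 1; }
            printf '%s\n' "-A INPUT -m state --state NEW -m geoip --src-cc $cclist -m tcp -p tcp --dport $port -j ACCEPT" ;;
        drop)
            printf '%s\n' "-A INPUT -m geoip --src-cc $cclist -j DROP" ;;
        *)
            echo "geoip_rule: action must be accept or drop" >&2; return 1 ;;
    esac
}

# Example call (assumes the database built above lives in /usr/share/xt_geoip):
# geoip_rule /usr/share/xt_geoip accept GB,IE 22 >> /etc/sysconfig/iptables
```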

Good luck!