CentOS - Jan 2019 - CentOS 6.X, iptables 1.47 and GeoLite2 Country Database

Hi

Specs in subject line: CentOS 6.X all latest patches), iptables 1.47, Apache2.2

I use the Geolite legacy databases together with iptables 1.47 to filter traffic
for a variety of ports and only allow .AU traffic to have access.

Maxmind (https://dev.maxmind.com/geoip/geoip2/geolite2/) changed the default DB
to the latest version which is GeoLite2, this leaves all users in need of the
old Geolite Legacy database in the dark, they cannot update.

If I download a later version of xtables it will complain that it requires
iptable>1.6 which I do not think I can get going on CentOS 6.X.


Is there a way that I can convert Geolite2 CSV files to Geolite Legacy CSV Files
and then compile those into BE/LE?

Are there any other ways I can use Geolite2 on a CentOS 6.X system?

Does anyone have other ideas how to tackle this?

(this made me really sleep well!)


thanks
Jobst


-- 
"XP: If you are nine years old you are just going to love it.  If
you're a few years older you'll resent the choking paternalistic
atmosphere of vapid gee-whiz kiddie entertainment (babysitting), euphemism and
fake-friendly bullying."

  | |0| |   Jobst Schmalenbach,
  | | |0|   Barrett & Sales Essentials
  |0|0|0|   Caulfield South, 3162, Australia

On 14/01/2019 07:09, Jobst Schmalenbach wrote:
> Hi
> 
> Specs in subject line: CentOS 6.X all latest patches), iptables 1.47,
Apache2.2
> 
> I use the Geolite legacy databases together with iptables 1.47 to filter
traffic for a variety of ports and only allow .AU traffic to have access.
> 
I use ipdeny's aggregated country lists to do the same thing:

http://www.ipdeny.com/ipblocks/data/aggregated/

I just feed this data directly into ipset/iptables via a script running 
on my firewall (not a C6 box). ipset is a really efficient way of doing 
this.
> Maxmind (https://dev.maxmind.com/geoip/geoip2/geolite2/) changed the
default DB to the latest version which is GeoLite2, this leaves all users in
need of the old Geolite Legacy database in the dark, they cannot update.
> 
> If I download a later version of xtables it will complain that it requires
iptable>1.6 which I do not think I can get going on CentOS 6.X.
> 
> 
> Is there a way that I can convert Geolite2 CSV files to Geolite Legacy CSV
Files and then compile those into BE/LE?
> 
> Are there any other ways I can use Geolite2 on a CentOS 6.X system?
> 
> Does anyone have other ideas how to tackle this?
> 
> (this made me really sleep well!)
> 
> 
> thanks
> Jobst
> 
>

On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry at elrepo.org)
wrote:
> On 14/01/2019 07:09, Jobst Schmalenbach wrote:
> > Hi
> I use ipdeny's aggregated country lists to do the same thing:
> 
> http://www.ipdeny.com/ipblocks/data/aggregated/
> 
> I just feed this data directly into ipset/iptables via a script running on
> my firewall (not a C6 box). ipset is a really efficient way of doing this.

Do you create a separate table, then feed every IP address (via ipset) into this
chain?
Would you mind sharing this script?

thx
Jobst



-- 
Computers are like air conditioners, they stop working properly if you open
Windows!

  | |0| |   Jobst Schmalenbach, General Manager
  | | |0|   Barrett & Sales Essentials
  |0|0|0|   +61 3 9533 0000, POBox 277, Caulfield South, 3162, Australia

--On Monday, January 14, 2019 7:29 AM +0000 Phil Perry <pperry at
elrepo.org>
wrote:
> I use ipdeny's aggregated country lists to do the same thing:
>
> http://www.ipdeny.com/ipblocks/data/aggregated/
>
> I just feed this data directly into ipset/iptables via a script running
> on my firewall (not a C6 box). ipset is a really efficient way of doing
> this.
CentOS 7 uses firewalld which has direct support for ipsets in XML form. 
Hopefully the site will soon supply the data in that format. (But it's not 
hard to generate the files from their format.)

Note that a zip file of all the individual country files can be downloaded 
here:

http://www.ipdeny.com/ipblocks/