geoip for IP-Tables in CoreOS
319 views
Skip to first unread message
Andreas Pieber
Jun 19, 2016, 2:35:04 AM6/19/16
to CoreOS User
Hey,
Since our userbase is currently quite limitied to specific countries it would like to generally increase security by only allowing traffic from those countries. As far as I know http://www.wipmania.com/en/blog/geoip-for-iptables/ should be the "weapon of my choice", but the geoip module is not enabled by default.
iptablestest core # iptables -A INPUT -m state --state NEW -m geoip ! --source-country AT,DE -j DROP
iptables v1.4.21: Couldn't load match `geoip':No such file or directory
iptables v1.4.21: Couldn't load match `geoip':No such file or directory
Does anyone has any experience with setting up geoip on coreos? Any help would be appreciated!
Thank you very much and kind regards,
Andreas
Michael Marineau
Jun 19, 2016, 10:50:39 PM6/19/16
to Andreas Pieber, CoreOS User
Building out-of-tree modules on CoreOS is a bit awkward and I don't
generally recommend it. But For this use case it should be fairly
straightforward to generate a list of the ip prefixes you want from
your geoip db and load them into the kernel as an ipset.
> --
> You received this message because you are subscribed to the Google Groups
> "CoreOS User" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to coreos-user...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
generally recommend it. But For this use case it should be fairly
straightforward to generate a list of the ip prefixes you want from
your geoip db and load them into the kernel as an ipset.
> You received this message because you are subscribed to the Google Groups
> "CoreOS User" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to coreos-user...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages