Xtables-Addons On Centos 6 & Iptables GeoIP Filtering

This tutorial explains how to install additional netfilter kernel modules for use in iptables rule sets. Xtables-addons is the successor to patch-o-matic(-ng): like its predecessor, it contains extensions that have not been, or are not yet, accepted into the mainline kernel and iptables packages.
Xtables-addons differs from patch-o-matic in that you do not have to patch or recompile the kernel.

A list of all available modules and their usage can be found on the Xtables-addons modules page (linked at the end of this article).


1 Preliminary Note

Before we start, make sure that SELinux is disabled. Run


or edit /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.

to disable SELinux permanently (the setting takes effect on the next boot), and run …

echo 0 > /selinux/enforce

… for the change to take effect immediately on the running system.


2 Supported Configurations

* iptables >= 1.4.3

* kernel-source >= 2.6.29

For ipset-6 you need:

* libmnl

* Linux kernel >= 2.6.35


3 Installing Packages

Note: you'll need the same version of the kernel-devel package as your running kernel!

uname -r
yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel

In this case that is kernel-devel-2.6.32-71.el6.i686.

Install the RPMforge repository for the perl-Text-CSV_XS package (the geoip build script needs it):

rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
yum install perl-Text-CSV_XS


4 Compile xtables-addons

Get the xtables-addons source and unpack it:

wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.37/xtables-addons-1.37.tar.xz
tar xvf xtables-addons-1.37.tar.xz

Change into the source directory:

cd xtables-addons-1.37/

Note: You can edit the "mconfig" file to select which modules to build and install. By default, all modules are enabled.

Compile and install the modules:

make && make install


5 Setting Up geoip Module

Create the geoip database for the iptables geoip match:

cd geoip/

Using the scripts from the geoip folder, download the MaxMind GeoIPCountry CSV and build the binary database from it:

./xt_geoip_dl
./xt_geoip_build GeoIPCountryWhois.csv

Move the files to their default location:

mkdir -p /usr/share/xt_geoip/
cp -r {BE,LE} /usr/share/xt_geoip/

Test it like this:

iptables -I INPUT -m geoip --src-cc CN -j DROP

This will drop all incoming packets whose source address the database assigns to China (CN); the rule is inserted at the top of the INPUT chain, so it is evaluated before any other INPUT rule.
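As an added example (not part of the original tutorial), the following shell functions turn a list of country codes into a reviewable ruleset: they validate the codes, check that the database built above is present, accept established traffic first so replies to the host's own outbound connections are not cut off, and send matches through a dedicated chain that logs (rate-limited) before dropping. It assumes the database path /usr/share/xt_geoip used above and the chain name GEOIP, which is a hypothetical name chosen here.

```shell
#!/bin/sh
# Added example: build a reviewable geoip block list for iptables.
# Assumes the xt_geoip database was installed to /usr/share/xt_geoip (as above).
GEOIP_DB="${GEOIP_DB:-/usr/share/xt_geoip}"

# Accept only a well-formed two-letter upper-case ISO 3166 code.
valid_cc() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
        *)          return 1 ;;
    esac
}

# The geoip match needs the BE/ and LE/ trees produced by xt_geoip_build.
db_present() {
    [ -d "$GEOIP_DB/BE" ] && [ -d "$GEOIP_DB/LE" ]
}

# Print the iptables commands for the given country codes, one per line.
# Returns 1 and prints nothing if any code is malformed, so a typo such as
# "cn" cannot silently become a rule that matches nothing.
geoip_rules() {
    for cc in "$@"; do
        valid_cc "$cc" || { echo "bad country code: $cc" >&2; return 1; }
    done
    codes=$(printf '%s,' "$@")
    codes="${codes%,}"          # strip the trailing comma
    cat <<EOF
iptables -N GEOIP
iptables -A GEOIP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "geoip-drop: "
iptables -A GEOIP -j DROP
iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -m geoip --src-cc $codes -j GEOIP
EOF
}

# Apply only after a successful database check, e.g.:
#   db_present && geoip_rules CN RU | sh
```

Review the printed commands before piping them to sh; the LOG rule gives you a record of what the match is dropping, which is the first thing to check when legitimate traffic goes missing.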


Xtables-addons: http://xtables-addons.sourceforge.net/

Xtables-addons modules: http://xtables-addons.sourceforge.net/modules.php

Xtables-addons man page: http://dev.medozas.de/files/xtables/xtables-addons.8.html

MaxMind GeoIP: http://geolite.maxmind.com/download/geoip/database

CentOS: http://www.centos.org/
