  #1  
Old 08-26-09, 03:12 PM
wardmundy
Nerd Uno
 
Join Date: Oct 2007
Posts: 3,881
Linux Gurus: HELP!
We need a little Linux compiling expertise. We're trying to get this article implemented for country-based IP filtering with IPtables on PIAF. See this Nerd Vittles article for background. We get as far as you see in the code below, then it blows up, apparently because there is no ip_conntrack_standalone module. Any ideas?

wget ftp://ftp.isu.edu.tw/pub/Linux/CentO...-4.el5.src.rpm

cd /root/ipcountry
mkdir geoip
wget ftp://ftp.isu.edu.tw/pub/Linux/CentO...-4.el5.src.rpm
cd geoip
rpm2cpio ../iptables-1.3.5-4.el5.src.rpm | cpio -idv
tar jxvf iptables-1.3.5.tar.bz2

wget http://ftp.netfilter.org/pub/patch-o...070414.tar.bz2
tar xjf patch-o-matic-ng-20070414.tar.bz2

wget http://people.netfilter.org/peejix/p...s/geoip.tar.gz


cd patch-o-matic-ng-20070414/

KERNEL_DIR=/usr/src/kernels/2.6.18-128.el5-i686/ IPTABLES_DIR=~/ipcountry/geoip/iptables-1.3.5/ ./runme geoip

y to apply patch

cd /usr/src/kernels/2.6.18-128.el5-i686/
make oldconfig
m
make modules_prepare
make -C $(pwd) M=net/ipv4/netfilter/ modules


No rule to make target `net/ipv4/netfilter/ip_conntrack_standalone.o', needed by `net/ipv4/netfilter/ip_conntrack.o'. Stop.


Last edited by wardmundy: 08-26-09 at 03:19 PM.
  #2  
Old 08-26-09, 05:24 PM
wardmundy
Nerd Uno
 
Join Date: Oct 2007
Posts: 3,881
bumpety bump
  #3  
Old 08-27-09, 10:21 AM
vcallaway
Guru
 
Join Date: May 2008
Posts: 108
You do know that by default pbxiaf has the setting:

exclude=kernel*

in the /etc/yum.repos.d/CentOS-Base.repo file.

You need to remove that line and do "yum install kernel-devel" to get the development files.

If this does not get you down the right path I will spend some time on it later today.
  #4  
Old 08-27-09, 10:41 AM
jroper
Guru
 
Join Date: Oct 2007
Posts: 3,333
Hi

Kernel-devel is installed by default and has to be to compile zaptel/dahdi.

I'm nervous about the direction of this because of the need to recompile the kernel - and recompile if it is ever upgraded. However, this project looks interesting:

http://xtables-addons.sourceforge.net/

However, I've not had too much luck with that either. The later versions will not compile against the kernel CentOS uses, because of the conservative upgrade path of CentOS (RHEL), but version 1.12 is compatible with our kernel, though it fails on the "make".

The objective is to get to a system that will only allow hosts from a certain country using iptables, and without causing more than a percentage point or two of load on the processor.

Joe
__________________
www.star2billing.com
Commercial Open Source Telephony
  #5  
Old 08-27-09, 01:07 PM
wardmundy
Nerd Uno
 
Join Date: Oct 2007
Posts: 3,881
If I read the original article correctly, the kernel really isn't recompiled.
  #6  
Old 08-28-09, 01:54 PM
vcallaway
Guru
 
Join Date: May 2008
Posts: 108
Did a little digging around.

xtables is the way to go, but you have to upgrade both the kernel and iptables.

Best setup is kernel 2.6.30 + iptables 1.4.4 + xtables-addons 1.17.

xtables requires iptables >= 1.4.3.

Those versions are not yet released for CentOS. I loaded up a Fedora server, installed the RPMs and off we go. Don't know what else will break because of it though.

Ubuntu is currently at kernel 2.6.28, iptables 1.4.1 so even it is behind the curve. Personally I think it is too early to adopt this bit of technology.

I will also play devil's advocate on this. I think it is a bad idea. One of the advantages of SIP is the ability to place calls to and from anywhere in the world. If someone wants to block that access, then they are better off just placing a filter in their router to only allow inbound from their provider. This solution is like using a sledgehammer to swat a fly.

Feel free to change my mind.
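Before repeating the build in post #1, it helps to check the three prerequisites the replies point at: the yum "exclude=kernel*" line, a kernel-devel source tree matching the running kernel, and the iptables >= 1.4.3 requirement for xtables-addons. The script below is an added example written for this thread, not code from any of the posts; the file names, the /usr/src/kernels layout and the CentOS 5 version strings are assumptions taken from post #1.

```shell
#!/bin/sh
# Added preflight script for the geoip / xtables-addons build attempt above
# (constructed example, not from the thread). Source it, then run "preflight".

# True if a yum repo file still excludes kernel packages (the PIAF default
# that holds back kernel-devel, per post #3).
repo_excludes_kernel() {
    grep -q '^exclude=.*kernel' "$1"
}

# True if dotted version $1 is >= $2. Numeric compare on up to three fields;
# avoids GNU-only "sort -V" so it also works on an old CentOS 5 userland.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Pull the version out of "iptables -V" style output, e.g. "iptables v1.3.5".
iptables_version_from() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# True if the kernel source tree the Makefile needs exists for this kernel.
# $1 = uname -r, $2 = uname -m, $3 = base dir (default /usr/src/kernels,
# giving e.g. /usr/src/kernels/2.6.18-128.el5-i686 as used in post #1).
kernel_tree_present() {
    [ -d "${3:-/usr/src/kernels}/$1-$2" ]
}

# Run all checks against the live system; one line per finding, rc 1 on any.
preflight() {
    rc=0
    for repo in /etc/yum.repos.d/*.repo; do
        [ -f "$repo" ] && repo_excludes_kernel "$repo" &&
            { echo "WARN: $repo excludes kernel packages; kernel-devel may be held back"; rc=1; }
    done
    if ! kernel_tree_present "$(uname -r)" "$(uname -m)"; then
        echo "FAIL: no kernel source tree for $(uname -r)-$(uname -m); install kernel-devel"
        rc=1
    fi
    ver=$(iptables_version_from "$(iptables -V 2>/dev/null)")
    if [ -z "$ver" ] || ! version_ge "$ver" 1.4.3; then
        echo "FAIL: iptables '${ver:-missing}' is below 1.4.3; xtables-addons will not build"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: prerequisites look satisfied"
    return $rc
}
```

A WARN on the repo file only matters if kernel-devel is actually missing or older than the running kernel; the tree check is what the kernel Makefile in post #1 really depends on.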
  #7  
Old 08-28-09, 03:06 PM
Linetux
Guru
 
Join Date: Oct 2008
Location: Orlando, FL
Posts: 157
I'm not so sure the concept is a bad idea. I don't think recompiling stuff in the kernel is a good idea... but sometimes it can be made 'invisible'.

Anyway, the concept is solid because sometimes you don't want to put this stuff on your firewall. Other times you can't - there are a lot of consumer routers that don't even have this option.

Other devices would require a ton of manual labor just to get this functionality, and if something changes, may the force be with you.

So I don't think it's inappropriate to put this kind of security in PiaF. But it might take some effort to get it right.
  #8  
Old 08-28-09, 03:12 PM
wardmundy
Nerd Uno
 
Join Date: Oct 2007
Posts: 3,881
Well, here's my $.02. We provided a simple way to protect your extensions and trunks with this new setup. And there's a method to also screen incoming calls. That's about as far as we plan to go for now. Introducing a bunch of bleeding edge products just to make this work with IPtables would undoubtedly cause more problems than it solves. When we're done, we've protected your (already protected) web server and SSH (which your root password and Fail2Ban should already be protecting).
  #9  
Old 08-29-09, 05:35 AM
jroper
Guru
 
Join Date: Oct 2007
Posts: 3,333
I'd say that things were pretty secure as they were, but Racist routing does have some attractions previously outlined.

In respect of the dependencies, I've found that xtables-addons version 1.12 does not need an upgraded kernel, but I still have not got it working as I would like.

Joe
__________________
www.star2billing.com
Commercial Open Source Telephony
  #10  
Old 08-29-09, 06:58 AM
wardmundy
Nerd Uno
 
Join Date: Oct 2007
Posts: 3,881
There are a number of folks wrestling with this independently. The more, the merrier. We'll see what we see.