Jose: Update github clone link

2020-08-03T10:31:33Z

Update github clone link

← Older revision		Revision as of 10:31, 3 August 2020
Line 4:		Line 4:
	== How to get the script ==		== How to get the script ==

	Clone [https://github.com/~~JMGuisadoG~~/nftables-geoip nftables-geoip repo]		Clone [https://github.com/pvxe/nftables-geoip nftables-geoip repo]

	== How to use the script ==		== How to use the script ==

Jose: Fix ip6 example

2020-01-19T13:08:48Z

Fix ip6 example

← Older revision		Revision as of 13:08, 19 January 2020
Line 69:		Line 69:
	meta mark set ip saddr map @geoip4		meta mark set ip saddr map @geoip4

	meta mark set ip saddr map @geoip6		meta mark set ip6 saddr map @geoip6

	== Matching packets by its country code ==		== Matching packets by its country code ==

Jose: Create geoip matching page

2020-01-19T10:48:36Z

Create geoip matching page

New page

You can use a external script '''nft_geoip.py''', at [https://github.com/JMGuisadoG/nftables-geoip nftables-geoip], to generate mappings between countries and marks that can be later included into your ruleset.

== How to get the script ==

Clone [https://github.com/JMGuisadoG/nftables-geoip nftables-geoip repo]

== How to use the script ==

''You can use'' <code lang="bash"> ./nft_geoip --help </code> ''to show the script help''

The script need two .csv files.

* A country data csv (location.csv), its path can be specified with <code lang="bash"> --file-location </code> option
* A geoip data csv (dbip.csv), its path can be specified with <code lang="bash"> --file-address </code> option

=== location.csv ===

The script ships with this file. A modified .csv that contains country data needed to generate the maps.

=== dbip.csv ===

This .csv '''is not shipped''' and needed to be retrieved before using the script. There exist the option <code lang="bash"> --download </code> to do so.

== Generating the geoip maps ==

To generate the mappings in the current directory (assuming you don't have the dbip.csv file)

./nft_geoip.py --file-location location.csv --download

You can specify a different (existing) output directory with <code lang="bash"> --output-dir </code>

== Output files ==

rwxr-xr-x 2 foobar foobar 4,0K ene 4 19:38 .
drwxr-xr-x 5 foobar foobar 4,0K ene 4 19:38 ..
-rw-r--r-- 1 foobar foobar 22M ene 4 19:38 dbip.csv
-rw-r--r-- 1 foobar foobar 956 ene 4 19:38 geoip-def-africa.nft
-rw-r--r-- 1 foobar foobar 8,3K ene 4 19:38 geoip-def-all.nft
-rw-r--r-- 1 foobar foobar 902 ene 4 19:38 geoip-def-americas.nft
-rw-r--r-- 1 foobar foobar 15 ene 4 19:38 geoip-def-antarctica.nft
-rw-r--r-- 1 foobar foobar 808 ene 4 19:38 geoip-def-asia.nft
-rw-r--r-- 1 foobar foobar 810 ene 4 19:38 geoip-def-europe.nft
-rw-r--r-- 1 foobar foobar 461 ene 4 19:38 geoip-def-oceania.nft
-rw-r--r-- 1 foobar foobar 8,8M ene 4 19:38 geoip-ipv4.nft
-rw-r--r-- 1 foobar foobar 16M ene 4 19:38 geoip-ipv6.nft

When everything is finished you will find the following files in your output directory

* '''geoip-def-all.nft'''

Containing all definitions. (eg. <code lang="bash"> define $CA = 124 </code>) the variable name is its
It also contains a map between country marks and its corresponding continent mark.

* '''geoip-def-{continent}.nft'''

Subset of definitions for countries of a given continent. To be used as marks.

* '''geoip-ipv4.nft'''

Containing the map between ipv4 ranges and its geoip data. <code lang="bash">@geoip4</code>

* '''geoip-ipv6.nft'''

Containing the map between ipv6 ranges and its geoip data. <code lang="bash">@geoip6</code>

== Marking packets with its country code ==

meta mark set ip saddr map @geoip4

meta mark set ip saddr map @geoip6

== Matching packets by its country code ==

'''You can only use the country definitions inside your ruleset file and not inside an interactive nft shell'''

For example, to match packets marked with the Canada mark.

meta mark $CA

See the relevant section in [https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_packets_by_packet_mark Matching packet metainformation]

== Examples ==

=== Marking input ipv4 packets and counting Spanish traffic ===

table filter {
include "./geoip-def-all.nft"
include "./geoip-ipv4.nft"

chain input {
type filter hook input priority filter; policy accept;
meta mark set ip saddr map @geoip4
meta mark $ES counter
}
}

GeoIP matching - Revision history

Jose: Update github clone link

Jose: Fix ip6 example

Jose: Create geoip matching page