GeoIP matching

From nftables wiki
Revision as of 11:48, 19 January 2020 by Jose (talk | contribs) (Create geoip matching page)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

You can use a external script nft_geoip.py, at nftables-geoip, to generate mappings between countries and marks that can be later included into your ruleset.

How to get the script

Clone nftables-geoip repo

How to use the script

You can use ./nft_geoip --help to show the script help

The script need two .csv files.

  • A country data csv (location.csv), its path can be specified with --file-location option
  • A geoip data csv (dbip.csv), its path can be specified with --file-address option

location.csv

The script ships with this file. A modified .csv that contains country data needed to generate the maps.

dbip.csv

This .csv is not shipped and needed to be retrieved before using the script. There exist the option --download to do so.

Generating the geoip maps

To generate the mappings in the current directory (assuming you don't have the dbip.csv file)

 ./nft_geoip.py --file-location location.csv --download

You can specify a different (existing) output directory with --output-dir

Output files

 rwxr-xr-x 2 foobar foobar 4,0K ene  4 19:38 .
 drwxr-xr-x 5 foobar foobar 4,0K ene  4 19:38 ..
 -rw-r--r-- 1 foobar foobar  22M ene  4 19:38 dbip.csv
 -rw-r--r-- 1 foobar foobar  956 ene  4 19:38 geoip-def-africa.nft
 -rw-r--r-- 1 foobar foobar 8,3K ene  4 19:38 geoip-def-all.nft
 -rw-r--r-- 1 foobar foobar  902 ene  4 19:38 geoip-def-americas.nft
 -rw-r--r-- 1 foobar foobar   15 ene  4 19:38 geoip-def-antarctica.nft
 -rw-r--r-- 1 foobar foobar  808 ene  4 19:38 geoip-def-asia.nft
 -rw-r--r-- 1 foobar foobar  810 ene  4 19:38 geoip-def-europe.nft
 -rw-r--r-- 1 foobar foobar  461 ene  4 19:38 geoip-def-oceania.nft
 -rw-r--r-- 1 foobar foobar 8,8M ene  4 19:38 geoip-ipv4.nft
 -rw-r--r-- 1 foobar foobar  16M ene  4 19:38 geoip-ipv6.nft

When everything is finished you will find the following files in your output directory

  • geoip-def-all.nft

Containing all definitions. (eg. define $CA = 124 ) the variable name is its It also contains a map between country marks and its corresponding continent mark.

  • geoip-def-{continent}.nft

Subset of definitions for countries of a given continent. To be used as marks.

  • geoip-ipv4.nft

Containing the map between ipv4 ranges and its geoip data. @geoip4

  • geoip-ipv6.nft

Containing the map between ipv6 ranges and its geoip data. @geoip6

Marking packets with its country code

 meta mark set ip saddr map @geoip4
 meta mark set ip saddr map @geoip6

Matching packets by its country code

You can only use the country definitions inside your ruleset file and not inside an interactive nft shell

For example, to match packets marked with the Canada mark.

 meta mark $CA

See the relevant section in Matching packet metainformation

Examples

Marking input ipv4 packets and counting Spanish traffic

 table filter {
   include "./geoip-def-all.nft"
   include "./geoip-ipv4.nft"
 
   chain input {
                 type filter hook input priority filter; policy accept;
                 meta mark set ip saddr map @geoip4
                 meta mark $ES counter
               }
 }