little help just to be sure

[budgierless]

hi im using ubuntu 12.04, please output example paths etc. you used for setup and state your OS. $CFGFILE - This is where the configuration file lives

$ZONEDIR - This is where the files that define IP assignments live. It should be a dedicated directory, must exist and must be writable by the cron job. $LOG - The syslog file containing iptables log entries. Wildcard if logrotation occurs.

$LOGPFX - The prefix to be written by IPtables when logging a rejection. $LOGPGM - The program to be credited with writing the log entry

thanks

[tlhackque]

BlockCountries should work without modifications on most systems.

The defaults are what I use on Fedora and Debian. I don't use Ubuntu, though as Ubuntu is based on Debian I don't expect any unique issues.

You probably don't need to change the defaults, though you might prefer to move $ZONEDIR to someplace like /var/BlockCountries. The specified directory (and any missing parents) will be created if necessary. The default is /root/blockips because /root exists on (virtually) all distributions, while the conventions for placement of application-specific data vary wildly.

If you run something like SELINUX, you'll have to ensure that BlockCountries either runs unrestricted, or has all the permissions needed to read and write its files & to run iptables.

$CFGFILE - some distributions use a different directory (e.g. /etc/defaults rather than /etc/sysconfig). You can create /etc/sysconfig on those systems or adopt the local convention. A matter of taste.

$LOG - you may need to change this if you've configured syslog to write netfilter (iptables) entries to a non-default logfile. It should be a wildcard that includes any rotated/archived log files.

$LOGPFX - No technical reason to change.

$LOGPGM - No reason to change -- netfilter/IPTABLES are part of the kernel.

If you encounter some unique aspect of running BlockCountries on Ubuntu, please report the details and I'll consider adding them to the documentation.

[budgierless]

thanks, im not to great on backend bits just yet thats why I asked the question for syntax reasons, such as if qoutes or commers needed etc?

Also other question, i dont see much info on your page about IPset, is that config to be left as default too after i install that?

[tlhackque]

I recommend not changing the defaults unless you have a good reason.

The syntax is standard Perl - don't change the quotes from what exists and you'll be OK.

IPset is not used by BlockCountries, which is why there is no reference to it.

[budgierless]

ok, so your saying the blocked ip's from your script are iptables saved in system memory and not file system?

[tlhackque]

I didn't say anything about the filter's implementation.

All netfilter rules - and that includes the ipset module's rules - are stored in kernel memory when active. iptables is the usual user interface to netfilter that loads the rules. ipset is a mechanism for defining sets of addresses; iptables rules can target those sets.

Internally, ipset uses a hash table or bitmap structure to represent sets of addresses to match. BlockCountries uses another approach. BlockCountries could, in theory, use ipset but doesn't. There are trade-offs with either approach.

The data that maps IP addresses to country is maintained on disk in raw and processed formats. BlockCountries takes care of fetching/updating the data, converting it to efficient iptables rules, and loading the rules into the kernel.

All this is internal to BlockCountries and subject to change. It really shouldn't matter to an administrator.

[budgierless]

helpful to know cheers,

as for the install, your notes say: Copy BlockCountries to /etc/init.d. do you mean the file itself or the folder?

[tlhackque]

There is no 'folder', this is Unix.

The executable BlockCountries, which is in the tar (or zip) file that you downloaded.

I'll update the documentation to clarify this.

[budgierless]

ok,

in the BlockCountries file on line 67: my @DEFAULT_ISO = qw /cn kr kp kz ru/; this is where i add my own country yes? Im in the UK so my output should be: my @DEFAULT_ISO = GB; is that right or is it the other way round and that is the line to add blocked countries?

[tlhackque]

No. No. Please read the documentation.

As it say right above that line in the source:

# List of country codes -specify yours in the config file

Whether the countries are blocked or permitted depends on the -permitonly switch. The default is to block.

The sample configuration file may help clarify how to set yours up.

[tlhackque]

Oops, that's interesting. The sample configuration file isn't in git! Sorry about that.

I'll fix that too.

[budgierless]

ok so after i make /etc/sysconfig/BlockCountries file, where is says: This lists both ISO code and name for documentation (and as insurance against changes in the name) However, either would do. lt Lithuania md "Moldova, Republic of" DO I CHANGE IT TO: This lists both ISO code and name for documentation (and as insurance against changes in the name) However, either would do. gb "United Kingdom" ??

[tlhackque]

Your choice. As the comment says, any of these are equivalent:

• gb
• "United Kingdom"
• gb "United Kingdom"

I tend to use the third option because some of the country codes are obscure.

BlockCountries list provides the list of known country names.

[budgierless]

thanks, so i now know that is where i put my own country, so now going back to that other file in the BlockCountries file on line 67: my @DEFAULT_ISO = qw /cn kr kp kz ru/; this that where i add the counties i wish to block?

[tlhackque]

No. You probably don't want to block your own country. You probably also don't want to permit only your own country. You only want to block countries that you don't do business with, and that are causing you problems.

Unless you have an unusual setup, the only file that you need to modify is /etc/sysconfig/BlockCountries.

The example in the README blocks lt and md.

The default is only used if your config file (and command line) doesn't specify any countries.

[budgierless]

sorry if im confusing you, no i dont want to block my own country at all, I'm just trying to confirm with you where i need to add the countries i do wish to block? your wiki talks of two files with the same name called BlockCountries,

1. is the file i download from github
2. is the file i create myself and have to add the config information into.

the two things im trying to add is, 1. the counties i wish to block and 2. my own country to the safe list.

where do i add this, which one for each of the two peaces of info i am try to add? my confusion is with the difference between: (( /etc/sysconfig/BlockCountries )) # This lists both ISO code and name for documentation (and as insurance against changes in the name) However, either would do. lt Lithuania md "Moldova, Republic of

AND /init.d/BlockCountries file on line 67: my @DEFAULT_ISO = qw /cn kr kp kz ru

[tlhackque]

You're making things too complicated.

You either specify the countries to block, or the ones to permit. Not both.

If you are specifying countries to block (the default), only the countries that you specify are blocked.

If you are specifying countries to permit (with -permitonly), all countries EXCEPT those you specify are blocked.

There is a 'safe list' for IP addresses - see -aips. This is used to allow access for a host in a blocked country. Your private IP addresses (e.g. 192.168., 10., etc) are always allowed.

The next release will simplify the configuration.

[budgierless]

oh i see, well in that case i don't no worries about safe list for now then, as i just want to block counties, so my question partly still remains, what file do i add the counties i want to block: /etc/sysconfig/BlockCountries or /init.d/BlockCountries ??

[tlhackque]

See my previous reply (.-4):

the only file that you need to modify is /etc/sysconfig/BlockCountries

[budgierless]

thankyou very much, my last issue now, is that then i input BlockCountries list in the terminal, no list is displayed??

[tlhackque]

Did you run bcinstall? Are the other Perl modules installed?

You should see something like this. Anything else, you need to post what you see. I can't see what's on your screen.

# /etc/init.d/BlockCountries list
Recognized country codes:
 ad - Andorra
 ae - United Arab Emirates
 af - Afghanistan
...
 za - South Africa
 zm - Zambia
 zw - Zimbabwe

[budgierless]

yes i did and regexp was missing but i installed it afew hours ago and all perl parts are installed, thanks for list output.

[tlhackque]

In that case, what do you see when you type /etc/init.d/BlockCountries list?

If that command doesn't work, something is seriously broken or misconfigured.

[budgierless]

/BlockCountries# /etc/init.d/BlockCountries list "addrinfo" is not defined in %Socket::EXPORT_TAGS at /etc/init.d/BlockCountries line 120 main::BEGIN() called at /etc/init.d/BlockCountries line 120 eval {...} called at /etc/init.d/BlockCountries line 120 Can't continue after import errors at /etc/init.d/BlockCountries line 120 BEGIN failed--compilation aborted at /etc/init.d/BlockCountries line 120.

[tlhackque]

This has been seen before. You have an old version of Socket:: 'addrinfo' is a tag added in Socket 1.96. The current version is 2.021.

The DEPENDENCIES section of the README says: Socket 2.006

You need to update Socket from cpan.

bcinstall probably should check minimum versions of its dependencies, but doesn't.

[budgierless]

how do i do that without breaking perl, all are installed via ubuntu repo?, is their no way for me to mod it to my version 12.04??

[tlhackque]

Socket is part of base Perl. You have an old version.

The latest Socket should be in Ubuntu.

For Debian, the package name would be something like libsocket-perl, so sudo apt-get install libsocket-perl should work. Or sudo dh-make-perl -install -cpan Socket Or sudo cpan Socket

See https://wiki.koha-community.org/wiki/How_to_install_missing_Perl_modules_on_Debian or http://stackoverflow.com/questions/65865/whats-the-easiest-way-to-install-a-missing-perl-module for the full story.

I have installed the current version of Socket on Perl as old as 5.8.8. Upgrading Socket won't break your Perl.

[budgierless]

thanks alot for that info, here is new output: /BlockCountries# /etc/init.d/BlockCountries list Invalid tcp port -atport

[tlhackque]

Just what it says. The config file contains a line where you are trying to use -atport as a TCP port name.

Which probably means that you have something like -atport -atport where you meant -atport smtp -atport http.

Check the config file carefully. You can comment out lines until you find the offending one.

If you are unable to find the problem, post the entire config file.

Note that every command reads the entire config file.

[budgierless]

I used the config code that you posted on your wiki page, only difference id the blocked counties i added. Sorry i don't know much about IPtables, but i have an output that may give idea, as i don't want any conflicts. please advise what to replace -atport with if any.

`/BlockCountries# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp fail2ban-pure-ftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data fail2ban-apache tcp -- anywhere anywhere multiport dports http,https fail2ban-ssh-ddos tcp -- anywhere anywhere multiport dports ssh fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh

Chain FORWARD (policy ACCEPT) target prot opt source destination

Chain OUTPUT (policy ACCEPT) target prot opt source destination

Chain fail2ban-apache (1 references) target prot opt source destination RETURN all -- anywhere anywhere

Chain fail2ban-dovecot-pop3imap (1 references) target prot opt source destination RETURN all -- anywhere anywhere

Chain fail2ban-pure-ftpd (1 references) target prot opt source destination RETURN all -- anywhere anywhere

Chain fail2ban-pureftpd (1 references) target prot opt source destination RETURN all -- anywhere anywhere

Chain fail2ban-ssh (1 references) target prot opt source destination RETURN all -- anywhere anywhere

Chain fail2ban-ssh-ddos (1 references) target prot opt source destination RETURN all -- anywhere anywhere`

[tlhackque]

That is not helpful. All it shows is that you have not successfully started BlockCountries.

Please post the /etc/sysconfig/BlockCountries file as requested. The error from list indicates that you made a mistake editing it.

[budgierless]

# Configuration for BlockCountries service

# Countries
#
# The list of contry codes and names can be obtained from BlockCountries with:
#
#     BlockCountries list
#
# This lists both ISO code and name for documentation (and as insurance against changes in the name)
# However, either would do.
cn "China"
tr "Turkey"

# Allow inbound mail, which requires DNS
#

-atport -atport smtp -atport submission -atport smtps -atport domain
-auport domain

# Filter both IPV4 and IPV6

-ipv4 -ipv6

# Enable logging

-log

# Path to iptables command

-path /usr/local/sbin

[budgierless]

dose that help?? /BlockCountries# which iptables /sbin/iptables

[tlhackque]

And exactly the error that I told you to look for is present:

# Allow inbound mail, which requires DNS
#
-atport -atport smtp -atport submission -atport smtps -atport domain

See the -atport -atport? Remove the first one. The line probably should read

-atport smtp -atport submission -atport smtps -atport domain

And make sure that you understand what you're doing.

Also, note that -path is wrong for your system.

which path indicates that it should be -path /sbin

[budgierless]

thanks, changes made, now new issue after output:

/BlockCountries# /etc/init.d/BlockCountries list Can't open index: No such file or directory

[tlhackque]

That's a misleading message, which I'll fix.

Run BlockCountries start -update

List doesn't know what country codes are available until it has contacted the RIR servers.

Once you have done one update, it knows what countries each registry supports and can process the list command.

[budgierless]

/BlockCountries# BlockCountries start -update BlockCountries: command not found

[tlhackque]

Really, please think before you write. I do have another job.

/etc/init.d/BlockCountries start -update

[budgierless]

THANKS, all working now, even the list, thanks for taking the time to help get this up and running.

you can remove this tread or set as solved.

[tlhackque]

Much of the user confusion related here is addressed in V2.9