I am trying to add this rule:

```
iptables -A INPUT -m geoip ! --src-cc CZ,SK -j DROP
```

I set up GeoIP support according to this answer: Ubuntu IPTables allow only allow 1 country | Super User

But it doesn't work, because I get the message: `iptables: No chain/target/match by that name.`

I use Debian 9.

Update:

Result of running `uname -a`:

```
Linux Andromeda 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64 GNU/Linux
```

How can I fix it?

tomsk

1 Answer

The linked Q/A is incomplete. In addition to userland tools, you need the kernel-side equivalent: you'll have to install the package `xtables-addons-dkms`. Note that `xtables-addons-common` recommends `xtables-addons-dkms`, so installing the former should have either installed the latter, or mentioned the recommendation. Not doing it severely limits the usefulness of `xtables-addons-common`.

Beware, it will pull in a whole compilation suite needed by dkms. Make sure you get the `linux-headers-4.9.0-4-amd64` package because it's not the latest available and might not be pulled in automatically.

If that's understandably not acceptable for production systems, it will have to be installed on a development system and this will have to be run manually. The exact command might depend on the target kernel's version:

```
dkms mkbmdeb xtables-addons/2.12 -k 4.9.0-4-amd64
```

The newly built package, found with:

```
find /var/lib/dkms/ -name 'xtables-addons*deb'
```

can then be installed on the production server (along with the `xtables-addons-common` package).

To state it again: `dkms mkbmdeb ...` is needed only for a "two stages" installation. If `xtables-addons-dkms` is installed directly on the server using the iptables rules, it doesn't have to be done: the installation took care of it already.

A.B
  • Why should I build it? I already installed package "xtables-addons-common" via "apt install xtables-addons-common", do you mean this package https://debian.pkgs.org/9/debian-main-i386/xtables-addons-source_2.12-0.1_all.deb.html ? – tomsk Apr 15 '18 at 17:04
  • Can you edit the question and add your kernel version and architecture (eg: `uname -a`) I'll update my answer in case it's not amd64 – A.B Apr 15 '18 at 17:48
  • Updated, so it is required to run "dkms mkbmdeb xtables-addons/2.12 -k 4.9.0-6-amd64"? Because I didn't find this in any geoip tutorials. – tomsk Apr 15 '18 at 17:53
  • That's why I added the debian tag: it's a Debian problem more than any geoip tutorial. mkbmdeb is needed only if you don't install *directly* xtables-addons-dkms to the target server. It's not needed (and might even clash) if you install it (with gcc etc.) on the server having the iptables rules – A.B Apr 15 '18 at 17:58
  • I understand now that I have to do a "two stage" installation because of Debian. And how can "xtables-addons-dkms" be installed directly on the server using the iptables rules? Sorry for the dumb question. – tomsk Apr 15 '18 at 18:06
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/76068/discussion-between-a-b-and-tomsk). – A.B Apr 15 '18 at 18:11
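
A check for the condition the answer describes, as an added example that is not part of the original posts: it reports whether the `xt_geoip` kernel module exists for the running kernel and, if not, whether the matching headers are there for dkms to build it. The function names are hypothetical, and the default paths (`/lib/modules`, `/usr/src/linux-headers-<version>`) are assumed to be the usual Debian locations.

```shell
#!/bin/sh
# Added example: why "-m geoip" can fail with
# "No chain/target/match by that name" on a given kernel.
# Default paths are the usual Debian locations (assumption); they are
# parameters so the logic can be run against a constructed tree.

# has_geoip_module KVER [MODROOT]: is xt_geoip built for this kernel?
has_geoip_module() {
    [ -n "$(find "${2:-/lib/modules}/$1" -name 'xt_geoip.ko*' 2>/dev/null | head -n 1)" ]
}

# has_headers KVER [SRCROOT]: are the matching kernel headers installed?
has_headers() {
    [ -d "${2:-/usr/src}/linux-headers-$1" ]
}

# diagnose KVER [MODROOT] [SRCROOT]: print one status word.
diagnose() {
    if has_geoip_module "$1" "$2"; then
        echo ok
    elif has_headers "$1" "$3"; then
        echo module-not-built
    else
        echo headers-missing
    fi
}

# explain STATUS KVER: map the status to the next step from the answer.
explain() {
    case $1 in
        ok)
            echo "xt_geoip is available for $2; the geoip match can load." ;;
        module-not-built)
            echo "Headers for $2 are present but xt_geoip is not built:" \
                 "install xtables-addons-dkms, or a package built elsewhere for $2." ;;
        headers-missing)
            echo "No xt_geoip and no linux-headers-$2:" \
                 "install the headers so dkms can build the module." ;;
    esac
}

# Report on the running kernel.
running=$(uname -r)
explain "$(diagnose "$running")" "$running"
```

A module built for one kernel version does not satisfy another, so the check is worth repeating after a kernel upgrade.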