Centos6下iptables配置Xtables-Addons和GeoIP屏蔽某个国家ip

今天服务器上流量猛增，ip都来自于中国，而且是非正常访问的ip，导致php-fpm耗CPU 100%，网站打开非常慢，本来已经使用iptables限制连接数，但由于同一ip的连接数达不到，所以没办法进行限制，只能采用屏蔽某个地区ip的方法了， Xtables-Addons就是这样的模块，只需要编译此模块，而不必编译系统内核，就可以和iptables一起工作，达到过滤某个地区的ip。

第一步，检查系统iptables版本，Xtables-Addons要与iptables版本一致，例如iptables是1.4.7，就需要对应在的Xtables-Addons 1.47

# uname -r
2.6.32-358.18.1.el6.x86_64
# iptables -V
iptables v1.4.7

那么就要下载Xtables-Addons 1.47了。

另外需要关闭selinux，编辑/etc/selinux/config，修改为disabled，并使其生效：echo 0 > /selinux/enforce。

第二步，安装perl-Text-CSV_XS依赖包

# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# yum -y install perl-Text-CSV_XS

第三步，下载和编译xtables-addons模块

# wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/1.47/xtables-addons-1.47.tar.xz/download
# tar xf xtables-addons-1.47.tar.xz
# cd xtables-addons-1.47
# ./configure
# make
# make install

假如在./configure时遇到错误， configure: error: Package requirements (xtables >= 1.4.5) were not met: No package 'xtables' found：

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether gcc and cc understand -c and -o together... yes
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1966080
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking linux/netfilter/x_tables.h usability... yes
checking linux/netfilter/x_tables.h presence... yes
checking for linux/netfilter/x_tables.h... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libxtables... no
configure: error: Package requirements (xtables >= 1.4.5) were not met:
 
No package 'xtables' found
 
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
 
Alternatively, you may set the environment variables libxtables_CFLAGS
and libxtables_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

请安装iptables开发包iptables-devel：

# yum -y install iptables-devel

第四步，下载和安装GeoIP模块，你可以到 http://geolite.maxmind.com/download/geoip/database/下载CSV版本，也可以使用xtables-addons目录下geoip目录下的脚本xt_geoip_dl来下载：

# cd geoip/
# ./xt_geoip_dl

将会下载GeoIPv6.csv.gz和GeoIPCountryCSV.zip，并解压缩，得到ip库文件GeoIPv6.csv和GeoIPCountryWhois.csv，接下来就是使用xt_geoip_build编译数据库：

# mkdir -p /usr/share/xt_geoip/                    #创建数据库文件默认存放位置
# ./xt_geoip_build -D /usr/share/xt_geoip *.csv    #编译数据库文件 

完成后，将会生成两个目录BE和LE，目录下保存的文件分别有.iv6和.iv4。

第五步，添加过滤规则，屏蔽中国地区ip：

# iptables -I INPUT -m geoip --src-cc CN -j DROP   ＃注意，这将屏蔽所有端口访问
# iptables -I INPUT -p tcp -m tcp --dport 80 -m geoip --src-cc CN -j DROP    #只屏蔽80端口访问

此时，中国地区已经无法访问网站了，可以保存了：service iptables save