It gets even funnier if you use an IPv6 broker like HE. My IPv4 address is in the Netherlands, my IPv6 address is in the US.

The hard part is getting a reliable list of the netblocks, and keeping them up to date. Geo-location of IP is not something which is easy to do with certainty, and something which was never intended to be easy to do in terms of the design of IP. It is not at all unusual for you to find things like a netblock which is registered to an organisation with a German contact address (which is where the administrators happen to sit), but actually used by a different part of the same organisation in the UK (and connected to transit ISPs in the UK), for example. Additionally, many geo-location services seem to get the location of my personal netblock quite wrong (to a completely unrelated place in a different country), despite it having accurate whois information. On top of that, the mapping between IP addresses and physical location is in a constant state of flux, either due to dynamic addressing or just the routine churn of customers within an ISP.
ipfw add 80 divert 8669 tcp from any to me dst-port 80,443 in recv xn0 setup
IPv4 Geo-Location database tools and ipfw divert filter daemon for FreeBSD
This project provides all the tools for IPv4 Geo-blocking at the firewall level with ipfw on FreeBSD.
1. Download the ipdb project directory from GitHub, and cd into the directory
$ cd ~/install/ipdb
2. run make
3. as user root, install the tools and the ipfw divert filter daemon:
$ sudo make install clean
or # make install clean
the following tools and files will be created and/or installed into /usr/local/bin or /usr/local/etc/rc.d:
- ipdb-update.sh # a shell script for updating the GeoIP database by
# downloading the latest delegation statistics files of the 5 RIRs.
- ipdb # a tool for consolidating the IPv4 ranges from the statistics files into
# a sorted binary file suitable for reading directly into a
# completely balanced binary search tree by the lookup tool and
# the ipfw divert filter daemon.
- geoip # a tool for manually looking up an IPv4 address on the command line.
- geod # the ipfw divert filter daemon.
- geod.rc # the rc script of geod, will be copied to /usr/local/etc/rc.d/geod
4. First download the delegation statistics files of the 5 Regional Internet Registries (RIRs), i.e.:
AFRINIC, APNIC, ARIN, LACNIC, RIPENCC. In theory all the RIRs should mirror each other's files;
in practice only the mirrors of the Asia Pacific, the Latin American and the European RIRs are useful.
Choose one of the three useful mirror sites, depending on where you are located:
- ftp.apnic.net # Asia Pacific
- ftp.lacnic.net # Latin America
- ftp.ripencc.net # Europe and Eurasia
Start the ipdb-update.sh shell script as user root, passing one of the above mirror ftp domains
as the command line parameter, or none at all. RIPENCC is the default mirror, so that domain may be omitted.
# ipdb-update.sh ftp.apnic.net
This will download the statistics files together with the MD5 verification hashes into
/usr/local/etc/ipdb/IPRanges/. That directory will be created if it does not exist. If the
downloads went smoothly, the script then runs the ipdb tool in the same pass to generate
the binary file with the consolidated IPv4 ranges.
Later, you may want to put the above command into a weekly cron job.
5. Check whether the database is ready by looking up some IPv4 addresses using the geoip tool.
$ geoip 22.214.171.124
126.96.36.199 in 188.8.131.52-184.108.40.206 in ES
$ geoip 220.127.116.11
18.104.22.168 in 22.214.171.124-126.96.36.199 in DE
$ geoip 188.8.131.52
184.108.40.206 in 220.127.116.11-18.104.22.168 in US
$ geoip 192.168.1.1
192.168.1.1 not found
6. If not already done, activate ipfw.
7. In addition to the ipfw modules, the ipdivert kernel module needs to be loaded.
WARNING: Do this only after ipfw is set up and running, otherwise you may
inadvertently lock yourself out with the following commands.
# echo 'ipdivert_load="YES"' >> /boot/loader.conf
# kldload ipdivert.ko
8. Add the lines for starting the geo-blocking ipfw divert filter daemon to /etc/rc.conf:
# echo 'geod_load="YES"' >> /etc/rc.conf
Configuration examples (use either the -a or the -d flag, in a single geod_flags line in /etc/rc.conf):
- Allow all diverted packets from Germany, Brazil and the US, and deny everything else:
# echo 'geod_flags="-a DE:BR:US"' >> /etc/rc.conf
- Deny all diverted packets from North Korea, Turkey and Great Britain, and allow everything else:
# echo 'geod_flags="-d KP:TR:GB"' >> /etc/rc.conf
- You may add any number of capital letter ISO country codes separated by colons.
# service geod start
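As an added illustration of what steps 4, 5 and 8 describe (not code from the ipdb project), the following Python reads records in the RIR delegated-statistics format, consolidates the IPv4 ranges into a sorted list, answers lookups the way geoip does, and applies the -a/-d decision geod makes. The sample records are constructed, and the handling of addresses not found in the database under -a and -d is an assumption.

```python
import bisect
import ipaddress
# Constructed sample in the RIR delegated-statistics format
# (registry|cc|type|start|value|date|status); not real allocations.
SAMPLE_STATS = """\
2|ripencc|20240101|3|19830705|20231231|+0100
ripencc|*|ipv4|*|3|summary
ripencc|DE|ipv4|192.0.2.0|256|20100101|allocated
ripencc|DE|ipv4|192.0.3.0|256|20100102|assigned
apnic|KP|ipv4|198.51.100.0|128|20110101|allocated
lacnic|BR|ipv4|203.0.113.0|256|20120101|allocated
"""

def parse_delegated(text):
    """(start, end, cc) per ipv4 record; header, summary and non-IPv4 lines skipped."""
    ranges = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 7 or f[2] != "ipv4" or f[1] == "*":
            continue
        start = int(ipaddress.IPv4Address(f[3]))  # value field = address count
        ranges.append((start, start + int(f[4]) - 1, f[1]))
    return ranges

def build_db(text):
    """Sort by start, merge adjacent same-country ranges (ipdb's consolidation); returns (starts, ranges)."""
    merged = []
    for start, end, cc in sorted(parse_delegated(text)):
        if merged and merged[-1][2] == cc and merged[-1][1] + 1 == start:
            merged[-1] = (merged[-1][0], end, cc)  # extend the previous range
        else:
            merged.append((start, end, cc))
    return [r[0] for r in merged], merged

def lookup(db, addr):
    """Binary search like geoip: returns the country code, or None for 'not found'."""
    starts, ranges = db
    ip = int(ipaddress.IPv4Address(addr))
    i = bisect.bisect_right(starts, ip) - 1  # last range starting at or before ip
    if i >= 0 and ip <= ranges[i][1]:
        return ranges[i][2]
    return None

def decide(db, addr, allow=None, deny=None):
    """-a: pass only listed countries (unknown dropped, assumption); -d: drop listed, pass the rest."""
    cc = lookup(db, addr)
    if allow is not None:
        return cc in allow
    return cc not in (deny or ())
```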
9. Add the geod divert rule to your ipfw rule set:
TCP only filter
ipfw add 70 divert 8669 tcp from any to any 80,443 in recv WAN_if setup
TCP and UDP filter
ipfw add 70 divert 8669 ip4 from any to any 53,80,443,500,587,4500 in recv WAN_if