Skip to content

Installation Guide

wirefalls edited this page Feb 14, 2021 · 15 revisions
Geolocation for nftables

Installation Guide - Geolocation for nftables

Installation

Depending on your file system permissions, you will likely have to execute some of the commands below with sudo or similar to avoid permission errors. You can use sudo -s in a terminal to keep from having to type sudo before every command, then type 'exit' to return to your normal user command prompt when you're finished with the installation. Always exercise caution when running with elevated privileges.

See the Notes section near the end of the User Guide for details on the variable and file naming convention used for geolocation sets.

 

Create a directory on your system for the Geolocation for nftables project files. The default location is /etc/nftables/geo-nft

  mkdir -p /etc/nftables/geo-nft

There are two ways to copy the Geolocation for nftables files to your local machine. The first is to clone the project with Git. Change directory to the /etc/nftables directory and clone the project.

  cd /etc/nftables
  git clone https://github.com/wirefalls/geo-nft.git

Git will clone the files into the geo-nft subdirectory /etc/nftables/geo-nft.

The second way to copy the files is to download the ZIP file from the main project page and uncompress the archive to: /etc/nftables/geo-nft

When you've finished copying the files it's time to set ownership. This command sets ownership of all geolocation files and sub-directories to root.

  chown -R root:root /etc/nftables/geo-nft

Next verify that the geo-nft.sh script is executable.

  ls -la /etc/nftables/geo-nft

If not then set the script to be executable.

  chmod +x /etc/nftables/geo-nft/geo-nft.sh

Manually running the script

   It's important to change directory to the geolocation base directory before running the script for the first time. This allows the present working directory to be used as the base_dir when the script creates the /etc/geo-nft.conf configuration file.

cd /etc/nftables/geo-nft

Run the geo-nft.sh script to create and populate the countrysets directory as well as creating the configuration file:

  ./geo-nft.sh

The geo-nft.sh script takes about 10 seconds to run on a system with SSD storage, and will create country specific sets in /etc/nftables/geo-nft/countrysets. On a Raspberry Pi 4, the script run time is about 80 seconds, so be patient. The script runs with a verbose output explaining each step, and can be silenced by supplying the -s command line argument.

Automatic Geolocation Database Updates

   The free db-ip.com geolocation database is usually updated on the 1st of each month, according to the FAQ. The included systemd geo-update.service and geo-update.timer files located in /etc/nftables/geo-nft/systemd directory can be used to automatically run the geo-nft.sh script at midnight on the second day of each month if desired. You can edit the file geo-update.timer as needed to run on a different day or at a different time. If your computer is turned off during the scheduled update time then systemd will run the geo-nft.sh scrip during the next system boot. Since the filename of the db-ip.com database includes the current date, your system time must be accurate to determine the correct filename to download.

To set up automatic database updates first add a soft link to the geo-nft.sh script in /usr/sbin.

ln -sf /etc/nftables/geo-nft/geo-nft.sh /usr/sbin/geo-nft

Next, add soft links to the systemd timer and service files.

ln -sf /etc/nftables/geo-nft/systemd/geo-update.timer /etc/systemd/system/geo-update.timer
ln -sf /etc/nftables/geo-nft/systemd/geo-update.service /etc/systemd/system/geo-update.service

Then enable the timer to run at boot time, and start it. This will automatically create a soft link to the timer file in the appropriate system directory.

systemctl enable --now geo-update.timer

List the systemd timers on your system to verify the geo-update.timer is loaded.

systemctl -t timer

You can list the timer's previous and next run times with this command:

systemctl list-timers --all

The next run time for the timer may not be exactly at midnight since the geo-update.timer file has a random 0-300 second delay to allow time for other programs to run that are also scheduled at midnight.

You can get additional information about the geo-update.timer with:

systemctl show geo-update.timer

Network Wait Service

   As mentioned, if your system is turned off when the geolocation database is due to be automatically updated then systemd will run the geo-nft.sh script during the next system startup. To do this successfully, systemd needs to wait until the network is up and running before it runs the geo-nft.sh script to download the new database. This requires the correct network wait service to be enabled. You can check to see if either of the two common wait services are enabled (usually only one should be) with:

systemctl is-enabled systemd-networkd-wait-online.service NetworkManager-wait-online.service

If one of the two network services (or both) are enabled, then you don't need to change the wait service settings. If both are disabled (or one of the service files doesn't exist), then the correct wait service needs to be enabled.

If systemd-networkd is used to configure your network, start and enable the wait service:

systemctl enable --now systemd-networkd-wait-online.service

If NetworkManager is used to configure your network, start and enable the wait service:

systemctl enable --now NetworkManager-wait-online.service

See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ for additional information. One thing to consider here is that enabling the network wait service can extend boot times if your network is unavailable. The default network timeout is typically set to 120 seconds.

Time Sync Wait Service

   The final installation step is to enable the service that delays the start of geo-update.service on boot until the system time has been synchronized with an accurate time source by systemd-timesyncd.service.

systemctl enable --now systemd-time-wait-sync.service

At this point the basic installation is complete and you can refer to the User Guide for setting up your ruleset.

SELinux

    If you're running SELinux then you'll need to generate a local policy module to give permissions to the /etc/nftables/geo-nft/geo-nft.sh script so that it can create and write to necessary files for operation. Instructions for doing this are beyond the scope of this document, but you should be able to find that information online.

Updating Geolocation for nftables Source Code

   When new versions of Geolocation for nftables are released you can update your installation automatically with Git. This is the easiest way to update the geo-ntf.sh script without overwriting any customized configuration files or scripts that you may have. First, back up your current /etc/nftables/geo-nft directory.

cp -r /etc/nftables/geo-nft /etc/nftables/geo-nft.bak

Change directory to the /etc/nftables/geo-nft directory.

cd /etc/nftables/geo-nft

Fetch the latest files without overwriting or updating any of your local files.

git fetch origin

Check the status of your local files.

git status

If "git status" shows that your branch is behind 'origin/main' by x number of commits, then you can update your local files to the latest version with:

git pull

Your local files should now be updated. You can run the geo-nft.sh script to verify the new Geolocation for nftables version number.

sudo geo-nft

 

Geolocation for nftables documentation is licensed under the GNU GPLv2 (or at your option, any later version).

Clone this wiki locally