An advanced iptables/netfilter kernel module for filtering network traffic based on Autonomous System Numbers (ASN). This module enables efficient packet filtering by ASN, making it useful for geolocation-based filtering, traffic analysis, and network security applications.
- 4-byte ASN Support: Full support for 4-byte ASNs (the original module only handled 2-byte ASNs)
- Dual Stack: Complete IPv4 and IPv6 support
- High Performance: Binary search algorithm for efficient IP range matching
- Automated Updates: Scheduled BGP data processing from RouteViews.org
- Kernel Integration: Native netfilter integration with minimal overhead
- Country Detection: Determine country for IP address ranges based on ASN data
- Linux kernel 3.7+ (tested up to 5.x)
- iptables 1.4.5+
- gcc compiler
- Kernel headers for your running kernel
- autotools (autoconf, automake, libtool)
- pkg-config
- xtables development headers
- bgpdump utility
- Perl with modules:
  - Net::IP
  - Net::Netmask
  - Text::CSV_XS
  - Getopt::Long
```bash
# Install dependencies (on newer Debian/Ubuntu releases the iptables-dev
# package is named libxtables-dev)
sudo apt-get update
sudo apt-get install -y build-essential linux-headers-$(uname -r) \
    iptables-dev autotools-dev autoconf automake libtool pkg-config \
    bgpdump libtext-csv-xs-perl libnet-ip-perl libnet-netmask-perl

# Clone and build
git clone https://github.com/username/xt_asn.git
cd xt_asn
./autogen.sh
./configure
make
sudo make install
```
Prepare the build environment:
```bash
./autogen.sh
./configure --with-kbuild=/lib/modules/$(uname -r)/build
```
Compile the module:
```bash
make
```
Install the module:
```bash
sudo make install
sudo depmod -a
```
Load the kernel module:
```bash
sudo modprobe xt_asn
```
```bash
# Update ASN data configuration
sudo nano /usr/local/bin/update-asndata.sh    # Set ASN_DATA_DIR
sudo nano /usr/local/bin/download-asndata.sh  # Set ASN_DATA_URL
# Generate initial database
sudo /usr/local/bin/download-asndata.sh
```
Match syntax:
```
iptables -m asn [!] --src-asn ASN[,ASN...] ...
iptables -m asn [!] --dst-asn ASN[,ASN...] ...
```
Block traffic from a specific ASN:
```bash
# Block incoming traffic from Google's ASN
iptables -A INPUT -m asn --src-asn 15169 -j DROP
```
Allow traffic to multiple ASNs:
```bash
# Allow outgoing traffic to Google, Microsoft, and Cloudflare
iptables -A OUTPUT -m asn --dst-asn 15169,8075,13335 -j ACCEPT
```
Labelling ASN rules with comments (a bare ASN is opaque in `iptables -L`; `-m comment` keeps the operator's name next to it):
```bash
iptables -A INPUT -m asn --src-asn 15169 -m comment --comment "Google AS" -j ACCEPT
iptables -A OUTPUT -m asn --dst-asn 15169 -m comment --comment "Google AS" -j ACCEPT
```
Complex rules with negation:
```bash
# Log traffic NOT from trusted ASNs
iptables -A FORWARD -m asn ! --src-asn 12345,67890 -j LOG --log-prefix "Non-trusted ASN: "
```
Rate limiting by ASN:
```bash
# Accept at most 100 packets/sec from a specific ASN. Packets above the limit
# do not match this rule and fall through to the rules after it, so add a
# DROP for the same ASN below it if the excess should be discarded.
iptables -A INPUT -m asn --src-asn 15169 -m limit --limit 100/sec -j ACCEPT
```
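The rule examples above take the ASN list on trust. The helper below is added here as an example and is not part of xt_asn: it checks that every entry is a decimal ASN inside the 4-byte range the module supports, warns about reserved or private ASNs (a rule keyed on those will rarely match anything in public BGP data), and installs a rule with a rollback timer in the spirit of the warning at the end of this page, so a rule that locks you out undoes itself unless you confirm it. The `IPT` and `KEEP_FLAG` variables and the `/run/xt_asn.keep` path are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of xt_asn: validate an ASN list before it goes
# into a rule, and apply the rule with an automatic rollback window.
# IPT can be pointed at a wrapper (IPT=echo) for a dry run.
IPT="${IPT:-iptables}"
KEEP_FLAG="${KEEP_FLAG:-/run/xt_asn.keep}"   # assumed path, not from the project

# Return 0 if $1 is a reserved or private ASN, 1 otherwise. Ranges from
# RFC 7607 (AS0), RFC 6793 (AS_TRANS 23456), RFC 5398 (documentation),
# RFC 6996 (private 16- and 32-bit ranges) and RFC 7300 (last ASN).
asn_is_reserved() {
    n=$1
    if [ "$n" -eq 0 ] || [ "$n" -eq 23456 ] || [ "$n" -eq 4294967295 ] \
       || { [ "$n" -ge 64496 ] && [ "$n" -le 65551 ]; } \
       || { [ "$n" -ge 4200000000 ] && [ "$n" -le 4294967294 ]; }; then
        return 0
    fi
    return 1
}

# Return 0 if $1 is a comma-separated list of decimal ASNs in 0..4294967295
# (the 4-byte range the module supports), 1 otherwise. Reserved ASNs are
# accepted but reported on stderr.
validate_asn_list() {
    list=$1
    case $list in
        ''|,*|*,|*,,*) return 1 ;;          # empty list or empty field
    esac
    old_ifs=$IFS
    IFS=,
    set -- $list                            # split on commas only
    IFS=$old_ifs
    for asn in "$@"; do
        case $asn in
            0|[1-9]*) ;;                    # no leading zeros (octal ambiguity)
            *) return 1 ;;
        esac
        case $asn in
            *[!0-9]*) return 1 ;;           # digits only
        esac
        [ ${#asn} -le 10 ] || return 1      # cheap bound before the numeric compare
        [ "$asn" -le 4294967295 ] || return 1
        if asn_is_reserved "$asn"; then
            echo "warning: AS$asn is reserved or private; it will rarely match public routes" >&2
        fi
    done
    return 0
}

# Insert a rule at the top of CHAIN and delete it again after SECS seconds
# unless KEEP_FLAG has been created in the meantime.
# Usage: apply_asn_rule_with_rollback INPUT --src-asn 15169 DROP 60
apply_asn_rule_with_rollback() {
    chain=$1 opt=$2 asns=$3 target=$4 secs=${5:-60}
    case $opt in
        --src-asn|--dst-asn) ;;
        *) echo "unknown match option: $opt" >&2; return 1 ;;
    esac
    validate_asn_list "$asns" || { echo "invalid ASN list: $asns" >&2; return 1; }
    rm -f "$KEEP_FLAG"
    "$IPT" -I "$chain" -m asn "$opt" "$asns" -j "$target" || return 1
    (
        sleep "$secs"
        [ -e "$KEEP_FLAG" ] && exit 0
        "$IPT" -D "$chain" -m asn "$opt" "$asns" -j "$target"
    ) &
    echo "rule active; touch $KEEP_FLAG within ${secs}s to keep it" >&2
}
```

Run it as `IPT=echo sh -c '. ./asn-rule.sh; apply_asn_rule_with_rollback INPUT --src-asn 15169 DROP 30'` to see the commands without touching the live ruleset; the rollback only removes the exact rule it inserted, so rules added by other tooling are unaffected.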
The module uses a two-stage update process, so the expensive parsing of raw BGP dumps happens once on a central server and each firewall host only fetches the processed result:

- Central Processing (update-asndata.sh):
  - Downloads raw BGP data from RouteViews.org
  - Processes data into CSV format
  - Should run on a central server
- Local Updates (download-asndata.sh):
  - Downloads processed CSV data
  - Converts to binary format for kernel module
  - Runs on each server using xt_asn
```bash
# Edit configuration
sudo vi /usr/local/bin/update-asndata.sh
# Set: ASN_DATA_DIR="/var/lib/xt_asn"
sudo vi /usr/local/bin/download-asndata.sh
# Set: ASN_DATA_URL="http://your-server.com/asn.csv"
# Serve the CSV over https (or another authenticated channel): every host that
# fetches it turns the file straight into firewall decisions.

# Set up a cron job for daily updates. "crontab -" replaces root's whole
# crontab, so append to the existing entries instead of overwriting them:
( sudo crontab -l 2>/dev/null; echo "0 6 * * * /usr/local/bin/download-asndata.sh" ) | sudo crontab -
```
```bash
# Update ASN database manually
sudo /usr/local/bin/download-asndata.sh
# Reload module to use new data. rmmod refuses ("Module xt_asn is in use")
# while any rule still references -m asn; remove those rules first and
# re-add them afterwards.
sudo rmmod xt_asn
sudo modprobe xt_asn
```
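download-asndata.sh, as described above, fetches the CSV from ASN_DATA_URL and swaps it in. The script below is an added example and not the project's script: it enforces https, verifies the download against a SHA-256 sum published next to it, and replaces the live copy with an atomic rename so a truncated or tampered file never reaches the conversion step. The `.sha256` sidecar file, the `asn.csv` filename and the default URL are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of xt_asn's download-asndata.sh: only replace the
# live ASN CSV when the download matches a SHA-256 published alongside it.
# ASN_DATA_URL and ASN_DATA_DIR reuse the project's variable names; the
# ".sha256" sidecar and the default values below are assumptions.
ASN_DATA_URL="${ASN_DATA_URL:-https://your-server.example/asn.csv}"
ASN_DATA_DIR="${ASN_DATA_DIR:-/var/lib/xt_asn}"

# install_asn_csv SRC DEST EXPECTED_SHA256
# Verifies SRC, then replaces DEST with a rename inside DEST's directory so
# a reader never sees a half-written file. On any failure DEST is untouched
# and SRC is discarded. Returns 0 on success, 1 otherwise.
install_asn_csv() {
    src=$1 dest=$2 expected=$3
    if [ ! -s "$src" ]; then
        echo "refusing empty download: $src" >&2
        rm -f "$src"
        return 1
    fi
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src: got $actual, expected $expected" >&2
        rm -f "$src"
        return 1
    fi
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest" || {
        rm -f "$tmp"
        return 1
    }
    rm -f "$src"
    return 0
}

# fetch_asn_csv: download the CSV and its .sha256 sidecar with TLS enforced
# (--proto '=https' rejects plain http even after a redirect), then install.
fetch_asn_csv() {
    work=$(mktemp -d) || return 1
    curl --proto '=https' --fail --silent --show-error --location \
        -o "$work/asn.csv"        "$ASN_DATA_URL" \
        -o "$work/asn.csv.sha256" "$ASN_DATA_URL.sha256" || { rm -rf "$work"; return 1; }
    expected=$(cut -d' ' -f1 "$work/asn.csv.sha256")
    install_asn_csv "$work/asn.csv" "$ASN_DATA_DIR/asn.csv" "$expected"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

The checksum only protects integrity in transit and at rest on the mirror; if the central server itself is compromised it will happily publish a matching sum, so the sidecar should come from the host that runs update-asndata.sh, not from a cache in between. After a successful install the binary conversion and module reload from the steps above still have to run.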
```bash
# Check if module is loaded
lsmod | grep xt_asn
# Test iptables integration
iptables -m asn --help
# Verify database files (use the directory you set as ASN_DATA_DIR if you changed it)
ls -la /usr/share/xt_asn/
```
```bash
# Add test rule
iptables -A INPUT -m asn --src-asn 15169 -j LOG --log-prefix "Google ASN: "
# Check logs
tail -f /var/log/kern.log | grep "Google ASN"
```
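Before a LOG rule like the test rule above is turned into a DROP, it is worth seeing exactly what it matched. The following added example (not part of xt_asn) summarises the kernel LOG lines by source, protocol and destination port, busiest first; the sample lines it embeds are constructed for the example in the format the LOG target emits, not captured logs.

```sh
#!/bin/sh
# Added example, not part of xt_asn: summarise what a LOG rule such as
#   iptables -A INPUT -m asn --src-asn 15169 -j LOG --log-prefix "Google ASN: "
# matched, from /var/log/kern.log or dmesg output.

# asn_log_summary PREFIX FILE
# Prints "COUNT SRC PROTO DPT" per source/protocol/port, busiest first.
# Lines without a DPT= field (ICMP) are counted with "-" as the port.
asn_log_summary() {
    prefix=$1 file=$2
    grep -F -- "$prefix" "$file" \
      | awk '{
            src = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            print src, proto, dpt
        }' \
      | sort | uniq -c | sort -k1,1rn -k2,2 \
      | awk '{ print $1, $2, $3, $4 }'
}

# Constructed sample lines (not real logs) in the kernel LOG format; only the
# fields the summary reads are meaningful.
asn_log_sample() {
    cat <<'EOF'
Mar  3 10:00:01 fw kernel: [1000.1] Google ASN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=8.8.8.8 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: [1001.1] Google ASN: IN=eth0 OUT= SRC=8.8.8.8 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:00:03 fw kernel: [1002.1] Google ASN: IN=eth0 OUT= SRC=8.8.4.4 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:00:04 fw kernel: [1003.1] Non-trusted ASN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=22
EOF
}
```

Usage on a live box is `asn_log_summary "Google ASN:" /var/log/kern.log`; the prefix is matched literally (`grep -F`), so a prefix containing shell or regex metacharacters needs no escaping.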
Module loading fails:
```bash
# Check kernel version compatibility
uname -r
dmesg | grep xt_asn
# Verify kernel headers
ls /lib/modules/$(uname -r)/build
```
Size mismatch error:
```
asn.1 match: invalid size 152 (kernel) != (user) 184
```
The loaded kernel module and the iptables userspace plugin disagree on the size of the match structure, which means they were built from different versions of the code. Reloading helps when an older module was still in memory:
```bash
sudo rmmod xt_asn
sudo modprobe xt_asn
```
If the error persists, rebuild and reinstall both from the same source tree.
Database not found:
```bash
# Check database directory
ls -la /usr/share/xt_asn/
# Regenerate database
sudo /usr/local/bin/download-asndata.sh
```
Debugging:
```bash
# Show netfilter LOG messages from every network namespace in the host's log
# (kernel 4.11+); this does not enable extra logging inside xt_asn itself
sudo sysctl -w net.netfilter.nf_log_all_netns=1
# Check detailed logs
dmesg | grep -i asn
```
Build with debugging enabled:
```bash
git clone https://github.com/username/xt_asn.git
cd xt_asn
./autogen.sh
./configure --enable-debug
make clean && make
```
Run the test suite:
```bash
make check
```
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests
- Submit a pull request
- Lookup Speed: O(log n) binary search
- Memory Usage: ~1MB per 10,000 IP ranges
- CPU Overhead: <1% on modern systems
- Supported Load: Tested up to 1M packets/second
- Database: /usr/share/xt_asn/
- Scripts: /usr/local/bin/
- Config: /etc/xt_asn/
- Logs: /var/log/xt_asn.log
Binary files per ASN:
- BE/ (Big Endian): for big-endian systems
- LE/ (Little Endian): for little-endian systems
- *.iv4: IPv4 ranges
- *.iv6: IPv6 ranges
- Added 4-byte ASN support
- Fixed compatibility with iptables-services
- Improved error handling
- Updated documentation
- Complete rewrite for modern kernels
- IPv6 support added
- Performance optimizations
- Issues: GitHub Issues
- Documentation: Wiki
- Discussions: GitHub Discussions
This project is licensed under the GNU General Public License v2.0 - see the LICENSE file for details.
- Original authors: Samuel Jean & Nicolas Bouliane
- RouteViews.org for BGP data
- Netfilter/iptables development team
- All contributors and users
This module processes network traffic at the kernel level. Always test rules thoroughly in a safe environment before deploying to production systems. Incorrect configuration may block legitimate traffic or create security vulnerabilities.
For enterprise deployments, consider implementing proper monitoring, alerting, and rollback procedures.