Hi, I have a strange problem with geoip in iptables at the moment. I am trying to block every other country apart from mine from accessing a web server that I'm running. Whatever I do, it will not seem to work.
Firstly, here is some lsmod output that shows I have the required modules up and running:
Code:
lsmod | grep xt_geoip
xt_geoip 16384 2
x_tables 32768 9 xt_LOG,ipt_REJECT,xt_geoip,iptable_mangle,ip_tables,iptable_filter,xt_tcpudp,xt_limit,xt_conntrack
I have set up some simple iptables rules to test the situation, here they are:
Quote:
:INPUT DROP [38:4550]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [193:17968]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m geoip ! --source-country GB -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m geoip ! --source-country GB -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Now let's say I'm in the UK. The above rules, so far as I can see, tell iptables to block any inbound traffic to port 80 and 443 unless it's coming from the UK. The problem is those rules block me and I am in the UK. Oddly, if I change "GB" to "US" it still blocks me. Even more oddly, if I tell it to block my country and accept the rest of the world (like below), it unblocks me and allows the rest of the world too! (I know it's allowing other countries from the Apache access log.)
Quote:
-A INPUT -p tcp -m geoip --source-country GB -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m geoip --source-country GB -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Another thing is that I know my IP address is in the GeoLite2 database that xt_geoip_dl downloaded for me because I actually checked in the CSV file. The file also shows that my IP range is correctly mapped to GB. The database binary files are also correctly installed in /usr/share/xt_geoip and I can see that GB.iv4 and GB.iv6 are both in there.
I should probably also say that I built xtables-addons from source and I'm running version 3.2. I'm running it on Raspbian on an RPi2; I had no choice but to build from source as the DKMS module in the repos would not build no matter which kernel and headers I used.
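The rules in the post read correctly (drop non-GB, then accept), and the symptom described, the negated rule dropping everyone while the non-negated rule matches nobody, is consistent with the geoip match loading zero address ranges for the country at rule-load time rather than with a rule-logic error. Checking the CSV proves the source data is right, but not that the binary GB.iv4 the match actually reads contains the address. The script below is an added example, not part of the original post and not xtables-addons code. It assumes the xtables-addons 3.x on-disk layout (a flat XX.iv4 file of inclusive (start, end) pairs of 4-byte big-endian IPv4 addresses, XX.iv6 with 16-byte addresses); if your xt_geoip_build writes something else, adjust load_ranges(). The sample database it builds for its self-test uses RFC 5737 documentation prefixes and is constructed, not real UK address space.

```python
"""Sanity-check an xt_geoip country database against a known address.

Added example, not part of the original post or of xtables-addons.
ASSUMPTION: xtables-addons 3.x writes /usr/share/xt_geoip/XX.iv4 as a flat
sequence of (start, end) pairs of 4-byte big-endian IPv4 addresses, and
XX.iv6 likewise with 16-byte IPv6 addresses; both ends inclusive.  If your
xt_geoip_build emits a different layout, adjust load_ranges() accordingly.
"""
import ipaddress
import sys
import tempfile
from pathlib import Path


def load_ranges(data: bytes, version: int):
    """Decode a .iv4 / .iv6 blob into a list of (start, end) integer pairs."""
    width = 4 if version == 4 else 16
    rec = 2 * width
    if len(data) % rec:
        raise ValueError(
            f"{len(data)} bytes is not a multiple of {rec}: not a .iv{version} blob?")
    ranges = []
    for off in range(0, len(data), rec):
        start = int.from_bytes(data[off:off + width], "big")
        end = int.from_bytes(data[off + width:off + rec], "big")
        if start > end:
            # A range that runs backwards usually means the file was written
            # in a different byte order than this reader expects.
            raise ValueError(f"record at offset {off} has start > end")
        ranges.append((start, end))
    return ranges


def country_has(ranges, ip: str) -> bool:
    """True if ip falls inside any (start, end) range."""
    n = int(ipaddress.ip_address(ip))
    return any(start <= n <= end for start, end in ranges)


def check_db(db_dir, country: str, ip: str):
    """Return (number of ranges, whether ip is in them) for db_dir/CC.ivN."""
    addr = ipaddress.ip_address(ip)
    path = Path(db_dir) / f"{country}.iv{addr.version}"
    ranges = load_ranges(path.read_bytes(), addr.version)
    return len(ranges), country_has(ranges, ip)


def build_blob(cidrs):
    """Encode CIDR blocks in the assumed on-disk format (used for test data)."""
    out = bytearray()
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        width = 4 if net.version == 4 else 16
        out += int(net.network_address).to_bytes(width, "big")
        out += int(net.broadcast_address).to_bytes(width, "big")
    return bytes(out)


# Constructed sample "GB" database using RFC 5737 documentation prefixes;
# these are NOT real UK allocations.
SAMPLE_GB_IV4 = build_blob(["192.0.2.0/24", "198.51.100.0/24"])


def demo():
    """Write the constructed sample to a temp dir and query it like a real DB."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "GB.iv4").write_bytes(SAMPLE_GB_IV4)
        return check_db(d, "GB", "192.0.2.45")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} /usr/share/xt_geoip GB 203.0.113.7")
    count, hit = check_db(*sys.argv[1:])
    print(f"{count} ranges loaded; {sys.argv[3]} {'IS' if hit else 'is NOT'} in {sys.argv[2]}")
    # Zero ranges means the match can never fire for this country, which is
    # exactly what would make "! --source-country GB" drop everyone.
    sys.exit(0 if hit else 1)
```

Run it as `python3 check_geoip.py /usr/share/xt_geoip GB <your public address>` on the Pi. If it reports zero ranges or raises a format error, the binary database is what is wrong, not the rules; if it finds the address, the next thing to confirm is that the `libxt_geoip.so` iptables actually loads (`iptables -m geoip --help` prints the extension's help text) is the one built from the same 3.2 source tree as the kernel module, and not a leftover copy from an earlier package.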