[SOLVED] iptables and geoid / xtables-addons problem

makeyourself · 02-17-2019, 12:30 AM

Hi, I have a strange problem with geoid in iptables at the moment. I am trying to block every other country apart from mine from accessing a web server that I'm running. Whatever I do, it will not seem to work.

Firsty here is some lsmod output that shows I have the required modules up and running:

Code:

lsmod | grep xt_geoip
xt_geoip               16384  2
x_tables               32768  9 xt_LOG,ipt_REJECT,xt_geoip,iptable_mangle,ip_tables,iptable_filter,xt_tcpudp,xt_limit,xt_conntrack

I have set up some simple iptables rules to test the situation, here they are:

Quote:

:INPUT DROP [38:4550]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [193:17968]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m geoip ! --source-country GB -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m geoip ! --source-country GB -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Now let's say I'm in the UK. The above rules, so far as I can see tell iptables to block any inbound traffic to port 80 and 443 unless it's coming from the UK. The problem is those rules block me and I am in the UK. Oddly if I change "GB" to "US" it still blocks me. Even more oddly is that if I tell it to block my country and accept the rest of the world (like below) it unblocks me and allows the rest of the world too! (I know it's allowing other countries from the apache access log).

Quote:

-A INPUT -p tcp -m geoip --source-country GB -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m geoip --source-country GB -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Another thing is that I know my IP address is in the Geolite2 database that xt_geoip_dl downloaded for me because I actually checked in the CSV file. The file also shows that my IP range is correctly mapped to GB. The database binary files are also correctly installed in /usr/share/xt_geoip and I can see that GB.iv4 and GB.iv6 are both in there.

I should probably also say that I built xtables_addons from source and I'm running the version 3.2. I'm running it on Raspbian on an RPi2, I had no choice but to build from source as the DKMS module in the repos would not build no matter which kernel and headers I used.

makeyourself · 02-17-2019, 09:16 PM

OK I have fixed it. It seems to have been something to do with my kernel source and/or headers which xtables-addons uses when it builds the source code. I can't be sure it was this specifically but when I originally ran "./configure" there was a warning about "Module.symvers" missing from the root of the source tree. A similar warning was also present in my logs after building xtables-addons.

To fix it I rebuilt the kernel source and the headers, reinstalled the kernel, modules, headers (to /usr/include) and source (to /usr/src/linux). I had cross compiled so without cleaning the kernel source I then did "make scripts" on the target machine. Finally I rebuilt xtables-addons.