Forum: Linux - Networking
Old 02-17-2019, 12:30 AM   #1
iptables and geoip / xtables-addons problem

Hi, I have a strange problem with geoip in iptables at the moment. I am trying to block every country apart from mine from accessing a web server that I'm running. Whatever I do, it will not seem to work.

Firstly, here is some lsmod output that shows I have the required modules up and running:
lsmod | grep xt_geoip
xt_geoip               16384  2
x_tables               32768  9 xt_LOG,ipt_REJECT,xt_geoip,iptable_mangle,ip_tables,iptable_filter,xt_tcpudp,xt_limit,xt_conntrack
I have set up some simple iptables rules to test the situation, here they are:
:INPUT DROP [38:4550]
:OUTPUT ACCEPT [193:17968]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m geoip ! --source-country GB -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m geoip ! --source-country GB -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Now let's say I'm in the UK. The above rules, so far as I can see, tell iptables to block any inbound traffic to ports 80 and 443 unless it's coming from the UK. The problem is that those rules block me, and I am in the UK. Oddly, if I change "GB" to "US" it still blocks me. Even more oddly, if I tell it to block my country and accept the rest of the world (like below), it unblocks me and allows the rest of the world too! (I know it's allowing other countries from the Apache access log.)
-A INPUT -p tcp -m geoip --source-country GB -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m geoip --source-country GB -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Another thing: I know my IP address is in the GeoLite2 database that xt_geoip_dl downloaded for me, because I actually checked the CSV file. The file also shows that my IP range is correctly mapped to GB. The database binary files are also correctly installed in /usr/share/xt_geoip, and I can see that GB.iv4 and GB.iv6 are both in there.

I should probably also say that I built xtables-addons from source and I'm running version 3.2. I'm running it on Raspbian on an RPi2; I had no choice but to build from source, as the DKMS module in the repos would not build no matter which kernel and headers I used.

Last edited by makeyourself; 02-17-2019 at 09:22 PM.
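The kernel module never reads the CSV: xt_geoip loads the binary GB.iv4/GB.iv6 files, so the check that matters is whether the address falls inside a range in those files, and whether those files decode cleanly at all. The following is an added example, not code from the thread or from xtables-addons. It assumes the xtables-addons 3.x on-disk layout (each record is a begin/end address pair in network byte order, 8 bytes per IPv4 range and 32 per IPv6 range, records sorted ascending); the sample ranges it packs are constructed documentation prefixes standing in for a GB database, not real allocations.

```python
import bisect
import ipaddress
import struct
import sys
from pathlib import Path
from typing import List, Tuple

# Assumed xt_geoip 3.x layout (not stated in the thread): every record is a
# (begin, end) address pair in network byte order, records sorted ascending.
V4_REC = struct.Struct("!II")   # 8 bytes per IPv4 range
V6_RECLEN = 32                  # 16-byte begin + 16-byte end per IPv6 range

Range = Tuple[int, int]


def build_db(cidrs: List[str], version: int) -> bytes:
    """Mini xt_geoip_build: pack CIDR blocks of one IP version into the .ivN layout."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    nets = sorted((n for n in nets if n.version == version),
                  key=lambda n: int(n.network_address))
    out = bytearray()
    for n in nets:
        begin, end = int(n.network_address), int(n.broadcast_address)
        if version == 4:
            out += V4_REC.pack(begin, end)
        else:
            out += begin.to_bytes(16, "big") + end.to_bytes(16, "big")
    return bytes(out)


def parse_db(data: bytes, version: int) -> List[Range]:
    """Decode an .iv4/.iv6 blob, rejecting corruptions a per-packet match would not report."""
    reclen = V4_REC.size if version == 4 else V6_RECLEN
    if len(data) % reclen:
        raise ValueError(f"truncated database: {len(data)} bytes is not a multiple of {reclen}")
    ranges: List[Range] = []
    for off in range(0, len(data), reclen):
        rec = data[off:off + reclen]
        if version == 4:
            begin, end = V4_REC.unpack(rec)
        else:
            begin, end = int.from_bytes(rec[:16], "big"), int.from_bytes(rec[16:], "big")
        if begin > end:
            raise ValueError(f"record at offset {off} has begin > end: wrong byte order or format version?")
        ranges.append((begin, end))
    if any(ranges[i][0] > ranges[i + 1][0] for i in range(len(ranges) - 1)):
        raise ValueError("records are not sorted; a binary search over them would miss entries")
    return ranges


def lookup(ranges: List[Range], ip_str: str) -> bool:
    """Binary search for ip in sorted, non-overlapping ranges."""
    ip = int(ipaddress.ip_address(ip_str))
    i = bisect.bisect_right([r[0] for r in ranges], ip) - 1
    return i >= 0 and ranges[i][0] <= ip <= ranges[i][1]


def country_has(db_dir: str, iso: str, ip_str: str) -> bool:
    """Answer 'would --source-country ISO match this address?' from the installed files."""
    ip = ipaddress.ip_address(ip_str)
    data = (Path(db_dir) / f"{iso}.iv{ip.version}").read_bytes()
    return lookup(parse_db(data, ip.version), ip_str)


# Constructed sample: documentation prefixes standing in for a GB database.
SAMPLE_GB4 = build_db(["203.0.113.0/24", "198.51.100.0/24"], 4)
SAMPLE_GB6 = build_db(["2001:db8::/32"], 6)

if __name__ == "__main__":
    # Usage: python3 geoip_check.py GB 203.0.113.7 [/usr/share/xt_geoip]
    iso, ip = sys.argv[1], sys.argv[2]
    db_dir = sys.argv[3] if len(sys.argv) > 3 else "/usr/share/xt_geoip"
    print(f"{ip} in {iso}: {country_has(db_dir, iso, ip)}")
```

Run it against the installed directory with your own public address; a ValueError from parse_db means the file is not in the layout this version of the module expects, and a False answer means the CSV and the binary disagree, which is a different problem from the kernel module itself.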
Old 02-17-2019, 09:16 PM   #2
Original Poster
OK, I have fixed it. It seems to have been something to do with my kernel source and/or headers, which xtables-addons uses when it builds the source code. I can't be sure it was this specifically, but when I originally ran "./configure" there was a warning about "Module.symvers" missing from the root of the source tree. A similar warning was also present in my logs after building xtables-addons.

To fix it I rebuilt the kernel source and the headers, reinstalled the kernel, modules, headers (to /usr/include) and source (to /usr/src/linux). I had cross-compiled, so without cleaning the kernel source I then did "make scripts" on the target machine. Finally I rebuilt xtables-addons.
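Before loading a rebuilt module it is worth checking the two things the post above points at: that the kernel build tree actually carries Module.symvers (the file ./configure warned about) and that the module's vermagic names the running kernel rather than whichever kernel the headers came from. The script below is an added example, not from the thread or from xtables-addons. The modinfo text it parses is constructed, with made-up release strings and paths, and the problems it reports are the preflight checks a practitioner would run, not a diagnosis of this particular failure.

```python
import subprocess
import sys
from pathlib import Path
from typing import Dict, List


def parse_modinfo(text: str) -> Dict[str, str]:
    """Turn `modinfo <module>` output into a field -> value map (first value wins)."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info.setdefault(key.strip(), value.strip())
    return info


def vermagic_release(vermagic: str) -> str:
    """The first token of vermagic is the kernel release the module was compiled against."""
    return vermagic.split()[0] if vermagic.strip() else ""


def build_problems(build_dir: str, modinfo_text: str, running_release: str) -> List[str]:
    """Return mismatches between the build tree, the built module and the running kernel."""
    problems: List[str] = []
    build = Path(build_dir)
    if not (build / "Module.symvers").is_file():
        problems.append(f"{build}/Module.symvers is missing: out-of-tree modules are "
                        "built without the kernel's exported-symbol versions")
    info = parse_modinfo(modinfo_text)
    built_for = vermagic_release(info.get("vermagic", ""))
    if built_for != running_release:
        problems.append(f"vermagic says the module was built for {built_for!r} "
                        f"but the running kernel is {running_release!r}")
    if "x_tables" not in info.get("depends", "").split(","):
        problems.append("module does not declare a dependency on x_tables; "
                        "is this really a build of xt_geoip?")
    return problems


# Constructed modinfo output (paths and release strings are made up for the example):
SAMPLE_MODINFO = """\
filename:       /lib/modules/4.14.98-v7+/extra/xt_geoip.ko
license:        GPL
depends:        x_tables
name:           xt_geoip
vermagic:       4.14.79-v7+ SMP mod_unload modversions ARMv7 p2v8
"""


def run(cmd: List[str]) -> str:
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Live check on the target machine: python3 xt_geoip_preflight.py [build-dir]
    release = run(["uname", "-r"]).strip()
    build_dir = sys.argv[1] if len(sys.argv) > 1 else f"/lib/modules/{release}/build"
    for p in build_problems(build_dir, run(["modinfo", "xt_geoip"]), release):
        print("PROBLEM:", p)
```

On the constructed sample the vermagic release (4.14.79-v7+) differs from the kernel the module was installed under (4.14.98-v7+), which is exactly the situation a cross-compiled tree with stale headers produces; an empty problem list is the state to be in before testing the iptables rules again.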

