On 02/24/2017 08:22 AM, Tom Eastep wrote:
> On 02/23/2017 06:31 AM, Vieri Di Paola wrote:
>> Hi,
>
>> Regarding my previous post, geoip actually seems to be working
>> with:
>
>> DROP net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
>> DROP net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
>
>> DROP net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
>
>> in *most cases*... which means that some packets do arrive at the
>> underlying IPS system via NFQUEUE. The IPS also has a geo-ip
>> rule with the SAME negated set of countries. The weird thing is
>> that I see the IPS logging geoip drops when
>> Shorewall&xtables-addons should have already dropped them all.
>> Some (few) seem to slip through...
>
>
> In the IPS logs, does it indicate the destination protocol and port
> of the offending IPs?
>
Please refer to the attached file (included so that the lines don't
get folded by my mailer). This is from net1-fw, but all of the net*-*
chains are similar.
Note that multiple tcp ports, including port 80, are sent to chain
~excl110. That chain returns on source IP matches to IPS_BL and POL_BL
then sends the rest to the IPS. Note that this occurs well before the
geoip rules.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Chain net1-fw (1 references)
 pkts bytes target    prot opt in  out source    destination
 1851  186K dynamic   all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctstate INVALID,NEW,UNTRACKED
 1851  186K smurfs    all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctstate INVALID,NEW,UNTRACKED
...
  171  7076 ~excl110  tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 61196,61197,61198,21,25,80,443,3389,10444
...
  310 19406 ~log126   all  --  *   *   0.0.0.0/0 0.0.0.0/0  [goto] match-set POL_BL src
    8   480 ACCEPT    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp dpt:62000 ctorigdstport 80 -m geoip ! --source-country US,CA,EU,ES,PT,FR,DE,GB,IT,BE
  635  106K DROP      all  --  *   *   0.0.0.0/0 0.0.0.0/0  -m geoip ! --source-country US,CA,EU,ES,PT,FR,DE,GB,IT,BE
    0     0 ~excl145  tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 6502,7071,7070
...

Chain ~excl110 (1 references)
 pkts bytes target    prot opt in  out source    destination
    0     0 RETURN    all  --  *   *   0.0.0.0/0 0.0.0.0/0  match-set IPS_BL src
    0     0 RETURN    all  --  *   *   0.0.0.0/0 0.0.0.0/0  match-set POL_BL src
  171  7076 NFQUEUE   all  --  *   *   0.0.0.0/0 0.0.0.0/0  NFQUEUE balance 0:5 bypass
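An added example, not from the thread and not Shorewall's own code: a small Python simulation of iptables first-match evaluation over the rules visible in the attached net1-fw and ~excl110 listing. It shows why a tcp/80 packet from a country outside the list reaches NFQUEUE (and so the IPS) before the geoip DROP rule is ever consulted, while a source in POL_BL returns from ~excl110 and is then dropped by geoip. The rule predicates, sample country codes and ipset membership are constructed; the dynamic, smurfs, ~log126, ACCEPT-62000 and ~excl145 rules are left out because the state they depend on is not in the listing.

```python
"""First-match walk of the net1-fw chain from the attached listing (simulation)."""

# Countries from the "! --source-country" match in the listing.
ALLOWED = {"US", "CA", "EU", "ES", "PT", "FR", "DE", "GB", "IT", "BE"}

# Each rule is (match predicate, target). A target that names a chain is a jump.
# Only the rules whose conditions are fully visible in the listing are modelled.
CHAINS = {
    "net1-fw": [
        (lambda p: p["proto"] == "tcp" and p["dport"] in
         {61196, 61197, 61198, 21, 25, 80, 443, 3389, 10444}, "~excl110"),
        (lambda p: p["country"] not in ALLOWED, "DROP"),   # -m geoip ! --source-country
    ],
    "~excl110": [
        (lambda p: "IPS_BL" in p["sets"], "RETURN"),        # match-set IPS_BL src
        (lambda p: "POL_BL" in p["sets"], "RETURN"),        # match-set POL_BL src
        (lambda p: True, "NFQUEUE"),                        # everything else to the IPS
    ],
}
TERMINAL = {"ACCEPT", "DROP", "NFQUEUE"}


def walk(chain, pkt, trail=None):
    """Return (verdict, trail) using iptables first-match semantics.

    verdict is None when the chain falls through (the chain policy would apply).
    """
    trail = [] if trail is None else trail
    for i, (match, target) in enumerate(CHAINS[chain]):
        if not match(pkt):
            continue
        trail.append(f"{chain}[{i}] -> {target}")
        if target in TERMINAL:
            return target, trail
        if target == "RETURN":
            return None, trail            # caller continues with its next rule
        verdict, trail = walk(target, pkt, trail)
        if verdict is not None:
            return verdict, trail
    return None, trail


def verdict_for(proto, dport, country, sets=()):
    """Constructed packet: protocol, destination port, geoip country, ipset hits."""
    pkt = {"proto": proto, "dport": dport, "country": country, "sets": set(sets)}
    return walk("net1-fw", pkt)


if __name__ == "__main__":
    for case in [("tcp", 80, "CN"), ("tcp", 8080, "CN"), ("tcp", 80, "CN", ("POL_BL",))]:
        print(case, *verdict_for(*case))
```

The trail for the tcp/80 case ends in ~excl110's NFQUEUE rule, which is exactly the path a packet takes past the geoip rule; moving the geoip DROP above the ~excl110 jump would reverse that.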