On 3/9/20 7:26 PM, Erich Titl wrote:
> Hi Folks
>
> I am trying to get geoip match running on my very reliable firewall
>
> Shorewall 5.2.3.3 Dump at gatekeeper - Tue Mar 10 02:07:17 UTC 2020
>
> Shorewall is running
> State:Started Tue Mar 10 02:06:37 UTC 2020 from /etc/shorewall/
> (/var/lib/shorewall/firewall compile
>
> Counters reset Tue Mar 10 02:06:37 UTC 2020
>
> I can log in to the firewall from the net using ssh just fine, here are
> the excerpts of the rules file
>
> # Accept SSH connections from the local network for administration
> #
> #SSH(DROP)      net:^CN    all
> SSH(ACCEPT)     loc        fw
> SSH(ACCEPT)     net        fw
>
> Now if I uncomment the first of the three SSH rules I am blocked.
> This is the DROP line from the shorewall dump with the statement enabled-
>
> 33 1380 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 -m geoip --source-country CN /* SSH */
>
> Obviously I am not home else all this would be pointless. My current IP
> address is 92.144.119.39 and the shorewall log shows the following:
>
> Mar 10 00:49:55 gatekeeper Shorewall:net-fw:DROP: IN=eth0 OUT= MAC=00:0d:b9:1c:ce:dc:00:17:10:99:a7:43:08:00 SRC=92.144.119.39 DST=80.219.225.247 LEN=40 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=49158 DPT=993 SEQ=3841251305 ACK=0 WINDOW=0 RST URGP=0 MARK=0
> Mar 10 00:50:02 gatekeeper Shorewall:net-fw:DROP: IN=eth0 OUT= MAC=00:0d:b9:1c:ce:dc:00:17:10:99:a7:43:08:00 SRC=92.144.119.39 DST=80.219.225.247 LEN=40 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=49159 DPT=993 SEQ=1536968444 ACK=0 WINDOW=0 RST URGP=0 MARK=0

I assume that your geoip rule specifies logging (the rule you show above does not)?

> As would be expected by the firewall settings.
>
> geoip modules appear to be loaded into the kernel
>
> gatekeeper# lsmod | grep geoip
> xt_geoip 16384 0 - Live 0xc0ab2000 (O)
> x_tables 20480 25 xt_geoip,xt_iface,xt_tcpmss,xt_nat,xt_recent,xt_comment,ipt_REJECT,xt_addrtype,xt_mark,iptable_mangle,xt_TCPMSS,xt_tcpudp,xt_CT,iptable_raw,xt_multiport,xt_NFLOG,xt_LOG,iptable_filter,xt_ipp2p,xt_state,xt_helper,xt_conntrack,xt_REDIRECT,ipt_MASQUERADE,ip_tables, Live 0xc08dc000
>
> gatekeeper# ls -lR xt_geoip
> xt_geoip:
> drwxr-xr-x 2 root root 40 Jun 9 2019 BE
> drwxr-xr-x 2 root root 80 Mar 7 22:47 LE
>
> xt_geoip/BE:
>
> xt_geoip/LE:
> -rw-r--r-- 1 root root 33664 Mar 7 22:47 CN.iv4
> -rw-r--r-- 1 root root 179848 Mar 7 22:47 US.iv4
> gatekeeper#
>
> I have the files for US and China in the LE folder and shorewall appears
> to be happy.
>
> gatekeeper# shorewall show capabilities | grep GEO
> Geo IP Match (GEOIP_MATCH): Available
>
> Now I must be missing something, but what?

Assuming that the geoip rule is producing the log messages that you show above, it appears that something is broken in your geoip setup -- either the code itself, or the CN.ipv4 database.

-Tom
-- 
Tom Eastep           \ Q: What do you get when you cross a mobster
Shoreline,            \ with an international standard?
Washington, USA        \ A: Someone who makes you an offer you
http://shorewall.org    \ can't understand
                         \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
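Editor's worked example, added here and not part of the thread or of Shorewall's own code: a small diagnostic that makes Tom's two checks mechanical. It parses the netfilter log lines quoted above, and for each DROP entry asks whether the packet is one the `SSH(DROP) net:^CN all` rule could even have hit (TCP to port 22, source inside the country's ranges); the quoted entries are to DPT=993 with RST set, so whatever logged them, it was not that rule. It also reads a `.iv4` database and rejects sizes and orderings that cannot be right, which is the first sanity check to run on the CN.iv4 file itself. Assumptions: the LE/ `.iv4` layout is taken to be a flat sequence of (start, end) IPv4 pairs as little-endian uint32 values (consistent with the 8-byte-per-range file sizes in the listing); the country ranges and the third log line (203.0.113.7 to tcp/22) are constructed for the demonstration and are not real CN data; the function names are the example's own.

```python
"""Check whether Shorewall net-fw DROP log lines are consistent with an SSH
geoip DROP rule, using the xt_geoip .iv4 range layout (assumed here to be
consecutive little-endian uint32 start/end pairs for the LE/ directory)."""
import ipaddress
import re
import struct

# Constructed stand-in country ranges (documentation prefixes, not real CN data).
SAMPLE_RANGES = [("198.51.100.0", "198.51.100.255"), ("203.0.113.0", "203.0.113.255")]

# The two log lines from the thread, plus one constructed line (203.0.113.7 to
# tcp/22) that a geoip SSH rule with the ranges above could actually match.
SAMPLE_LOG = [
    "Mar 10 00:49:55 gatekeeper Shorewall:net-fw:DROP: IN=eth0 OUT= "
    "MAC=00:0d:b9:1c:ce:dc:00:17:10:99:a7:43:08:00 SRC=92.144.119.39 "
    "DST=80.219.225.247 LEN=40 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP "
    "SPT=49158 DPT=993 SEQ=3841251305 ACK=0 WINDOW=0 RST URGP=0 MARK=0",
    "Mar 10 00:50:02 gatekeeper Shorewall:net-fw:DROP: IN=eth0 OUT= "
    "MAC=00:0d:b9:1c:ce:dc:00:17:10:99:a7:43:08:00 SRC=92.144.119.39 "
    "DST=80.219.225.247 LEN=40 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP "
    "SPT=49159 DPT=993 SEQ=1536968444 ACK=0 WINDOW=0 RST URGP=0 MARK=0",
    "Mar 10 01:00:00 gatekeeper Shorewall:net-fw:DROP: IN=eth0 OUT= "
    "MAC=00:0d:b9:1c:ce:dc:00:17:10:99:a7:43:08:00 SRC=203.0.113.7 "
    "DST=80.219.225.247 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP "
    "SPT=40000 DPT=22 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0",
]


def build_iv4(ranges):
    """Pack dotted-quad (start, end) pairs into the assumed LE .iv4 layout."""
    out = bytearray()
    for start, end in ranges:
        out += struct.pack("<II", int(ipaddress.IPv4Address(start)),
                           int(ipaddress.IPv4Address(end)))
    return bytes(out)


def load_iv4(data):
    """Unpack an LE .iv4 blob; reject sizes and orderings that cannot be right."""
    if len(data) % 8:
        raise ValueError("size is not a multiple of 8: truncated database?")
    pairs = [struct.unpack_from("<II", data, off) for off in range(0, len(data), 8)]
    for start, end in pairs:
        if start > end:
            raise ValueError("start > end: wrong endianness or corrupt database?")
    return sorted(pairs)


def in_country(ip, pairs):
    """True when ip falls inside any (start, end) range, as the match would."""
    n = int(ipaddress.IPv4Address(ip))
    return any(start <= n <= end for start, end in pairs)


HEADER_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disp>\w+):")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(line):
    """Extract chain, disposition and the netfilter key=value fields we need."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {
        "chain": m.group("chain"),
        "disp": m.group("disp"),
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def explain(entry, pairs, dport=22):
    """Say whether a logged packet is one the geoip SSH DROP rule could have hit."""
    reasons = []
    if entry["proto"] != "TCP" or entry["dpt"] != dport:
        reasons.append(f"port/proto {entry['proto']}/{entry['dpt']} is not TCP/{dport}")
    if not in_country(entry["src"], pairs):
        reasons.append(f"{entry['src']} is not in the loaded country ranges")
    return "geoip SSH rule could match" if not reasons else "; ".join(reasons)


def diagnose(lines, db_bytes, dport=22):
    """Run every DROP line through explain(); returns one dict per parsed line."""
    pairs = load_iv4(db_bytes)
    results = []
    for line in lines:
        entry = parse_log(line)
        if entry is None or entry["disp"] != "DROP":
            continue
        entry["verdict"] = explain(entry, pairs, dport)
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG, build_iv4(SAMPLE_RANGES)):
        print(f"{r['chain']} {r['src']} -> tcp/{r['dpt']}: {r['verdict']}")
```

To use it against a real firewall, replace `build_iv4(SAMPLE_RANGES)` with the bytes of the deployed `LE/CN.iv4` and feed it the `net-fw:DROP` lines from syslog; a `ValueError` from `load_iv4` points at the database, while a run of "is not TCP/22" verdicts means the log entries come from some other rule or the net-to-fw policy, and the geoip rule needs its own logging before its behaviour can be read from the log at all.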