Score:0

xt_geoip not blocking connections?


I have xt_geoip configured to block connections from various countries, but it appears that connections are still being allowed from those countries.

From my /etc/iptables/rules.v4 (reduced a little):

# Generated by iptables-save v1.6.0 on Wed Nov  2 13:24:59 2022
*mangle
:PREROUTING ACCEPT [369071910:1067035760562]
:INPUT ACCEPT [16801255:12655837207]
:FORWARD ACCEPT [352276285:1054380415082]
:OUTPUT ACCEPT [14886281:3407372471]
:POSTROUTING ACCEPT [367165573:1057787945042]
COMMIT
# Completed on Wed Nov  2 13:24:59 2022
# Generated by iptables-save v1.6.0 on Wed Nov  2 13:24:59 2022
*filter
:INPUT ACCEPT [1135:232353]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1081:206118]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:f2b-gitlab-ssh - [0:0]
:f2b-sshd - [0:0]
-N LOG_DROP
-A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6
-A LOG_DROP -j DROP
-A INPUT -m geoip --source-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
-A INPUT -m geoip --destination-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
-A INPUT -p tcp -j f2b-gitlab-ssh
-A INPUT -p tcp -j f2b-sshd
-A FORWARD -m geoip --source-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
-A FORWARD -m geoip --destination-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
-A FORWARD -p tcp -j f2b-gitlab-ssh
-A FORWARD -p tcp -j f2b-sshd
-A OUTPUT -m geoip --source-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
-A OUTPUT -m geoip --destination-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
COMMIT

(I recently added the OUTPUT filters thinking that there was something else going on, but it changes nothing. Similarly, I don't think I should need both source- and destination-country for each of the three iptables chains, but ... when it didn't work as expected, I looked for other angles.)

On this system, I have a local non-docker ssh, and docker hosting several services (including gitlab with its own ssh). I'm using fail2ban to monitor authentication issues, and while writing this question I received an f2b message that 106.246.x.y is blocked (f2b-sshd rule). That IP is apparently from South Korea:

root@myhost:~# geoiplookup 106.246.x.y
GeoIP Country Edition: KR, Korea, Republic of

I used https://think.unblog.ch/en/geoip-firewall-configuration-on-debian-and-ubuntu as a template for setting up the geoip-based blocking. I downloaded the MaxMind GeoLite2.zip last month. I thought that both the iptables xt_geoip module and the command-line geoiplookup are using the same database, so I'm confused why it is reported as coming from a country I'm explicitly blocking.

Impetus: this server has seen on the order of 0-3 bans a day ... I'm only a few hours into today and I'm already at 78 with no recent changes to my firewall or hosting. It appears that if iptables/geoip is mis-configured, then I was lucky before and the fun is now ramping up.

Score:1

Late answer. I think it only works with a maximum of 10 countries per rule.
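An offline check added here by the editor; it is not code from the question or the answer. It reads an `iptables-save` dump and reports three things that make a geoip rule ineffective in a ruleset like the one posted above: a geoip rule whose country list exceeds a cap (the answer suggests 10; the default here is 15, the XT_GEOIP_MAX value in the xtables-addons source I have seen, and it is a parameter so you can pass your build's value), a geoip rule that sits behind an earlier ACCEPT or behind the hand-off to Docker's DOCKER chain, and a `--destination-country` match in INPUT (or `--source-country` in OUTPUT), which tests the host's own address rather than the remote peer's. The sample ruleset is constructed: it mirrors the question's rules with the FORWARD rules that Docker inserts at daemon start added in, on the assumption that those are present on the live host but not in rules.v4.

```shell
#!/bin/sh
# geoip_audit: offline audit of an iptables-save dump for xt_geoip rules.
# Editor's added example, not code from the question or the answer.
# Live use:  iptables-save | geoip_audit [max_countries]
#
# Findings are printed one per line as CHAIN:RULE_NUMBER:FINDING:DETAIL
#   TOO_MANY_COUNTRIES      country list longer than the cap given as $1
#   SHADOWED_BY_RULES       an earlier rule in the chain already ACCEPTs or
#                           jumps to Docker's DOCKER chain, so traffic it
#                           accepts never reaches the geoip rule
#   MATCHES_LOCAL_HOST_ONLY --destination-country in INPUT, or
#                           --source-country in OUTPUT, tests the host's own
#                           address, not the remote peer's
geoip_audit() {
    # Assumption: the cap is XT_GEOIP_MAX from xtables-addons (15 in the
    # source I have seen); pass your build's value as $1 to override.
    awk -v max="${1:-15}" '
    /^\*/ { table = substr($0, 2); next }             # "*filter", "*nat", ...
    table != "filter" || $1 != "-A" { next }          # only filter-table rules
    {
        chain = $2
        idx = ++n[chain]                              # same numbering as iptables --line-numbers
        opt = ""; list = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--source-country" || $i == "--destination-country") {
                opt = $i; list = $(i + 1)
            }
        }
        # remember rules that let traffic through before later rules are consulted
        if (target == "ACCEPT" || target == "DOCKER")
            passthru[chain] = passthru[chain] " " idx
        if ($0 !~ /-m geoip/) next
        cnt = split(list, cc, ",")
        if (cnt > max)
            printf "%s:%d:TOO_MANY_COUNTRIES:%d>%d\n", chain, idx, cnt, max
        if (passthru[chain] != "")
            printf "%s:%d:SHADOWED_BY_RULES:%s\n", chain, idx, passthru[chain]
        if ((chain == "INPUT"  && opt == "--destination-country") ||
            (chain == "OUTPUT" && opt == "--source-country"))
            printf "%s:%d:MATCHES_LOCAL_HOST_ONLY:%s\n", chain, idx, opt
    }'
}

# Constructed sample: the question's rules plus the FORWARD rules Docker
# inserts at the head of the chain when the daemon starts (assumed, not
# taken from the question's rules.v4). Compare with your own iptables-save.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
:LOG_DROP - [0:0]
:f2b-sshd - [0:0]
-A INPUT -m geoip --source-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN -j LOG_DROP
-A INPUT -m geoip --destination-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN -j LOG_DROP
-A INPUT -p tcp -j f2b-sshd
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -m geoip --source-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN -j LOG_DROP
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-USER -j RETURN
-A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6
-A LOG_DROP -j DROP
COMMIT'

# Stand-alone demonstration on the constructed sample with the default cap.
printf '%s\n' "$SAMPLE_RULES" | geoip_audit 15
```

On the live host run `iptables-save | geoip_audit`, because the live ruleset, not rules.v4, is what decides a packet's fate. Two of the findings apply to the ruleset in the question as posted: the `--destination-country` rules in INPUT and `--source-country` rules in OUTPUT can only ever match if the host's own address geolocates to a listed country, and a geoip rule appended to FORWARD sits behind the ACCEPT that Docker's DOCKER chain gives published ports, so container traffic (the gitlab ssh) is never checked; the place Docker reserves for such rules is the DOCKER-USER chain. Neither explains a ban on the non-Docker sshd, which is reached through INPUT where the geoip rule comes first, so for that case compare the packet counters that `iptables -L INPUT -v -n --line-numbers` shows on the geoip rule against the f2b-sshd rule, and look in `dmesg` for xt_geoip messages about the country database files.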
