On 2/14/19 8:45 AM, Ralf Schenk wrote:
> Hello,
>
> I successfully set up Geo IP Matching according to "shorewall
> capabilities" on a firewall upgraded to Ubuntu Bionic 18.04 with
> xtables-addons.
>
> The country database download script and build script are updated from
> https://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/geoip/
> to be compatible with the Maxmind GeoLite2 database. Converted databases are
> available in /usr/share/xt_geoip/LE/*.(iv4|iv6)
>
> So I've configured something like this via shorewall rules:
>
> DROP:info    net:!^[DE,CH]  $FW  tcp  ssh
> ACCEPT:info  net:^[DE,CH]   $FW  tcp  ssh  -  -  3/min
>
> shorewall check and restart of course are working; shorewall show net-fw
> shows:
>
> Chain net-fw (1 references)
>  pkts bytes target  prot opt in  out  source     destination
> [...]
>     0     0 ~log0   tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  [goto] tcp dpt:22 -m geoip ! --source-country DE,CH
>    33  1960 ~log1   tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  [goto] tcp dpt:22 limit: avg 3/min burst 5 -m geoip --source-country DE,CH
>
> But iptables happily accepts also incoming connections from CN, EE, RU
> and US etc.
>
> Feb 14 17:19:35 [607396.436896] Shorewall:net-fw:DROP:IN=eno2 OUT= MAC=ac:1f:6b:6b:20:4d:d0:07:ca:0d:db:07:08:00 SRC=122.226.181.166 DST=MY.IP.IN.DE LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=11835 DF PROTO=TCP SPT=41728 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
> Feb 14 17:19:37 [607398.475675] Shorewall:net-fw:DROP:IN=eno2 OUT= MAC=ac:1f:6b:6b:20:4d:d0:07:ca:0d:db:07:08:00 SRC=122.226.181.166 DST=MY.IP.IN.DE LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=36972 DF PROTO=TCP SPT=49156 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
> Feb 14 17:19:38 [607399.473079] Shorewall:net-fw:DROP:IN=eno2 OUT= MAC=ac:1f:6b:6b:20:4d:d0:07:ca:0d:db:07:08:00 SRC=122.226.181.166 DST=MY.IP.IN.DE LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=36973 DF PROTO=TCP SPT=49156 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
> Feb 14 17:19:40 [607401.477175] Shorewall:net-fw:DROP:IN=eno2 OUT= MAC=ac:1f:6b:6b:20:4d:d0:07:ca:0d:db:07:08:00 SRC=122.226.181.166 DST=MY.IP.IN.DE LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=36974 DF PROTO=TCP SPT=49156 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
> Feb 14 17:19:42 [607403.461517] Shorewall:net-fw:ACCEPT:IN=eno2 OUT= MAC=ac:1f:6b:6b:20:4d:d0:07:ca:0d:db:07:08:00 SRC=122.226.181.166 DST=MY.IP.IN.DE LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=47788 DF PROTO=TCP SPT=56468 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
>
> root@firewall:~# geoiplookup 122.226.181.166
> GeoIP Country Edition: CN, China
>
> Kernel: 4.15.0-45-generic #48-Ubuntu
>
> xtables-addons-dkms:
>   Installed: 3.0-0.1ubuntu1
>
> Any hint on how to get that working again?
>
Please send me (privately) a full 'shorewall dump' that illustrates the problem.

Thanks,
-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
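Added example (not part of either message above, and not code from Shorewall or xtables-addons): a small Python checker for the converted xt_geoip databases that the first message puts in /usr/share/xt_geoip/LE/. It assumes the .iv4 record layout stated in its docstring (pairs of 32-bit start/end addresses, in the byte order of the LE or BE directory); the sample ranges are constructed from documentation prefixes and are not real DE or CH allocations. It decodes a table, sanity-checks it, and applies the same `! --source-country DE,CH` decision as the two rules in the thread.

```python
"""Added example (not from the Shorewall thread or the xtables-addons project):
read an xt_geoip .iv4 country database and check which addresses it covers.

Assumptions, labelled here because the thread does not spell them out:
  * an .iv4 file is a flat array of records, each two unsigned 32-bit IPv4
    addresses (inclusive start, inclusive end), sorted by start address;
  * files under .../LE/ are little-endian and files under .../BE/ are
    big-endian (struct format '<' and '>' respectively).
The sample ranges below are constructed from RFC 5737 documentation prefixes
and are not real DE/CH allocations.
"""
import ipaddress
import struct
from pathlib import Path
from typing import Dict, List, Sequence, Tuple

Range = Tuple[int, int]


def ipv4(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def parse_iv4(data: bytes, endian: str = "<") -> List[Range]:
    """Decode raw file bytes into (start, end) integer pairs."""
    if len(data) % 8:
        raise ValueError(f"truncated .iv4: {len(data)} bytes is not a multiple of 8")
    fmt = endian + "II"
    return [struct.unpack_from(fmt, data, off) for off in range(0, len(data), 8)]


def load_iv4(path: str, endian: str = "<") -> List[Range]:
    """Read a database file from disk, e.g. /usr/share/xt_geoip/LE/DE.iv4."""
    return parse_iv4(Path(path).read_bytes(), endian)


def check_ranges(ranges: Sequence[Range]) -> List[str]:
    """Sanity-check a decoded table.  A file read with the wrong byte order,
    or written by a broken conversion script, usually shows up here as
    start > end or as records that are not sorted / overlap."""
    problems = []
    prev_end = -1
    for i, (start, end) in enumerate(ranges):
        if start > end:
            problems.append(f"record {i}: start {ipv4(start)} > end {ipv4(end)}")
        if start <= prev_end:
            problems.append(f"record {i}: {ipv4(start)} not after previous end {ipv4(prev_end)}")
        prev_end = max(prev_end, end)
    return problems


def lookup(ranges: Sequence[Range], ip: str) -> bool:
    """Binary search over the sorted table (the kernel match also searches a
    sorted table, so a table that is not sorted gives wrong answers there too)."""
    n = int(ipaddress.IPv4Address(ip))
    lo, hi = 0, len(ranges) - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        start, end = ranges[mid]
        if n < start:
            hi = mid - 1
        elif n > end:
            lo = mid + 1
        else:
            return True
    return False


def rule_decision(ip: str, dbs: Dict[str, Sequence[Range]],
                  countries: Sequence[str] = ("DE", "CH")) -> str:
    """Mirror the two rules from the thread: DROP unless the source address is
    in one of the listed country tables, ACCEPT if it is."""
    return "ACCEPT" if any(lookup(dbs[cc], ip) for cc in countries) else "DROP"


def build_iv4(ranges: Sequence[Tuple[str, str]], endian: str = "<") -> bytes:
    """Pack dotted-quad (start, end) pairs into the on-disk format (helper for
    building the constructed sample below)."""
    out = bytearray()
    for start, end in ranges:
        out += struct.pack(endian + "II",
                           int(ipaddress.IPv4Address(start)),
                           int(ipaddress.IPv4Address(end)))
    return bytes(out)


# Constructed sample tables (documentation prefixes, not real allocations).
CONSTRUCTED_RANGES = {
    "DE": [("192.0.2.0", "192.0.2.255"), ("198.51.100.0", "198.51.100.127")],
    "CH": [("203.0.113.0", "203.0.113.63")],
}
SAMPLE_DE_LE = build_iv4(CONSTRUCTED_RANGES["DE"], "<")
SAMPLE_DBS = {cc: parse_iv4(build_iv4(r, "<"), "<") for cc, r in CONSTRUCTED_RANGES.items()}

if __name__ == "__main__":
    # Reading an LE file as big-endian yields a table that fails the sanity check.
    print("LE read as LE :", check_ranges(parse_iv4(SAMPLE_DE_LE, "<")) or "ok")
    print("LE read as BE :", check_ranges(parse_iv4(SAMPLE_DE_LE, ">")))
    for src in ("192.0.2.10", "122.226.181.166"):
        print(src, "->", rule_decision(src, SAMPLE_DBS))
```

On a firewall like the one in the thread, one would load the real DE.iv4 and CH.iv4 with load_iv4, run check_ranges on each, and call lookup with 122.226.181.166. A table that fails the check, or one that returns True for an address geoiplookup places in CN, points at the converted database rather than at the Shorewall rules; a table that passes and returns False narrows the problem to how the module loads it.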