* xtables-addons GEOIP not matching chain
@ 2019-10-14 20:32 Marco Sommella
  0 siblings, 0 replies; only message in thread
From: Marco Sommella @ 2019-10-14 20:32 UTC (permalink / raw)
  To: netfilter-devel

Hi all,
My name is Marco. I'm writing here because this page:
https://sourceforge.net/projects/xtables-addons/support says that this
is the best place to get help. I have a strange issue with
xtables-addons, in particular with the xt_geoip module; please correct
me if I'm in the wrong place.

I'm using Ubuntu 18.04.3 LTS x64 (kernel 4.15.0-1051) with all packages updated.

I installed the following packages: xtables-addons-common pkg-config
xtables-addons-source libnet-cidr-lite-perl libtext-csv-xs-perl

and compiled xtables-addons-3.5 (latest version).

The process for generating the GeoIP database with xt_geoip_dl and
xt_geoip_build works, and I can see the xt_geoip module loaded in the
kernel (lsmod) and geoip loaded in iptables (cat
/proc/net/ip_tables_matches).

My iptables configuration is simple: it's meant to LOG and DROP all
connection attempts from countries that are not whitelisted.
Specifically:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3607180:3023592144]
:GEOIP - [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 10.0.0.0/8 -j ACCEPT
-A INPUT -d 172.16.0.0/12 -j ACCEPT
-A INPUT -d 192.168.0.0/16 -j ACCEPT
-A INPUT -i eth0 -m geoip ! --source-country IT,IE,GB  -j GEOIP
-A OUTPUT -o lo -j ACCEPT
-A GEOIP -m limit --limit 2/min -j LOG --log-prefix "GEOIP-Dropped: "
-A GEOIP -j DROP
COMMIT

The problem is that the GEOIP chain never gets a hit; in fact the
packet count is zero:
# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
4884K 3949M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
30094 2417K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.0/8
   41 23221 ACCEPT     all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 GEOIP      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            -m geoip ! --source-country IT,IE,GB

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3609K packets, 3025M bytes)
 pkts bytes target     prot opt in     out     source               destination
 517K  810M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain GEOIP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 4 prefix "GEOIP-Dropped: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

If I try to connect from an IP in another country, the connection is not dropped.

Before the latest kernel upgrade I was running version 4.15.0-1043 with
xtables-addons 3.3 compiled, and the whole GEOIP process was working
smoothly.

The only strange thing is that I saw the following in /var/log/kern.log:
xt_geoip: loading out-of-tree module taints kernel.
xt_geoip: module verification failed: signature and/or required key
missing - tainting kernel

As the kernel module is loaded, this seems to be only a warning.

Can someone please help me with this?
Thanks a lot
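Two things a practitioner would want to check before trusting a ruleset like the one above. First, it fails open: the INPUT policy is ACCEPT, so when the geoip match silently never fires, nothing from other countries is dropped, and the zero counters are the only sign. Second, a zero counter on a rule with "! --source-country" means either that no packet reached the rule or that every packet that did came from one of the listed countries, and the ruleset as posted cannot tell those two cases apart. The script below is an added example, not code from the original post or from xtables-addons. It pulls the geoip rules out of iptables-save and checks the things that can make such a rule dead without any error at insert time: the -i interface name existing on the host, a non-empty database file for every listed country, and a single copy of libxt_geoip.so on the library path. It assumes the default xt_geoip_build directory /usr/share/xt_geoip with the 3.x naming of one <CC>.iv4 file per country, and the three candidate library directories listed at its top; both are assumptions to adjust to your install.

```shell
#!/bin/sh
# geoip_check.sh: sanity checks for an xtables-addons geoip rule whose chain never
# gets a hit. Added example; not code from the original post or from xtables-addons.
# Assumptions (verify against your install): xt_geoip_build writes one file per
# country as <CC>.iv4 / <CC>.iv6 under /usr/share/xt_geoip, and iptables loads
# libxt_geoip.so from one of XTABLES_LIBDIRS (the XTABLES_LIBDIR env var overrides it).
#
# Usage: sh geoip_check.sh check        (needs root and iptables)

GEOIP_DB=${GEOIP_DB:-/usr/share/xt_geoip}
XTABLES_LIBDIRS="/usr/lib/x86_64-linux-gnu/xtables /usr/lib/xtables /usr/local/lib/xtables"

# Print the interface given with -i in one iptables-save style rule (empty if none).
rule_iface() {
    printf '%s\n' "$1" | sed -n 's/.* -i \([^ ]*\).*/\1/p'
}

# Print the comma-separated country list of the geoip match in one rule
# (--source-country, --destination-country, --src-cc or --dst-cc).
rule_countries() {
    printf '%s\n' "$1" | sed -n 's/.*--[a-z]*-c[a-z]* \([^ ]*\).*/\1/p'
}

# Succeed if the geoip match is negated ("! --source-country ...").
rule_negated() {
    printf '%s\n' "$1" | grep -q -e '! --[a-z]*-c[a-z]* '
}

# Succeed if interface $1 appears in the whitespace-separated list $2.
iface_exists() {
    for i in $2; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# Print each country from the comma list $2 that has no non-empty <CC>.iv4 in dir $1.
missing_countries() {
    for cc in $(printf '%s\n' "$2" | tr ',' ' '); do
        [ -s "$1/$cc.iv4" ] || printf '%s\n' "$cc"
    done
}

# Print every libxt_geoip.so found in XTABLES_LIBDIRS; more than one line means a
# packaged copy and a self-built copy coexist and iptables may be loading the other one.
geoip_libs() {
    for d in $XTABLES_LIBDIRS; do
        [ -f "$d/libxt_geoip.so" ] && printf '%s\n' "$d/libxt_geoip.so"
    done
    return 0
}

# Run all checks against the live ruleset (read-only: nothing is inserted or changed).
main() {
    ifaces=$(ls /sys/class/net)
    iptables-save | grep -e '-m geoip' | while IFS= read -r rule; do
        printf 'rule: %s\n' "$rule"
        iface=$(rule_iface "$rule")
        if [ -n "$iface" ] && ! iface_exists "$iface" "$ifaces"; then
            printf '  no interface named %s on this host (have: %s)\n' "$iface" "$(echo $ifaces)"
        fi
        for cc in $(missing_countries "$GEOIP_DB" "$(rule_countries "$rule")"); do
            printf '  missing or empty database file: %s/%s.iv4\n' "$GEOIP_DB" "$cc"
        done
        if rule_negated "$rule"; then
            printf '  negated match: a zero counter means no packet from outside the listed countries reached this rule\n'
        fi
    done
    printf 'userspace geoip modules found:\n'
    geoip_libs | sed 's/^/  /'
    if [ "$(geoip_libs | wc -l)" -gt 1 ]; then
        printf '  more than one copy: check which one iptables loads (XTABLES_LIBDIR, strace -e openat iptables ...)\n'
    fi
    printf 'if nothing above is wrong, insert a counting-only rule in front of the geoip rule,\n'
    printf 'e.g. "iptables -I INPUT <n> -i eth0", and watch its counter to see whether packets reach that point.\n'
}

if [ "${1:-}" = check ]; then
    main
fi
```

Run it as root with "sh geoip_check.sh check". The check functions are kept separate from main so they can also be exercised on a saved iptables-save dump without touching the firewall. If every check passes, the counting-only rule suggested at the end is the quickest way to learn whether packets arriving on eth0 reach the geoip rule at all, which is the question the zero counters on the negated rule leave open.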
