Hello,

I successfully set up Geo IP Matching according to "shorewall capabilities" on a firewall upgraded to Ubuntu Bionic 18.04 with xtables-addons.

The country database download script and build script were updated from https://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/geoip/ to be compatible with the MaxMind GeoLite2 database. The converted databases are available in /usr/share/xt_geoip/LE/*.(iv4|iv6).

So I've configured something like this via Shorewall rules:

    DROP:info     net:!^[DE,CH]   $FW   tcp   ssh
    ACCEPT:info   net:^[DE,CH]    $FW   tcp   ssh   -   -   3/min

"shorewall check" and restart are of course working; "shorewall show nat-fw" shows:

    Chain net-fw (1 references)
     pkts bytes target  prot opt in  out  source     destination
    [...]
        0     0 ~log0   tcp  --  *   *    0.0.0.0/0  0.0.0.0/0   [goto]  tcp dpt:22 -m geoip ! --source-country DE,CH
       33  1960 ~log1   tcp  --  *   *    0.0.0.0/0  0.0.0.0/0   [goto]  tcp dpt:22 limit: avg 3/min burst 5 -m geoip --source-country DE,CH

But iptables happily accepts also incoming connections from CN, EE, RU, US etc.:

    Feb 14 17:19:35 [607396.436896] Shorewall:net-fw:DROP:IN=eno2 OUT= MAC=ac:1f:6b:6b:20:4d:d0:07:ca:0d:db:07:08:00 SRC=122.226.181.166 DST=MY.IP.IN.DE LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=11835 DF PROTO=TCP SPT=41728 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
    Feb 14 17:19:37 [607398.475675] Shorewall:net-fw:DROP:IN=eno2 OUT= MAC=ac:1f:6b:6b:20:4d:d0:07:ca:0d:db:07:08:00 SRC=122.226.181.166 DST=MY.IP.IN.DE LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=36972 DF PROTO=TCP SPT=49156 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
    Feb 14 17:19:38 [607399.473079] Shorewall:net-fw:DROP:IN=eno2 OUT= MAC=ac:1f:6b:6b:20:4d:d0:07:ca:0d:db:07:08:00 SRC=122.226.181.166 DST=MY.IP.IN.DE LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=36973 DF PROTO=TCP SPT=49156 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
    Feb 14 17:19:40 [607401.477175] Shorewall:net-fw:DROP:IN=eno2 OUT= MAC=ac:1f:6b:6b:20:4d:d0:07:ca:0d:db:07:08:00 SRC=122.226.181.166 DST=MY.IP.IN.DE LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=36974 DF PROTO=TCP SPT=49156 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
    Feb 14 17:19:42 [607403.461517] Shorewall:net-fw:ACCEPT:IN=eno2 OUT= MAC=ac:1f:6b:6b:20:4d:d0:07:ca:0d:db:07:08:00 SRC=122.226.181.166 DST=MY.IP.IN.DE LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=47788 DF PROTO=TCP SPT=56468 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

    root@firewall:~# geoiplookup 122.226.181.166
    GeoIP Country Edition: CN, China

Kernel: 4.15.0-45-generic #48-Ubuntu
xtables-addons-dkms: Installed: 3.0-0.1ubuntu1

Any hint to get that working again?

-- 
Ralf Schenk
fon +49 (0) 24 05 / 40 83 70
fax +49 (0) 24 05 / 40 83 759
mail r...@databay.de

Databay AG
Jens-Otto-Krag-Straße 11
D-52146 Würselen
www.databay.de

Sitz/Amtsgericht Aachen • HRB:8437 • USt-IdNr.: DE 210844202
Vorstand: Ralf Schenk, Dipl.-Ing. Jens Conze, Aresch Yavari, Dipl.-Kfm. Philipp Hermanns
Aufsichtsratsvorsitzender: Wilhelm Dohmen

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
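Since the open question is whether the converted database really places 122.226.181.166 outside DE/CH, here is an added diagnostic (not from the mail above and not xtables-addons code) that decodes an .iv4 file and checks an address against it the way the kernel match does. It assumes the .iv4 layout is a flat sequence of 32-bit (first, last) range pairs, big-endian in the xtables-addons 3.x flat files and little-endian in the older LE/ directory; the DE ranges used below are constructed test data, not real allocations.

```python
import ipaddress
import struct


def parse_iv4(blob, little_endian=False):
    """Decode an xt_geoip .iv4 blob into a sorted list of (first, last) pairs.

    Assumed layout: consecutive 32-bit (first, last) IPv4 range pairs,
    big-endian in the 3.x flat files, little-endian in the older LE/ files.
    """
    if len(blob) % 8:
        raise ValueError("iv4 data length is not a multiple of 8 bytes")
    fmt = "<II" if little_endian else ">II"
    ranges = [struct.unpack_from(fmt, blob, off) for off in range(0, len(blob), 8)]
    if any(first > last for first, last in ranges):
        # A range that ends before it starts means the file is corrupt or was
        # decoded with the wrong byte order.
        raise ValueError("found a range with first > last; wrong endianness?")
    return sorted(ranges)


def ip_in_ranges(ip, ranges):
    """Binary search over the sorted ranges, as the xt_geoip module does."""
    n = int(ipaddress.IPv4Address(ip))
    lo, hi = 0, len(ranges) - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        first, last = ranges[mid]
        if n < first:
            hi = mid - 1
        elif n > last:
            lo = mid + 1
        else:
            return True
    return False


def build_iv4(cidrs, little_endian=False):
    """Encode CIDR blocks as .iv4 bytes; used here only to construct test data."""
    fmt = "<II" if little_endian else ">II"
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    return b"".join(struct.pack(fmt, int(n[0]), int(n[-1])) for n in nets)


# Constructed sample standing in for DE.iv4 (documentation prefixes, not real DE space).
SAMPLE_DE = build_iv4(["192.0.2.0/24", "198.51.100.0/24"])
```

To check a real database, pass the bytes of /usr/share/xt_geoip/DE.iv4 (or of the LE/DE.iv4 file with little_endian=True) to parse_iv4 and test the logged SRC address plus a known German address against the result.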