Hi Folks

I am trying to get geoip match running on my very reliable firewall.

Shorewall 5.2.3.3 Dump at gatekeeper - Tue Mar 10 02:07:17 UTC 2020

Shorewall is running
State:Started Tue Mar 10 02:06:37 UTC 2020 from /etc/shorewall/
(/var/lib/shorewall/firewall compile

Counters reset Tue Mar 10 02:06:37 UTC 2020

I can log in to the firewall from the net using ssh just fine; here are
the excerpts of the rules file:

#      Accept SSH connections from the local network for administration
#
#SSH(DROP)    net:^CN         all
SSH(ACCEPT)   loc         fw
SSH(ACCEPT)   net         fw

Now if I uncomment the first of the three SSH rules I am blocked.
This is the DROP line from the shorewall dump with the statement enabled:

   33  1380 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0            tcp dpt:22 -m geoip --source-country CN  /* SSH */

Obviously I am not home else all this would be pointless. My current IP
address is 92.144.119.39 and the shorewall log shows the following:

Mar 10 00:49:55 gatekeeper Shorewall:net-fw:DROP: IN=eth0 OUT=
MAC=00:0d:b9:1c:ce:dc:00:17:10:99:a7:43:08:00 SRC=92.144.119.39
DST=80.219.225.247 LEN=40 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP
SPT=49158 DPT=993 SEQ=3841251305 ACK=0 WINDOW=0 RST URGP=0 MARK=0
Mar 10 00:50:02 gatekeeper Shorewall:net-fw:DROP: IN=eth0 OUT=
MAC=00:0d:b9:1c:ce:dc:00:17:10:99:a7:43:08:00 SRC=92.144.119.39
DST=80.219.225.247 LEN=40 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP
SPT=49159 DPT=993 SEQ=1536968444 ACK=0 WINDOW=0 RST URGP=0 MARK=0

As would be expected from the firewall settings.

The geoip modules appear to be loaded into the kernel:

gatekeeper# lsmod | grep geoip
xt_geoip 16384 0 - Live 0xc0ab2000 (O)
x_tables 20480 25
xt_geoip,xt_iface,xt_tcpmss,xt_nat,xt_recent,xt_comment,ipt_REJECT,xt_addrtype,xt_mark,iptable_mangle,xt_TCPMSS,xt_tcpudp,xt_CT,iptable_raw,xt_multiport,xt_NFLOG,xt_LOG,iptable_filter,xt_ipp2p,xt_state,xt_helper,xt_conntrack,xt_REDIRECT,ipt_MASQUERADE,ip_tables,
Live 0xc08dc000

gatekeeper# ls -lR xt_geoip
xt_geoip:
drwxr-xr-x    2 root     root            40 Jun  9  2019 BE
drwxr-xr-x    2 root     root            80 Mar  7 22:47 LE

xt_geoip/BE:

xt_geoip/LE:
-rw-r--r--    1 root     root         33664 Mar  7 22:47 CN.iv4
-rw-r--r--    1 root     root        179848 Mar  7 22:47 US.iv4
gatekeeper#

I have the files for US and China in the LE folder, and shorewall appears
to be happy:

gatekeeper# shorewall show capabilities | grep GEO
   Geo IP Match (GEOIP_MATCH): Available

Now I must be missing something, but what?

Thanks

Erich
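One way to check what a CN.iv4 file actually contains for the source address seen in the log, as an added example that is not part of the original post, of Shorewall or of xtables-addons: it assumes the xtables-addons 2.x database layout (a flat array of inclusive begin/end 32-bit pairs sorted by begin, little-endian under LE/ and big-endian under BE/) and uses constructed sample ranges rather than a real country database.

```python
import bisect
import ipaddress
import struct
import sys

# Assumed layout (xtables-addons 2.x xt_geoip_build): each .iv4 file is a flat
# array of (begin, end) IPv4 pairs, inclusive, sorted by begin.
# Files under LE/ are little-endian, files under BE/ are big-endian.
RECORD_LE = struct.Struct("<II")
RECORD_BE = struct.Struct(">II")


def parse_iv4(data: bytes, big_endian: bool = False) -> list:
    """Decode an .iv4 blob into [(begin, end), ...] and sanity-check it."""
    rec = RECORD_BE if big_endian else RECORD_LE
    if len(data) % rec.size:
        raise ValueError(f"length {len(data)} is not a multiple of {rec.size}")
    ranges = [rec.unpack_from(data, off) for off in range(0, len(data), rec.size)]
    for i, (begin, end) in enumerate(ranges):
        if begin > end:
            raise ValueError(f"record {i}: begin > end (corrupt file or wrong byte order)")
        if i and ranges[i - 1][1] >= begin:
            raise ValueError(f"record {i}: ranges unsorted or overlapping")
    return ranges


def ip_in_ranges(ranges: list, ip: str) -> bool:
    """Binary-search the sorted ranges for a dotted-quad address."""
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right([begin for begin, _ in ranges], n) - 1
    return i >= 0 and ranges[i][0] <= n <= ranges[i][1]


def build_iv4(cidrs: list, big_endian: bool = False) -> bytes:
    """Constructed test data: pack CIDR blocks in the assumed .iv4 layout."""
    rec = RECORD_BE if big_endian else RECORD_LE
    nets = sorted(ipaddress.IPv4Network(c) for c in cidrs)
    return b"".join(rec.pack(int(n.network_address), int(n.broadcast_address)) for n in nets)


# Constructed sample; these are NOT real CN ranges.
SAMPLE_CN_IV4 = build_iv4(["1.0.1.0/24", "1.0.2.0/23", "203.0.113.0/24"])

if __name__ == "__main__":
    # Usage: python3 check_iv4.py /usr/share/xt_geoip/LE/CN.iv4 92.144.119.39
    path, ip = sys.argv[1], sys.argv[2]
    with open(path, "rb") as fh:
        db = parse_iv4(fh.read(), big_endian="/BE/" in path)
    print(f"{ip} in {path} ({len(db)} ranges): {ip_in_ranges(db, ip)}")
```

If the logged source address is not inside any range of the file the module loaded, the drop is not explained by the database contents and the match itself (module version, file location, byte order) is the next thing to look at.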


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users