
I have xt_geoip configured to block connections from various countries, but it appears that connections are still being allowed from those countries.

From my /etc/iptables/rules.v4 (reduced a little):

# Generated by iptables-save v1.6.0 on Wed Nov  2 13:24:59 2022
*mangle
:PREROUTING ACCEPT [369071910:1067035760562]
:INPUT ACCEPT [16801255:12655837207]
:FORWARD ACCEPT [352276285:1054380415082]
:OUTPUT ACCEPT [14886281:3407372471]
:POSTROUTING ACCEPT [367165573:1057787945042]
COMMIT
# Completed on Wed Nov  2 13:24:59 2022
# Generated by iptables-save v1.6.0 on Wed Nov  2 13:24:59 2022
*filter
:INPUT ACCEPT [1135:232353]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1081:206118]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:f2b-gitlab-ssh - [0:0]
:f2b-sshd - [0:0]
-N LOG_DROP
-A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6
-A LOG_DROP -j DROP
-A INPUT -m geoip --source-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
-A INPUT -m geoip --destination-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
-A INPUT -p tcp -j f2b-gitlab-ssh
-A INPUT -p tcp -j f2b-sshd
-A FORWARD -m geoip --source-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
-A FORWARD -m geoip --destination-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
-A FORWARD -p tcp -j f2b-gitlab-ssh
-A FORWARD -p tcp -j f2b-sshd
-A OUTPUT -m geoip --source-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
-A OUTPUT -m geoip --destination-country AS,AF,BR,CN,HK,IN,KP,KR,MX,PK,RU,SA,TW,VN  -j LOG_DROP
COMMIT

(I recently added the OUTPUT filters thinking that there was something else going on, but it changes nothing. Similarly, I don't think I should need both source- and destination-country for each of the three iptables chains, but ... when it didn't work as expected, I looked for other angles.)

On this system, I have a local non-docker ssh, and docker hosting several services (including gitlab with its own ssh). I'm using fail2ban to monitor authentication issues, and while writing this question I received an f2b message that 106.246.x.y is blocked (f2b-sshd rule). That IP is apparently from South Korea:

root@myhost:~# geoiplookup 106.246.x.y
GeoIP Country Edition: KR, Korea, Republic of

I used https://think.unblog.ch/en/geoip-firewall-configuration-on-debian-and-ubuntu as a template for setting up the geoip-based blocking. I downloaded the MaxMind GeoLite2.zip last month. I thought that both the iptables xt_geoip module and the command-line geoiplookup are using the same database, so I'm confused why it is reported as coming from a country I'm explicitly blocking.

Impetus: this server has seen on the order of 0-3 bans a day ... I'm only a few hours into today and I'm already at 78 with no recent changes to my firewall or hosting. It appears that if iptables/geoip is mis-configured, then I was lucky before and the fun is now ramping up.

r2evans

1 Answer

Late answer. I think it only works with max 10 countries per rule.

Oliver Gaida