friendly-bits / geoip-shell

Powerful and user-friendly geoblocker for Linux
GNU General Public License v3.0

Ubuntu - iptable #3

Closed wouam31200 closed 8 months ago

wouam31200 commented 8 months ago

Hi, yesterday I installed it to test on a VPS under Ubuntu.

You did a great job!

This morning I wanted to check if the cron went well and I got this error:

cat /var/log/syslog | grep geoip-shell
Mar  7 04:15:01 ivozprovider CRON[346770]: (root) CMD ("/usr/bin/geoip-shell-run.sh" update -a 1>/dev/null 2>/dev/null # geoip-shell-autoupdate)
Mar  7 04:15:01 ivozprovider geoip-shell-run.sh: Error: neither nftables nor iptables found.

Thanks again for your work!!

geoip-shell status -v

Geoip blocking status report:

Geoip blocking mode: whitelist
Ip lists source: ripe
Country codes in the whitelist: FR BE IT ES ✔
IP families in firewall rules: ipv4 ipv6 ✔
Geoip rules applied to network interfaces: ens3

Protocols:
tcp: Geoip applied to all ports
udp: Geoip applied to all ports

Geoip firewall chain (ipv4): enabled ✔
Whitelist blocking rule (ipv4): ✔

Firewall rules in the GEOIP-SHELL chain (ipv4):
--------------------------------------------------------------------------------------------------------------------------------------------------------------
 pkts bytes target     prot opt in     out     source               destination
--------------------------------------------------------------------------------------------------------------------------------------------------------------
24677   58M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* geoip-shell_aux_rel-est */
 7634  246K ACCEPT     all  --  any    any     anywhere             anywhere             match-set geoip-shell_FR_ipv4 src /* geoip-shell_FR_ipv4 */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             match-set geoip-shell_BE_ipv4 src /* geoip-shell_BE_ipv4 */
    5   252 ACCEPT     all  --  any    any     anywhere             anywhere             match-set geoip-shell_IT_ipv4 src /* geoip-shell_IT_ipv4 */
    5   264 ACCEPT     all  --  any    any     anywhere             anywhere             match-set geoip-shell_ES_ipv4 src /* geoip-shell_ES_ipv4 */
23207 1141K DROP       all  --  any    any     anywhere             anywhere             /* geoip-shell_whitelist_block */

Geoip firewall chain (ipv6): enabled ✔
Whitelist blocking rule (ipv6): ✔

Firewall rules in the GEOIP-SHELL chain (ipv6):
--------------------------------------------------------------------------------------------------------------------------------------------------------------
 pkts bytes target     prot opt in     out     source               destination
--------------------------------------------------------------------------------------------------------------------------------------------------------------
    0     0 ACCEPT     all      any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* geoip-shell_aux_rel-est */
   44  2816 ACCEPT     all      any    any     anywhere             anywhere             match-set geoip-shell_FR_ipv6 src /* geoip-shell_FR_ipv6 */
    0     0 ACCEPT     all      any    any     anywhere             anywhere             match-set geoip-shell_BE_ipv6 src /* geoip-shell_BE_ipv6 */
    0     0 ACCEPT     all      any    any     anywhere             anywhere             match-set geoip-shell_IT_ipv6 src /* geoip-shell_IT_ipv6 */
    0     0 ACCEPT     all      any    any     anywhere             anywhere             match-set geoip-shell_ES_ipv6 src /* geoip-shell_ES_ipv6 */
  456 32568 DROP       all      any    any     anywhere             anywhere             /* geoip-shell_whitelist_block */

Ip ranges count in active geoip sets:
FR: ipv4 - 4490, ipv6 - 1379
BE: ipv4 - 938, ipv6 - 327
IT: ipv4 - 3468, ipv6 - 1042
ES: ipv4 - 3626, ipv6 - 959

Total number of ip ranges: 16229

Cron system service: ✔
Autoupdate cron job: ✔
Autoupdate schedule: '15 4 * * *'
Persistence cron job: ✔

No problems detected.

iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-nginx-404  all  --  anywhere             anywhere
f2b-nginx-dos  all  --  anywhere             anywhere
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
f2b-freeswitch-ip  all  --  anywhere             anywhere
f2b-sshd   all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere             tcp dpt:5080 STRING match  "VaxIPUserAgent" ALGO name bm TO 65535
DROP       udp  --  anywhere             anywhere             udp dpt:5080 STRING match  "VaxSIPUserAgent" ALGO name bm TO 65535
DROP       udp  --  anywhere             anywhere             udp dpt:sip STRING match  "VaxIPUserAgent" ALGO name bm TO 65535
DROP       tcp  --  anywhere             anywhere             tcp dpt:sip STRING match  "VaxSIPUserAgent" ALGO name bm TO 65535
DROP       udp  --  anywhere             anywhere             udp dpt:5080 STRING match  "friendly-scanner" ALGO name bm TO 65535
DROP       udp  --  anywhere             anywhere             udp dpt:sip STRING match  "friendly-scanner" ALGO name bm TO 65535
DROP       tcp  --  anywhere             anywhere             tcp dpt:5080 STRING match  "friendly-scanner" ALGO name bm TO 65535
DROP       tcp  --  anywhere             anywhere             tcp dpt:sip STRING match  "friendly-scanner" ALGO name bm TO 65535
f2b-freeswitch-ip  all  --  anywhere             anywhere
f2b-sshd   all  --  anywhere             anywhere
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
sip-auth-fail  all  --  anywhere             anywhere
sip-auth-ip  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "sipcli/" ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "sipcli/" ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "pplsip" ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "pplsip" ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "exec." ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "exec." ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "system " ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "system " ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:sip:5091
ACCEPT     udp  --  anywhere             anywhere             udp dpts:sip:5091
ACCEPT     udp  --  anywhere             anywhere             udp dpts:16384:32768
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-freeswitch-ip (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain f2b-nginx-404 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain f2b-nginx-dos (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain f2b-sshd (4 references)
target     prot opt source               destination

Chain sip-auth-fail (1 references)
target     prot opt source               destination

Chain sip-auth-ip (1 references)
target     prot opt source               destination

friendly-bits commented 8 months ago

Hi, thanks for reporting. A new version fixing the issue will be available shortly.

friendly-bits commented 8 months ago

v0.2.7 should fix this issue (please confirm), along with a few additional bugs.

friendly-bits commented 8 months ago

BTW the command iptables -L shows you the default table which is called filter. geoip-shell uses an "earlier" table called mangle. To see the rules in iptables directly (which will also display an additional chain used to select the traffic from your network interface ens3), use the command iptables -L -t mangle. If you want to see network interfaces the rules apply to, use iptables -vL -t mangle. For ipv6 rules, use the same commands, except replace iptables with ip6tables.
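The mangle-table inspection described in the comment above can be turned into a repeatable check. The following is an added shell example, not code from geoip-shell or its author: it parses `iptables -vL -t mangle` output and verifies that the GEOIP-SHELL chain carries an ACCEPT rule for every whitelisted country set and ends with the whitelist DROP rule. The chain name is taken from the status report in this issue; the PREROUTING jump on ens3 and the counters in the constructed sample are assumptions.

```shell
# Added example, not part of geoip-shell. Checks the GEOIP-SHELL chain in
# `iptables -vL -t mangle` output: one ACCEPT per whitelisted set, final
# whitelist DROP. Usage: iptables -vL -t mangle | geoip_chain_check "FR BE" ipv4
geoip_chain_check() {
    awk -v codes="$1" -v fam="${2:-ipv4}" '
        /^Chain GEOIP-SHELL / { inchain = 1; found = 1; next }  # chain header (name from status report)
        inchain && /^ *pkts/  { next }                           # column header line
        inchain && /^$/       { inchain = 0; next }              # blank line ends the chain
        inchain {
            n = split(codes, c, " ")
            for (i = 1; i <= n; i++) {
                set = "geoip-shell_" c[i] "_" fam
                if ($3 == "ACCEPT" && index($0, "match-set " set " src")) {
                    hits[set] = $1; seen[set] = 1             # $1 is the pkts counter
                }
            }
            last = $0                                         # remember final rule of the chain
        }
        END {
            if (!found) { print "GEOIP-SHELL chain not found"; exit 1 }
            rc = 0
            n = split(codes, c, " ")
            for (i = 1; i <= n; i++) {
                set = "geoip-shell_" c[i] "_" fam
                if (seen[set]) printf "%s: %s pkts\n", set, hits[set]
                else { printf "%s: MISSING\n", set; rc = 1 }
            }
            if (last ~ /DROP/ && last ~ /geoip-shell_whitelist_block/) print "final whitelist DROP: ok"
            else { print "final whitelist DROP: MISSING"; rc = 1 }
            exit rc
        }'
}
# Constructed sample modelled on the status report in this issue (counters are
# illustrative; the PREROUTING jump on ens3 is an assumed layout).
sample_mangle_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
55523   60M GEOIP-SHELL  all  --  ens3   any     anywhere             anywhere

Chain GEOIP-SHELL (1 references)
 pkts bytes target     prot opt in     out     source               destination
24677   58M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* geoip-shell_aux_rel-est */
 7634  246K ACCEPT     all  --  any    any     anywhere             anywhere             match-set geoip-shell_FR_ipv4 src /* geoip-shell_FR_ipv4 */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             match-set geoip-shell_BE_ipv4 src /* geoip-shell_BE_ipv4 */
23207 1141K DROP       all  --  any    any     anywhere             anywhere             /* geoip-shell_whitelist_block */
EOF
}
sample_mangle_listing | geoip_chain_check "FR BE" ipv4
```

A set listed in the whitelist but absent from the chain, or a chain that does not end in the whitelist DROP, makes the function exit non-zero, so it can be wired into a monitoring job alongside `geoip-shell status`.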

wouam31200 commented 8 months ago

Hi, I just removed v0.2.6 and installed v0.2.7. Everything went well; I'm waiting until tonight to see if the cron is working correctly.

Thank you so much

friendly-bits commented 8 months ago

Perfect, please let me know. Also if you want to test right away, you can temporarily set the update schedule to `* * * * *`, which will run an update every minute. The command is `geoip-shell schedule -s "* * * * *"`. You can later change the schedule back to default with this command: `geoip-shell schedule -s "15 4 * * *"`. RIPE updates ip lists once a day and geoip-shell will not download and apply an ip list until it's actually updated, so till the next update on the server, you should see log messages like this:

geoip-shell-run.sh: Starting action 'update'.
geoip-shell-fetch.sh: Ip lists '...' are already up-to-date with the RIPE server.
geoip-shell-run.sh: Firewall reconfiguration isn't required.

Also when updating to a new version, you don't really need to manually run the uninstaller, although it's not a bad practice. The -install script automatically uninstalls an existing version (if any) before going ahead with the installation.

friendly-bits commented 8 months ago

In the meanwhile, I have verified that v0.2.7 fixes the issue on my iptables-based Debian system.

wouam31200 commented 8 months ago

Hi, great, the problem is solved on Ubuntu! Thanks again.