March 16, 2019

xtables-addons-common on Ubuntu 18.04

Last year in June I set up a geofence on my home server to ban all access not coming from DE. In January I noticed that things did not work anymore.

A bit of research revealed that the company that provides the needed GeoIP tables had decided to stop shipping them in format A and only offered the tables in format B. So neither the script that downloads the tables (xt_geoip_dl) nor the script that converts them (xt_geoip_build) into the binary format that xt_geoip can digest to block connection attempts worked anymore.

I thought that the entire xtables-addons-common package would be updated pretty soon on Ubuntu 18.04, but no. The issue is still not solved, although the developers of xtables-addons-common released a new version that can deal with the situation some time ago.

Well, I tried to download the sources of xtables-addons-common from Sourceforge and configure/make/make install them myself, but it did not work for me.

Then I found a bit of a dirty solution: I manually downloaded Debian (!) debs of xtables-addons-common and xtables-addons-dkms from here and there and dpkg -i'd both packages on my server.

Fixed.

For some extra fun, I also upgraded my firewall script a bit. Now it logs all those friendly persons scanning the web from China, Russia and India to /var/log/syslog.

#!/bin/bash

IFACE="enp3s0"
IPTABLES="/sbin/iptables"

...

## Put this here or local connections also get blocked. Stupid!
$IPTABLES -A INPUT -i $IFACE -s 192.168.178.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $IFACE -d 192.168.178.0/24 -m conntrack --ctstate ESTABLISHED -j ACCEPT

### Log Drop Chain
$IPTABLES -N LOG_DROP
$IPTABLES -A LOG_DROP -j LOG --log-prefix "GEOFENCED: " --log-level 6
$IPTABLES -A LOG_DROP -j DROP

## Log and drop every new inbound connection whose source address is not geolocated in DE
$IPTABLES -A INPUT -i $IFACE -m conntrack --ctstate NEW -m geoip ! --src-cc DE -j LOG_DROP

...
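As an added example (not part of the original post), a small bash helper that summarises the "GEOFENCED: " lines the LOG_DROP chain above writes to syslog: hits per blocked source address and the destination ports each one probed. The log lines are constructed to mimic the iptables LOG target format; on the real server you would feed it /var/log/syslog instead.

```bash
#!/bin/bash
# Added example, not part of the original post: summarise the "GEOFENCED: "
# lines that the LOG_DROP chain writes to the kernel log / syslog.

# Constructed sample log lines in the iptables LOG target format (not
# captured from a real host). The last line carries another prefix and
# must be ignored.
SAMPLE_LOG='Mar 16 10:01:02 home kernel: [12345.678] GEOFENCED: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.178.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 16 10:01:05 home kernel: [12348.001] GEOFENCED: IN=enp3s0 OUT= SRC=203.0.113.7 DST=192.168.178.10 LEN=60 PROTO=TCP SPT=44212 DPT=80 SYN URGP=0
Mar 16 10:02:11 home kernel: [12414.333] GEOFENCED: IN=enp3s0 OUT= SRC=198.51.100.23 DST=192.168.178.10 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar 16 10:02:30 home kernel: [12433.100] OTHER_PREFIX: IN=enp3s0 OUT= SRC=192.0.2.9 DST=192.168.178.10 PROTO=TCP SPT=1234 DPT=443'

# geofence_summary: read log lines on stdin and print one line per blocked
# source address: "<hits> <src ip> <comma-separated destination ports>",
# busiest source first.
geofence_summary() {
    awk '/GEOFENCED: / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        hits[src]++
        if (!((src, dpt) in seen)) {
            seen[src, dpt] = 1
            ports[src] = (ports[src] == "") ? dpt : (ports[src] "," dpt)
        }
    }
    END { for (s in hits) print hits[s], s, ports[s] }' | sort -rn
}

# geofence_top_source: the single source address with the most blocked
# connection attempts.
geofence_top_source() {
    geofence_summary | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run on the sample; on the real server use:
#   grep 'GEOFENCED: ' /var/log/syslog | geofence_summary
printf '%s\n' "$SAMPLE_LOG" | geofence_summary
```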

© holger 2015 - 2020