xtables-addons GEOIP not matching chain


 



Hi all,
My name is Marco. I'm writing here because this page:
https://sourceforge.net/projects/xtables-addons/support says that this
is the best place to get help. I have a strange issue with
xtables-addons, in particular with the xt_geoip module; please correct me
if I'm in the wrong place.

I'm using Ubuntu 18.04.3 LTS x64, kernel 4.15.0-1051, with all packages updated.

I installed the following packages: xtables-addons-common pkg-config
xtables-addons-source libnet-cidr-lite-perl libtext-csv-xs-perl

and compiled xtables-addons-3.5 (latest version).

The process for generating the GeoIP database with xt_geoip_dl and
xt_geoip_build works, and I can see the module xt_geoip loaded in the
kernel (lsmod) and geoip loaded in iptables (cat
/proc/net/ip_tables_matches).

My iptables configuration is simple: it's meant to LOG and DROP all
the connection attempts from countries that are not whitelisted, in a
dedicated chain:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3607180:3023592144]
:GEOIP - [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 10.0.0.0/8 -j ACCEPT
-A INPUT -d 172.16.0.0/12 -j ACCEPT
-A INPUT -d 192.168.0.0/16 -j ACCEPT
-A INPUT -i eth0 -m geoip ! --source-country IT,IE,GB  -j GEOIP
-A OUTPUT -o lo -j ACCEPT
-A GEOIP -m limit --limit 2/min -j LOG --log-prefix "GEOIP-Dropped: "
-A GEOIP -j DROP
COMMIT

The problem is that the chain GEOIP never gets a hit; in fact the
packet count is zero:
# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
4884K 3949M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
30094 2417K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.0/8
   41 23221 ACCEPT     all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 GEOIP      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            -m geoip ! --source-country IT,IE,GB

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3609K packets, 3025M bytes)
 pkts bytes target     prot opt in     out     source               destination
 517K  810M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain GEOIP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 4 prefix "GEOIP-Dropped: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

If I try to connect from an IP in another country the connection is not dropped.

Before the latest kernel upgrade I was running version 4.15.0-1043 with
xtables-addons 3.3 compiled, and the whole GEOIP process was working
smoothly.

The only strange thing is that I saw the following in /var/log/kern.log:
xt_geoip: loading out-of-tree module taints kernel.
xt_geoip: module verification failed: signature and/or required key missing - tainting kernel

As the kernel module is loaded, this seems to be only a warning.

Can someone please help me with this?
Thanks a lot
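One way to reason about a negated --source-country rule that shows zero hits is to emulate the match decision against the country database and against a handful of known source addresses. The script below is an added example; it is not code from the post above or from xtables-addons. It assumes the xtables-addons 3.x on-disk layout (one <CC>.iv4 file per country holding consecutive start/end IPv4 pairs as 32-bit big-endian integers), and the country-to-range assignments (IT, IE, GB and a placeholder country XX over documentation and CGNAT prefixes) are constructed. The functions pack_iv4, unpack_iv4, load_iv4, country_of, geoip_src_match and count_geoip_hits are the example's own names.

```python
"""Emulate the xt_geoip --source-country decision for a rule such as
    -A INPUT -i eth0 -m geoip ! --source-country IT,IE,GB -j GEOIP
Added example; not code from the mailing-list post or from xtables-addons.

ASSUMPTION about the database layout (xtables-addons 3.x): one file per
country, <CC>.iv4, holding consecutive (start, end) IPv4 pairs stored as
32-bit big-endian integers. Verify against your own /usr/share/xt_geoip.
"""
import ipaddress
import struct
from typing import Dict, Iterable, List, Optional, Tuple

Ranges = List[Tuple[int, int]]


def pack_iv4(ranges: Ranges) -> bytes:
    """Serialize (start, end) pairs in the assumed .iv4 on-disk form."""
    return b"".join(struct.pack("!II", start, end) for start, end in ranges)


def unpack_iv4(blob: bytes) -> Ranges:
    """Parse .iv4 bytes back into (start, end) pairs; reject truncated data."""
    if len(blob) % 8:
        raise ValueError("iv4 data length %d is not a multiple of 8" % len(blob))
    return [struct.unpack("!II", blob[i:i + 8]) for i in range(0, len(blob), 8)]


def load_iv4(path: str) -> Ranges:
    """Read a real <CC>.iv4 file, e.g. /usr/share/xt_geoip/IT.iv4."""
    with open(path, "rb") as fh:
        return unpack_iv4(fh.read())


def _net(cidr: str) -> Tuple[int, int]:
    """First and last address of a CIDR block as integers."""
    net = ipaddress.ip_network(cidr)
    return int(net[0]), int(net[-1])


# Constructed sample database over documentation/CGNAT prefixes (RFC 5737,
# RFC 6598). XX stands for any country that is not on the whitelist.
SAMPLE_DB: Dict[str, Ranges] = {
    "IT": [_net("192.0.2.0/24")],
    "IE": [_net("198.51.100.0/24")],
    "GB": [_net("203.0.113.0/25")],
    "XX": [_net("203.0.113.128/25")],
}


def country_of(ip: str, db: Dict[str, Ranges]) -> Optional[str]:
    """Country code whose ranges contain ip, or None when the DB has no entry."""
    addr = int(ipaddress.IPv4Address(ip))
    for cc, ranges in db.items():
        if any(start <= addr <= end for start, end in ranges):
            return cc
    return None


def geoip_src_match(ip: str, countries: Iterable[str], invert: bool,
                    db: Dict[str, Ranges]) -> bool:
    """True when the rule matches and the packet would jump to its target.
    Without '!': match iff the source is in one of the listed countries.
    With '!': the decision is inverted, so a source in no listed country,
    including one absent from the DB entirely, matches."""
    in_list = country_of(ip, db) in set(countries)
    return (not in_list) if invert else in_list


def count_geoip_hits(ips: Iterable[str], countries: Iterable[str],
                     db: Dict[str, Ranges]) -> int:
    """How many of the given sources the negated rule would send to GEOIP."""
    cs = set(countries)
    return sum(1 for ip in ips if geoip_src_match(ip, cs, True, db))


if __name__ == "__main__":
    whitelist = ["IT", "IE", "GB"]
    samples = ["192.0.2.10", "198.51.100.7", "203.0.113.5",
               "203.0.113.200", "100.64.0.1"]
    for ip in samples:
        verdict = "-> GEOIP" if geoip_src_match(ip, whitelist, True, SAMPLE_DB) else "passes"
        print("%-15s country=%-4s %s" % (ip, country_of(ip, SAMPLE_DB), verdict))
    print("would hit GEOIP:", count_geoip_hits(samples, whitelist, SAMPLE_DB))
    # Round-trip through the assumed file format, as a DB self-check.
    assert unpack_iv4(pack_iv4(SAMPLE_DB["IT"])) == SAMPLE_DB["IT"]
```

To check a live system, replace SAMPLE_DB with load_iv4() calls for each whitelisted country's file and feed in a source address you know is outside the whitelist. Under these semantics a negated rule that a packet actually reaches stays at zero only if every source it sees is classified as IT, IE or GB, so the useful comparison is the GEOIP rule's counter against the counters of the ACCEPT rules that sit above it in INPUT and take the packet first.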


