Remove location block with core 167

Hi!

With core, guess it was 159, I could use the following command in a shell script to temporarily open the firewall for dehydrated to renew some certs on IPFire.
iptables -D LOCATIONBLOCK -m geoip --source-country US -j DROP

Now this does not work anymore and I guess the following command won’t work either:
iptables -I LOCATIONBLOCK -m geoip --source-country US -j DROP

So, I need some advice on how to do the same in core 167.

Thanks,
Michael

Have a look at this thread for info. xt_geoip has been replaced by ipset.

https://community.ipfire.org/t/does-geoip-still-work-for-mangle-prerouting-rules/7955


Is this the appropriate rule in iptables for e.g. country US:
DROP all -- anywhere anywhere match-set US src

Problem is, previously I could simply take the current rule and delete it with option -D and add the rule again with option -I

Whereas taking the above rule and using the same options does not work accordingly:

iptables -D DROP       all  --  anywhere             anywhere             match-set US src
iptables v1.8.7 (legacy): Invalid rule number `all'

So, what is the correct syntax in this case?

I am not familiar enough with iptables and ipset to be able to provide any input on your question, but I found the following link about using ipset with iptables.

https://malware.expert/howto/ipset-with-iptables/

There is a section about configuring iptables to use an ipset list. Maybe this will help.

Otherwise others will need to provide some input.


Sorry, just edited my posting above prior to your answer…

Unfortunately I don’t see any ipset list involved while creating this FW rule
DROP all -- anywhere anywhere match-set US src

If there is an ipset list involved, how can I remove a single entry like country US?

I don’t know anything about ipset either :frowning: So I already tried this command to find any occurrence of the country US:
ipset list | grep US
No chance, so far.

OK, let me re-phrase my question: how can I temporarily remove a location block for country US from a shell script and re-add it again after some processing?

Like a firewall rule.
That you enable and disable.
With your script?
I have no such skills sorry for the noise.

Yes, sure, but as initially posted, the command I used previously does not work anymore, and knowing that the old location blocking was replaced by ipset does not help me either.

I understand ipset as a helper to administer firewall rules but this requires some knowledge I currently do not have, hence my request for some support :grinning:

I am curious - can you create a Firewall Rule at
https://ipfire.localdomain:444/cgi-bin/firewall.cgi to block the US? And enable/disable with the checkbox?

If so, then print out the iptable before “enable” and print out the iptables after “disable”.

I think this will print out all of the tables needed (sorry this part I am doing from memory and cannot try now):

iptables --list-rules

Compare the two files. These differences are how I created a few scripts.

this is the firewall rule (with a different country)

and here are some differences:

-A FORWARDFW -o red0 -m set --match-set AD dst -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "FORWARDFW "
-A FORWARDFW -o red0 -m set --match-set AD dst -j DROP

and here:

-A OUTGOINGFW -o red0 -m set --match-set AD dst -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OUTGOINGFW "
-A OUTGOINGFW -o red0 -m set --match-set AD dst -j DROP

The WebGUI rule works as expected and blocks

andorratelecom[dot]ad ← a random company in the same country.


Jon, thanks for your reply.

I do not have any issues with firewall rules in WebIF, but rather with removing some existing ones by a bash script.

I’m using location blocks in WebIF and I’m currently blocking all countries except DE and AT.

However, when renewing some Let’s Encrypt certificate it is mandatory that some US IP addresses (owned by Let’s Encrypt) have access to the webserver running on IPFire itself.

Otherwise the process for renewing cannot check if I’m the legitimate owner of those certs. That’s all!

Right now US is blocked, and from time to time when renewing those certs by a cron job, this planned script must open the firewall for country US and close it afterwards.

With core 159 those lines in my initial posting worked perfectly well, and with core 167 they do not, for obvious reasons.

Hence my question here in the community…

This is the line I’ve found from command line, that obviously blocks country US from accessing the LAN:
DROP all -- anywhere anywhere match-set US src
But I could not add a line to my script that temporarily removes this FW rule using the iptables command and adds it again after the process has finished.

Btw, this is not a manually created rule by me but the rule that the location block sets when using the WebIF.

My thought is that the geoblock “ipsets” is of course blocking this.
So the order in which the firewall handles this in the firewall chain becomes a question? Can’t find the old processing chain image. Probably outdated.

Remove US from Geoblock list.
Add firewall rule to block US only.
Then have script enable/disable US block rule.
Not sure if this helps.

That’s it of course, this would surely work, however, this is a manual process.

Right now or better, prior to core 167, this was an automatic process with a cron job. No need to remove anything by myself and this is the solution I’m looking for again.

Here is a suggestion, instead of

iptables -D LOCATIONBLOCK -m geoip --source-country US -j DROP

try something like

iptables -D LOCATIONBLOCK -m set --match-set US src -j DROP

This is the delete side, but the insertion side should be roughly the same.
PZ

Hi all,

sorry for my late reaction on this.

@hellfire: As stated already, all you need to do is to replace the xt_geoip part in the iptables rules of yours with the appropriate ipset directives. This commit, for example, shows how this was done for XD - the special country code we use for “hostile” networks.

Adapting from that, the iptables rule for blocking any incoming connections from the US looks like:

iptables -I LOCATIONBLOCK -m set --match-set CC_US src -j DROP

Hope to have helped.

Thanks, and best regards,
Peter Müller


Thanks to all who participated here!

The solution was slightly different from what @pmueller posted:
Remove the current location block for country US:
iptables -D LOCATIONBLOCK -m set --match-set US src -j DROP
and add the block again:
iptables -I LOCATIONBLOCK -m set --match-set US src -j DROP

The difference was --match-set US src instead of --match-set CC_US src.

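The cron-driven script the thread is after, written out as an added example (not code posted by anyone in the thread): it checks that the ipset-based LOCATIONBLOCK rule exists, deletes it only for the duration of the renewal command, and re-inserts it even when the renewal fails or the script is interrupted. It assumes the core 167 set name is the bare country code (US) as in the final post, and that the iptables path can be overridden through $IPTABLES (IPTABLES=echo gives a dry run); the dehydrated path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: open the IPFire location block for
# one country only while a certificate renewal runs, then put it back.
# Assumptions: set name equals the country code (core 167); $IPTABLES may be
# overridden for a dry run, e.g. IPTABLES=echo.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Rule specification shared by -C, -D and -I (from the thread's final post).
rule_spec() {
    printf 'LOCATIONBLOCK -m set --match-set %s src -j DROP' "$1"
}

# Run iptables with one operation (-C check, -D delete, -I insert) on the
# block rule of the given country code.
block_rule() {
    $IPTABLES "$1" $(rule_spec "$2")
}

# renew_with_window CC command [args...]
# Returns the renewal command's exit status; the block is always restored.
renew_with_window() {
    cc="$1"; shift
    if ! block_rule -C "$cc" 2>/dev/null; then
        echo "no LOCATIONBLOCK rule for $cc found; running renewal unchanged" >&2
        "$@"
        return $?
    fi
    block_rule -D "$cc" || return 1
    # Restore the block if the script is killed while the window is open.
    trap 'block_rule -I "$cc"' EXIT INT TERM
    "$@"
    status=$?
    block_rule -I "$cc"
    trap - EXIT INT TERM
    return $status
}

# Cron usage (dehydrated path is an assumption):
# renew_with_window US /usr/bin/dehydrated --cron
```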