Hi,

Thanks, yes, what you suggested works.

But is there any way I can put this in the ufw-before-logging-input and not
in the ufw-before-input?
Because now I have double messages of these blocks, which does not seem needed.


And thank you for looking into this.
Should I report this to the maintainer of iptables-restore?

Best regards,

Louis



-----Original message-----
From: Jamie Strandboge [mailto:ja...@canonical.com]
Sent: Friday, 20 February 2015 22:21
To: Louis van Belle; 777...@bugs.debian.org
Subject: Re: Bug#777150: ufw: Hi, adde a custom rule with geoip iptables modules wont load from ufw.

Thank you for the detailed report. The problem seems to be with
iptables-restore and not ufw itself. Specifically, iptables-restore doesn't
like the single quotes in '[UFW COUNTRY BLOCK] '. Therefore, add this
instead to before.rules:

-A ufw-before-input -m geoip --src-cc KR,CN,IN,RU,TR,VN,UA,BR,VE,JP -m limit --limit 3/minute -j LOG --log-level 4 --log-prefix "[UFW COUNTRY BLOCK] "
-A ufw-before-input -m geoip --src-cc KR,CN,IN,RU,TR,VN,UA,BR,VE,JP -j DROP

I'm not sure why iptables-restore is so particular here, but the various
*.rules files are fed into iptables-restore directly without modification.

After doing that I can 'ufw disable' and 'ufw enable' and it all works fine.
After reboot I have:

$ sudo iptables -t filter -nL ufw-before-input
Chain ufw-before-input (1 references)
target     prot opt source               destination
...
LOG        all  --  0.0.0.0/0            0.0.0.0/0            -m geoip --source-country KR,CN,IN,RU,TR,VN,UA,BR,VE,JP  limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW COUNTRY BLOCK] "
DROP       all  --  0.0.0.0/0            0.0.0.0/0            -m geoip --source-country KR,CN,IN,RU,TR,VN,UA,BR,VE,JP
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0


Note, I was thinking you might need to add xt_geoip to IPT_MODULES in
/etc/default/ufw, but they seemed to have autoloaded fine on boot.

-- 
Jamie Strandboge                 http://www.ubuntu.com/
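
The quoting problem described in the reply above, as an added example that is not part of the original e-mails and is not ufw or iptables code: a small lint that flags rule lines using single quotes before a *.rules file is handed to iptables-restore. It assumes, as the thread reports, that only double quotes group words into one argument; the sample rules are constructed, with a shortened country list.

```python
# Assumption: only double quotes group words into one argument (the behaviour
# reported in the thread). This is not iptables-restore's actual parser.
# Constructed sample rules; country list shortened from the thread's rules.
SAMPLE_RULES = """\
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -m geoip --src-cc KR,CN -j LOG --log-prefix '[UFW COUNTRY BLOCK] '
-A ufw-before-input -m geoip --src-cc KR,CN -j LOG --log-prefix "[UFW COUNTRY BLOCK] "
-A ufw-before-input -m geoip --src-cc KR,CN -j DROP
COMMIT
"""


def split_args(line):
    """Return (args, stray); stray is True if a ' appears outside double quotes."""
    args, cur, in_dq, started, stray = [], [], False, False, False
    for ch in line:
        if ch == '"':
            in_dq, started = not in_dq, True
        elif ch.isspace() and not in_dq:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            stray = stray or (ch == "'" and not in_dq)
            cur.append(ch)
            started = True
    if in_dq:
        raise ValueError("unterminated double quote")
    if started:
        args.append("".join(cur))
    return args, stray


def lint_rules(text):
    """Return [(line_number, args)] for rule lines that use single quotes."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("-"):  # only "-A ..." style rule lines
            args, stray = split_args(raw)
            if stray:
                findings.append((num, args))
    return findings


if __name__ == "__main__":
    for num, args in lint_rules(SAMPLE_RULES):
        print(f"line {num}: single-quoted text is split into {args}")
```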

