Re: [leaf-user] geoip

[Otto H. - T. <ott...@te...>]

Dears,

I'll answer for myself.
I updated the APU to latest V7.5.0 x86_64 and geoip doesn't work here 
either.

So I tried many versions and the last working version with filtering 
according to geoip country codes is V6.2.7.

All versions of 7.X can't filter by country code.
The 7.X versions probably do not have country code filtering enabled in 
the kernel.

Best regards
Otto


Dne 21.03.2025 v 20:16 Otto Halák - TeleLarm napsal(a):
> Dears,
> running V7.5.0-rc1
> 
> Installed geoip and xt_add packages.
> 
> Put xt_geoip module to /etc/modules:
> lsmod | grep xt_geo*
> xt_geoip 12288 0 - Live 0xffffffffc066f000 (O)
> x_tables 36864 16 xt_comment,ipt_REJECT,xt_addrtype,iptable_nat,
> xt_mark,iptable_mangle,xt_tcpudp,xt_CT,iptable_raw,xt_multiport,
> xt_conntrack,xt_NFLOG,xt_LOG,iptable_filter,ip_tables,xt_geoip,
> Live 0xffffffffc065b000
> 
> Path in shorewall config to geoip database is correct:
> GEOIPDIR=/usr/share/xt_geoip/LE
> 
> APU is LE:
> echo -n I | od -to2 | head -n1 | cut -f2 -d" " | cut -c6
> 1
> 
> The database is on the right place:
> ls /usr/share/xt_geoip/LE
> A1.iv4  BH.iv6  CO.iv4  FM.iv6  HT.iv4  KY.iv6  MQ.iv4  PE.iv6  SI.iv4
> A1.iv6  BI.iv4  CO.iv6  FO.iv4  HT.iv6  KZ.iv4  MQ.iv6  PF.iv4  SI.iv6
> A2.iv4  BI.iv6  CR.iv4  FO.iv6  HU.iv4  KZ.iv6  MR.iv4  PF.iv6  SJ.iv4
> A2.iv6  BJ.iv4  CR.iv6  FR.iv4  HU.iv6  LA.iv4  MR.iv6  PG.iv4  SJ.iv6
> AD.iv4  BJ.iv6  CU.iv4  FR.iv6  ID.iv4  LA.iv6  MS.iv4  PG.iv6  SK.iv4
> etc...
> 
> The same database I use on older machine where it works like a charm.
> 
> But shorewall still complain when compiling rules:
> ERROR: A country-code require GeoIP Match in your kernel and iptables / 
> etc/shorewall/rules (line 96)
> 
> Any idea what might be wrong?
> 
> Otto
>