Iptables geo filtering

alirz1 · May 21, 2018, 2:56pm

I just compiled a LEDE build for my wrt1900ac. i selected most iptables addons that i think should support geo filtering. However when i try to run the iptables command with geo filtering it gives an error:

iptables -A INPUT -m geoip ! --src-cc CN,CO,SG,YC,OD,ES -i eth1.2 -m conntrack --ctstate NEW -j DROP
Error loading shared library libnetfilter_conntrack.so.3: No such file or directory (needed by /usr/sbin/iptables)
Error loading shared library libnfnetlink.so.0: No such file or directory (needed by /usr/sbin/iptables)

i have the following iptables packages installed on the router:
iptables-mod-geoip
kmod-ipt-geoip
kmod-ipt-conntrack
kmod-ipt-conntrack-extra
kmod-nf-conntrack
kmod-nf-conntrack6

what else could i be missing? Thanks

mikma · May 22, 2018, 2:27pm

You seem to be missing at least libnetfilter-conntrack and libnfnetlink.

# opkg search /usr/lib/libnetfilter_conntrack.so.3
libnetfilter-conntrack - 1.0.6-1

# opkg search /usr/lib/libnfnetlink.so.0
libnfnetlink - 1.0.1-1

alirz1 · May 23, 2018, 7:55pm

Thanks. While ive sorted out the setup and all. But looks like the block rule is working/or getting triggered.

i can see the geoip block rule in my firewall. However when i test by coming into my home from the outside (using a vpn to seem like im coming from one of the blocked coutries). Im still able to hit my internal webserver, etc…And i dont see the packaets being dropped on my firewall.
Just wondering where can i get more help on this, From the looks of it, my setup it correct.

alirz1 · May 25, 2018, 8:33pm

Does anyone know if the package "xtables-addons" exists in openwrt/LEDE. I cannot find it anywhere in the build environment.

tmomas · May 25, 2018, 8:54pm

https://openwrt.org/packages/table/start?dataofs=50&dataflt[Name_pkg-dependencies*~]=xtables

anomeome · May 25, 2018, 8:58pm

Appears like it should be, there was a FS marked as fixed, it is there under feeds/, but...

alirz1 · May 26, 2018, 12:22am

Thanks. but that is a useless post.

alirz1 · May 26, 2018, 12:26am

But for some reason it doesnt show in the feed:

lede$ scripts/feeds search xtables
Search results in feed 'packages':
iptables-mod-account     	ACCOUNT iptables extension
iptables-mod-chaos       	CHAOS iptables extension
iptables-mod-condition   	Condition iptables extension
iptables-mod-delude      	DELUDE iptables extension
iptables-mod-dhcpmac     	DHCPMAC iptables extension
iptables-mod-dnetmap     	DNETMAP iptables extension
iptables-mod-fuzzy       	fuzzy iptables extension
iptables-mod-geoip       	geoip iptables extension
iptables-mod-iface       	iface iptables extension
iptables-mod-ipmark      	IPMARK iptables extension
iptables-mod-ipp2p       	IPP2P iptables extension
iptables-mod-ipv4options 	ipv4options iptables extension
iptables-mod-length2     	length2 iptables extension
iptables-mod-logmark     	LOGMARK iptables extension
iptables-mod-lscan       	lscan iptables extension
iptables-mod-lua         	Lua PacketScript iptables extension
iptables-mod-psd         	psd iptables extension
iptables-mod-quota2      	quota2 iptables extension
iptables-mod-sysrq       	SYSRQ iptables extension
iptables-mod-tarpit      	TARPIT iptables extension
iptaccount               	iptables-mod-account control utility
iptgeoip                 	iptables-mod-geoip support scripts for MaxMind GeoIP databases
kmod-ipt-compat-xtables  	API compatibilty layer netfilter module

jeff · May 26, 2018, 12:29am

lede_source$ find feeds -name Makefile -exec fgrep -H  "xtables-addons" {} \;
feeds/packages/net/xtables-addons/Makefile:PKG_NAME:=xtables-addons
feeds/packages/net/xtables-addons/Makefile:PKG_SOURCE_URL:=@SF/xtables-addons
feeds/packages/net/xtables-addons/Makefile:define Package/xtables-addons
[...]

alirz1 · May 26, 2018, 12:35am

ok. while i can also find it in the same path using the find command. i cannot find the 'xtables-addons' as a package that i can select to be inclluded in my build.Sorry im not an expert at development. Just enough knowledge to compile a custom image using the LEDE build environment.
see attached picture when i search in the make menuonfig interface. I only find those two entries.
xtables

jeff · May 26, 2018, 12:53am

Even with enabling

PKG_BUILD_DEPENDS:=iptables

I don't find it either. Might be a bug in the package or the build system as it should be under Network > Firewall

define Package/xtables-addons
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  TITLE:=Extensions not distributed in the main Xtables
  URL:=http://xtables-addons.sourceforge.net/
endef

alirz1 · May 26, 2018, 1:20am

Thanks for the help. Would you know where/whom i could report this to in case this is a bug ?

alirz1 · June 7, 2018, 6:12pm

Does anyone know where i can report this as there seems to be a missing module that doesnt show up in make menuconfig.

lleachii · June 7, 2018, 8:29pm

https://github.com/openwrt/packages/issues/new
https://bugs.lede-project.org/
(I also moved this thread to the Developer's section)

Ansuel · June 8, 2018, 7:33pm

If you want I can make a pr to include the missing module

alirz1 · June 9, 2018, 2:17pm

Thanks. but i did open an issue on github at: https://github.com/openwrt/packages/issues/6234