everything seems ok here
am I missing anything?
Yes.
/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
{
$OUT .=<<'EOF';
# A blacklist chain for xtables-addons GEOIP
/sbin/iptables --new-chain XTGeoIP
/sbin/iptables --new-chain XTGeoIP_1
/sbin/iptables --append XTGeoIP -j XTGeoIP_1
/sbin/iptables --insert INPUT 1 \
-j XTGeoIP
EOF
}
I think that this:
/sbin/iptables --insert INPUT 1 \
Inserts the rule above every other rule - including RiffRaff.
So you only get to the RiffRaff block AFTER GeoIP no matter where you add the RiffRaff template.
So effectively a RiffRaff block will be checked AFTER it is checked for GeoIP and will then ONLY block IPs that are permitted by GeoIP.
Try blocking an IP that you see blocked by GeoIP. You would think that GeoIP would never see it, but it is still there.
Took me ages to realise what was going on!
You could of course add say
--INSERT 1
to your RiffRaff rule to put it above GeoIP.
(all based on observation and my limited knowledge of IPTables!!)
Proof if required.
[root@esmith masq]# iptables -L INPUT -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 413M 164G XTGeoIP all -- any any anywhere anywhere
2 412M 164G Fail2Ban all -- any any anywhere anywhere
3 412M 164G state_chk all -- any any anywhere anywhere
4 4647K 313M local_chk all -- any any anywhere anywhere
5 0 0 denylog all -- any any base-address.mcast.net/4 anywhere
6 0 0 denylog all -- any any anywhere base-address.mcast.net/4
7 0 0 DROP all -- any any 193.47.61.13 anywhere <<<< See this?
8 88733 3869K InboundICMP icmp -- any any anywhere anywhere
9 0 0 denylog icmp -- any any anywhere anywhere
I have a config entry for my RiffRaff:
ipblock=configuration
DenyHosts=193.47.61.13/32
So that DROP is after GeoIP.
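An added example (not part of the post above, and not SME Server or e-smith code) that makes the ordering problem checkable from the listing itself: it parses the output of `iptables -L INPUT -v --line-numbers`, reports any host-specific DROP rule that sits below the XTGeoIP jump (its counters can never move for a source GeoIP already rejects), and then simulates the INPUT walk before and after moving the RiffRaff rule to position 1 with `--insert INPUT 1`. The listing is a constructed copy of the one in the post; the assumption that 193.47.61.13 is in a country XTGeoIP rejects is the post's own scenario, not something the example verifies.

```python
"""Check INPUT-chain rule order from `iptables -L INPUT -v --line-numbers` output.

Added example: the listing is constructed from the post; the GeoIP behaviour is
modelled, not taken from the xtables-addons module.
"""
from dataclasses import dataclass, replace

# Constructed sample: the post's own INPUT listing, minus the "<<<< See this?" note.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 413M 164G XTGeoIP all -- any any anywhere anywhere
2 412M 164G Fail2Ban all -- any any anywhere anywhere
3 412M 164G state_chk all -- any any anywhere anywhere
4 4647K 313M local_chk all -- any any anywhere anywhere
5 0 0 denylog all -- any any base-address.mcast.net/4 anywhere
6 0 0 denylog all -- any any anywhere base-address.mcast.net/4
7 0 0 DROP all -- any any 193.47.61.13 anywhere
8 88733 3869K InboundICMP icmp -- any any anywhere anywhere
9 0 0 denylog icmp -- any any anywhere anywhere
"""


@dataclass
class Rule:
    num: int      # position in the chain (1 = evaluated first)
    pkts: str     # packet counter as printed (may carry K/M/G suffix)
    target: str   # jump target or verdict
    proto: str
    source: str
    dest: str


def parse_listing(text):
    """Parse the numbered rule lines; header and 'Chain' lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Columns: num pkts bytes target prot opt in out source destination
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        rules.append(Rule(int(parts[0]), parts[1], parts[3], parts[4],
                          parts[8], parts[9]))
    return rules


def shadowed_host_drops(rules, geoip_chain="XTGeoIP"):
    """DROP rules for a specific source that sit below the GeoIP jump.

    A packet from a source the GeoIP chain rejects never reaches them, so
    their counters stay at zero even while that host is hitting the box."""
    geoip_pos = next((r.num for r in rules if r.target == geoip_chain), None)
    if geoip_pos is None:
        return []
    return [r for r in rules
            if r.target == "DROP" and r.source != "anywhere" and r.num > geoip_pos]


def first_match(rules, src_ip, geoip_blocked, geoip_chain="XTGeoIP"):
    """Simulate the INPUT walk for a packet from src_ip and return the first
    rule that terminates it. Only two targets are modelled: the GeoIP chain,
    assumed to drop any source in geoip_blocked, and a DROP for that exact
    host. Other jumps are treated as returning without a verdict."""
    for r in rules:
        if r.target == geoip_chain and src_ip in geoip_blocked:
            return r
        if r.target == "DROP" and r.source == src_ip:
            return r
    return None


def insert_at_top(rules, rule_num):
    """Model re-adding an existing rule with `--insert INPUT 1`: move it to
    position 1 and renumber the rest, returning a new list."""
    moved = [r for r in rules if r.num == rule_num]
    rest = [r for r in rules if r.num != rule_num]
    return [replace(r, num=i + 1) for i, r in enumerate(moved + rest)]


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    # Assumption (the post's scenario): GeoIP rejects this host's country.
    blocked = {"193.47.61.13"}
    for r in shadowed_host_drops(rules):
        print(f"rule {r.num}: DROP {r.source} is below XTGeoIP, pkts={r.pkts}")
    hit = first_match(rules, "193.47.61.13", blocked)
    print(f"as listed, the packet stops at rule {hit.num} ({hit.target})")
    fixed = insert_at_top(rules, 7)
    hit = first_match(fixed, "193.47.61.13", blocked)
    print(f"after --insert INPUT 1, it stops at rule {hit.num} ({hit.target})")
```

The useful check in practice is the one `shadowed_host_drops` performs: any host DROP whose position is greater than the XTGeoIP jump will show zero counters for sources GeoIP already rejects, which is exactly the "0 0 DROP" at line 7 in the post, and says nothing about whether the RiffRaff entry is working.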