
IPSET configured correctly, not working

Posted: 18 Aug 2015, 16:07
by leptserkhan
Hello, I am running Ubuntu Server 14.04 LTS and have checked that:

ipset is supported in the kernel: Yes.

that the correct path is enabled to ipset: yes

I have enabled it in csf.conf with country lists such as, for testing: uk, ru, hk

However, when I restart with csf -e and view the ensuing output, I see:
Try `iptables -h' or 'iptables --help' for more information.
csf: IPSET creating set cc_"uk"
iptables v1.4.21: Set cc_uk doesn't exist.
Additionally those countries are not being blocked.

Thanks.

Re: IPSET configured correctly, not working

Posted: 18 Aug 2015, 16:10
by ForumAdmin
UK is not a valid Country Code, it should be GB:
https://en.wikipedia.org/wiki/ISO_3166-1

Additionally, the error suggests that you have anomalous double quotes in your country code list in csf.conf

Re: IPSET configured correctly, not working

Posted: 18 Aug 2015, 16:47
by leptserkhan
Thanks for the heads up. I corrected those issues and it's still not working.

Here is the output from IP tables after correcting as you indicated. I vpn in from those countries and can still view the website hosted. I've checked with ipchicken.com and indeed the vpn is originating from those countries.

Chain CC_DENY (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set cc_gb src
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set cc_cn src
3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set cc_ru src
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set cc_my src
5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set cc_nl src

Re: UPDATE: IPSET configured correctly, not working

Posted: 18 Aug 2015, 21:11
by leptserkhan
Update: I notice that in /var/lib/csf the csf.cclookup file is empty but the csf.block.MAXMIND has entries -- would this account for the country blocking not working whilst ipset is turned on?

Re: IPSET configured correctly, not working

Posted: 19 Aug 2015, 09:51
by ForumAdmin
The next step would be to see if your IP is included in the list and not whitelisted:

csf -g 11.22.33.44
If the IP is not listed, it won't be blocked. If it is in csf.allow, it won't be blocked. If it is listed in the deny list and nowhere else, then it would appear that IPSET is not working for some reason and you should try disabling LF_IPSET then restart csf and then lfd and try again.

Re: IPSET configured correctly, not working

Posted: 19 Aug 2015, 13:58
by leptserkhan
Thank you. I'm talking about an IP address that is from another country (other than US, for example, GB or RU) that is not being blocked, not my own network IP. I can't see how the instructions would apply. . .

That is, I am attempting to use the CC block feature and it's not working, whether or not I use IPSET.

Is there a command line to see what netblocks or IPs are being blocked by the country block feature when it is turned on? It seems to me the file with the name csf.cclookup would contain blocked country lists, no?

I have whitelisted my personal IPs under csf.allow, but I can't see how that would affect country blocks given that those IPs originate in the US and are not of a foreign origin.
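
For the question above about seeing which netblocks the country sets hold: this is an added example, not part of any post in this thread and not csf's own code. It parses the text produced by `ipset save` and reports which `cc_*` sets contain a given address and which sets are empty. The sample dump is constructed (documentation ranges, not real country allocations), and the function names are hypothetical; the `cc_` prefix follows the set names shown in the CC_DENY chain above.

```python
import ipaddress

# Constructed sample in `ipset save` format. The ranges are RFC 5737
# documentation networks, not real country allocations.
SAMPLE_SAVE = """\
create cc_gb hash:net family inet hashsize 1024 maxelem 65536
add cc_gb 198.51.100.0/24
add cc_gb 203.0.113.7
create cc_ru hash:net family inet hashsize 1024 maxelem 65536
add cc_ru 192.0.2.0/25
create cc_hk hash:net family inet hashsize 1024 maxelem 65536
"""


def parse_ipset_save(text):
    """Return {set_name: [ip_network, ...]} from `ipset save` output."""
    sets = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "create":
            # Register the set even if no members follow, so empty sets show up.
            sets.setdefault(fields[1], [])
        elif len(fields) >= 3 and fields[0] == "add":
            # A bare address (no /prefix) is parsed as a single-host network.
            net = ipaddress.ip_network(fields[2], strict=False)
            sets.setdefault(fields[1], []).append(net)
    return sets


def matching_sets(sets, ip, prefix="cc_"):
    """Names of country sets whose members cover the address `ip`."""
    addr = ipaddress.ip_address(ip)
    return sorted(
        name for name, nets in sets.items()
        if name.startswith(prefix) and any(addr in net for net in nets)
    )


def empty_sets(sets, prefix="cc_"):
    """Country sets that exist but have no members, so their rule matches nothing."""
    return sorted(n for n, nets in sets.items() if n.startswith(prefix) and not nets)


if __name__ == "__main__":
    sets = parse_ipset_save(SAMPLE_SAVE)
    for ip in ("198.51.100.20", "203.0.113.7", "192.0.2.200"):
        print(ip, "->", matching_sets(sets, ip) or "not in any cc_ set")
    print("empty sets:", empty_sets(sets))
```

On a live host the input would be the output of `ipset save` run as root; for a single address against a single set, `ipset test cc_gb <address>` answers the same question directly.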