Hi Venturinog, that is what I did, and it still gets in over HTTP and HTTPS; I am attaching how the rules ended up.
The strange thing is that below the GEOIP rules I have other rules and they are not applied, they do not show up, and obviously at the bottom there is the reject any any for the rest of the ports. Also, before the GEOIP rules I have a reject for ports HTTPS and HTTP and it is not working: I got in from outside over HTTP and HTTPS without any problem with the two GEOIP rules enabled; if I disable them, then it does reject.
So what should I do? Should I put the GEOIP rules at the very end, or at the beginning of everything?
Regards
[root@VisionPBX ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-asterisk-udp udp -- anywhere anywhere multiport dports 0:65535
f2b-asterisk-ami tcp -- anywhere anywhere multiport dports 5038
f2b-asterisk-tcp tcp -- anywhere anywhere multiport dports 0:65535
f2b-postfix-sasl tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap3,imaps,pop3,pop3s
f2b-postfix tcp -- anywhere anywhere multiport dports smtp,urd,submission
f2b-apache-shellshock tcp -- anywhere anywhere multiport dports http,https
f2b-apache-modsecurity tcp -- anywhere anywhere multiport dports http,https
f2b-apache-fakegooglebot tcp -- anywhere anywhere multiport dports http,https
f2b-apache-botsearch tcp -- anywhere anywhere multiport dports http,https
f2b-apache-nohome tcp -- anywhere anywhere multiport dports http,https
f2b-apache-overflows tcp -- anywhere anywhere multiport dports http,https
f2b-apache-noscript tcp -- anywhere anywhere multiport dports http,https
f2b-apache-badbots tcp -- anywhere anywhere multiport dports http,https
f2b-apache-auth tcp -- anywhere anywhere multiport dports http,https
f2b-sshd-ddos tcp -- anywhere anywhere multiport dports ssh
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
ISSABEL_INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ISSABEL_FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ISSABEL_OUTPUT all -- anywhere anywhere
Chain ISSABEL_FORWARD (1 references)
target prot opt source destination
ISSABEL_FORWARD_GEOIP all -- anywhere anywhere
Chain ISSABEL_FORWARD_GEOIP (1 references)
target prot opt source destination
Chain ISSABEL_INPUT (1 references)
target prot opt source destination
ISSABEL_INPUT_GEOIP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere (loopback)
ACCEPT icmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp spt:https dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp spt:http dpt:http reject-with icmp-port-unreachable
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
Chain ISSABEL_INPUT_GEOIP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere -m geoip --source-country CO
DROP all -- anywhere anywhere -m geoip --source-country AO,BF,BI,BJ,BW,CD,CF,CG,CI,CM state NEW
DROP all -- anywhere anywhere -m geoip --source-country CV,DJ,DZ,EG,ER,ET,GA,GH,GM,GN state NEW
DROP all -- anywhere anywhere -m geoip --source-country GQ,GW,KE,KM,LR,LS,LY,MA,MG,ML state NEW
DROP all -- anywhere anywhere -m geoip --source-country MR,MU,MW,MZ,NA,NE,NG,RE,RW,SC state NEW
DROP all -- anywhere anywhere -m geoip --source-country SD,SH,SL,SN,SO,ST,SZ,TD,TG,TN state NEW
DROP all -- anywhere anywhere -m geoip --source-country CY,GE,HK,ID,IL,IN,IO,IQ,IR,JO state NEW
DROP all -- anywhere anywhere -m geoip --source-country JP,KG,KH,KP,KR,KW,KZ,LA,LB,LK state NEW
DROP all -- anywhere anywhere -m geoip --source-country MM,MN,MO,MV,MY,NP,OM,PH,PK,PS state NEW
DROP all -- anywhere anywhere -m geoip --source-country QA,SA,SG,SY,TH,TJ,TL,TM,TR,TW state NEW
DROP all -- anywhere anywhere -m geoip --source-country UZ,VN,YE,AD,AL,AT,AX,BA,BE,BG state NEW
DROP all -- anywhere anywhere -m geoip --source-country BY,CH,CZ,DE,DK,EE,ES,FI,FO,FR state NEW
DROP all -- anywhere anywhere -m geoip --source-country GB,GG,GI,GR,HR,HU,IE,IM,IS,IT state NEW
DROP all -- anywhere anywhere -m geoip --source-country JE,LI,LT,LU,LV,MC,MD,ME,MK,MT state NEW
DROP all -- anywhere anywhere -m geoip --source-country NL,NO,PL,PT,RO,RS,RU,SE,SI,SJ state NEW
DROP all -- anywhere anywhere -m geoip --source-country SK,SM,UA,VA,AG,AI,AW,BB,BL,BM state NEW
DROP all -- anywhere anywhere -m geoip --source-country BS,BZ,CA,CR,CU,DM,DO,GD,GL,GP state NEW
DROP all -- anywhere anywhere -m geoip --source-country GT,HN,HT,JM,KN,KY,LC,MF,MQ,MS state NEW
DROP all -- anywhere anywhere -m geoip --source-country MX,NI,PA,PM,PR,SV,TC,TT,US,VC state NEW
DROP all -- anywhere anywhere -m geoip --source-country VG,AS,AU,CK,FJ,FM,GU,KI,MH,MP state NEW
DROP all -- anywhere anywhere -m geoip --source-country NC,NF,NR,NU,NZ,PF,PG,PN,PW,SB state NEW
DROP all -- anywhere anywhere -m geoip --source-country TK,TO,TV,UM,VU,WF,WS,AR,BO,BR state NEW
DROP all -- anywhere anywhere -m geoip --source-country CL,EC,FK,GY,PY,PE,SR,UY,VE state NEW
Chain ISSABEL_OUTPUT (1 references)
target prot opt source destination
ISSABEL_OUTPUT_GEOIP all -- anywhere anywhere
Chain ISSABEL_OUTPUT_GEOIP (1 references)
target prot opt source destination
Chain f2b-apache-auth (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-badbots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-botsearch (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-fakegooglebot (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-modsecurity (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-nohome (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-noscript (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-overflows (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-shellshock (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-asterisk-ami (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-asterisk-tcp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-asterisk-udp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-postfix (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-postfix-sasl (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd-ddos (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
If I do not enable the GEOIP rules, then they all do appear:
[root@VisionPBX ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-asterisk-udp udp -- anywhere anywhere multiport dports 0:65535
f2b-asterisk-ami tcp -- anywhere anywhere multiport dports 5038
f2b-asterisk-tcp tcp -- anywhere anywhere multiport dports 0:65535
f2b-postfix-sasl tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap3,imaps,pop3,pop3s
f2b-postfix tcp -- anywhere anywhere multiport dports smtp,urd,submission
f2b-apache-shellshock tcp -- anywhere anywhere multiport dports http,https
f2b-apache-modsecurity tcp -- anywhere anywhere multiport dports http,https
f2b-apache-fakegooglebot tcp -- anywhere anywhere multiport dports http,https
f2b-apache-botsearch tcp -- anywhere anywhere multiport dports http,https
f2b-apache-nohome tcp -- anywhere anywhere multiport dports http,https
f2b-apache-overflows tcp -- anywhere anywhere multiport dports http,https
f2b-apache-noscript tcp -- anywhere anywhere multiport dports http,https
f2b-apache-badbots tcp -- anywhere anywhere multiport dports http,https
f2b-apache-auth tcp -- anywhere anywhere multiport dports http,https
f2b-sshd-ddos tcp -- anywhere anywhere multiport dports ssh
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
ISSABEL_INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ISSABEL_FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ISSABEL_OUTPUT all -- anywhere anywhere
Chain ISSABEL_FORWARD (1 references)
target prot opt source destination
ISSABEL_FORWARD_GEOIP all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ISSABEL_FORWARD_GEOIP (1 references)
target prot opt source destination
Chain ISSABEL_INPUT (1 references)
target prot opt source destination
ISSABEL_INPUT_GEOIP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp spt:https dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp spt:http dpt:http reject-with icmp-port-unreachable
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
ACCEPT udp -- anywhere anywhere udp dpts:avt-profile-1:qcp <- from this one downward they are not applied if I enable the GEOIP rules... ?
ACCEPT tcp -- anywhere anywhere tcp dpt:ddi-tcp-4
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp dpt:upnotifyp
ACCEPT udp -- anywhere anywhere udp dpt:iax
ACCEPT tcp -- 192.168.100.0/24 anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ISSABEL_INPUT_GEOIP (1 references)
target prot opt source destination
Chain ISSABEL_OUTPUT (1 references)
target prot opt source destination
ISSABEL_OUTPUT_GEOIP all -- anywhere anywhere
Chain ISSABEL_OUTPUT_GEOIP (1 references)
target prot opt source destination
Chain f2b-apache-auth (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-badbots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-botsearch (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-fakegooglebot (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-modsecurity (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-nohome (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-noscript (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-overflows (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache-shellshock (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-asterisk-ami (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-asterisk-tcp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-asterisk-udp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-postfix (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-postfix-sasl (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd-ddos (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
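As an added example (not code from the post or from Issabel): a small Python checker that parses `iptables -L` output like the listings above, reports whether a chain still ends in a terminal REJECT/DROP, and lists which rules disappeared between two listings. The sample listings are constructed, abridged excerpts of the two outputs in the post; a chain that has lost its closing REJECT falls through to the built-in INPUT policy, which is ACCEPT in both listings.

```python
import re
# Constructed, abridged excerpts modelled on the two listings in the post.
WITH_GEOIP = """\
Chain ISSABEL_INPUT (1 references)
target prot opt source destination
ISSABEL_INPUT_GEOIP all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp spt:https dpt:https reject-with icmp-port-unreachable
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
Chain ISSABEL_INPUT_GEOIP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere -m geoip --source-country CO
DROP all -- anywhere anywhere -m geoip --source-country US,VC state NEW
"""
WITHOUT_GEOIP = """\
Chain ISSABEL_INPUT (1 references)
target prot opt source destination
ISSABEL_INPUT_GEOIP all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp spt:https dpt:https reject-with icmp-port-unreachable
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ISSABEL_INPUT_GEOIP (1 references)
target prot opt source destination
"""
CHAIN_RE = re.compile(r"^Chain (\S+) ")

def parse_chains(listing):
    """Map chain name -> list of rule lines from `iptables -L` text."""
    chains, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:  # "Chain NAME (...)" header starts a new chain
            current = m.group(1)
            chains[current] = []
        elif line and current and not line.startswith("target "):
            chains[current].append(line)  # skip the column header line
    return chains

def lacks_terminal_rule(chains, name):
    """True when the chain does not end in REJECT/DROP: traffic falls through to the policy."""
    rules = chains.get(name, [])
    return not rules or rules[-1].split()[0] not in ("REJECT", "DROP")

def vanished_rules(reference, actual, name):
    """Rules of chain `name` present in the reference listing but missing from the actual one."""
    have = set(actual.get(name, []))
    return [r for r in reference.get(name, []) if r not in have]
```

Run it against the two saved listings (`iptables -L` with and without the GEOIP rules enabled) to see exactly which rules, including the closing REJECT, were never loaded.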