How to Block IPs from Countries using Iptables Geoip Addons

We'll learn how to block traffic originating from specific countries' IPs using the GeoIP database and Linux iptables. Iptables is a command-line utility for configuring the Linux kernel firewall, which is implemented within the Netfilter project. GeoIP is a database that maps IP addresses to the geographical locations (organization, city, state and country) to which they are allocated. The geographical coordinates in the GeoIP database are often near the center of the population, so they should not be used to identify a particular address or household. With the help of a module called xt_geoip, which is part of the iptables extension xtables-addons, and the GeoIP database, we'll perform country-based traffic filtering, which lets us block or allow traffic from a specific country.

Upgrading and Installing Dependencies

First of all, we'll upgrade our Linux system and then install the dependencies required for xtables-addons. To do so, we'll run the following commands for the distribution running on our machine.

Debian based system (Debian, Ubuntu, Linux Mint)

# apt-get update && apt-get upgrade
# apt-get install iptables-dev xtables-addons-common libtext-csv-xs-perl pkg-config

RedHat based system (CentOS, RHEL, Fedora)

# yum update
# yum install gcc-c++ make automake kernel-devel-`uname -r` wget unzip iptables-devel perl-Text-CSV_XS

Installing Xtables-addons

Once our system is upgraded and the dependencies are installed, we'll install xtables-addons on our machine. To do so, we'll download the latest tarball from the official xtables-addons project site using wget. Once it's downloaded, we'll extract the tarball, then compile and install it.

# wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-2.13.tar.xz
# tar xf xtables-addons-2.13.tar.xz
# cd xtables-addons-2.13
# ./configure
# make
# make install

Allow SELinux to load modules (RedHat based system)

As RedHat-based Linux distributions, i.e. CentOS, RHEL and Fedora, have SELinux enabled by default, we'll need to adjust the SELinux context of the installed files as follows. Otherwise, SELinux will prevent iptables from loading the xt_geoip module.

# chcon -vR --user=system_u /lib/modules/$(uname -r)/extra/*.ko
# chcon -vR --type=lib_t /lib64/xtables/*.so

Install GeoIP Database

Next, we'll run the xt_geoip_dl script that comes with the xtables-addons extension, which downloads the GeoIP database from MaxMind, and then xt_geoip_build, which converts it into the binary form recognized by xt_geoip. Once it's built, we'll copy the result to the path xt_geoip expects, i.e. /usr/share/xt_geoip/.

# cd geoip
# ./xt_geoip_dl
# ./xt_geoip_build GeoIPCountryWhois.csv
# mkdir -p /usr/share/xt_geoip/
# cp -r {BE,LE} /usr/share/xt_geoip/

Block traffic to and from a Country

If everything went as expected, we should now be able to use the geoip module with our firewall utility, iptables.

Using Iptables

Here's the basic syntax for using iptables with the geoip module to block traffic originating from or destined to a country. We need to use the two-letter ISO 3166 code in place of country, e.g. US for United States, IE for Ireland, IN for India, CN for China and so on.

# iptables -m geoip --src-cc country[,country...] --dst-cc country[,country...]

Now, if we want to block incoming traffic from India (IN) and United States (US), the following iptables command should do.

# iptables -I INPUT -m geoip --src-cc IN,US -j DROP

If we want to block all incoming non-US traffic on our server, we need to execute the following.

# iptables -I INPUT -m geoip ! --src-cc US -j DROP

Here's a screenshot I took when I tried to ping the server from a non-US network. I wasn't getting any replies from the ping. As the iptables configs were applied at runtime and weren't saved, after I rebooted the server, I got ping replies from the server.

If we want to block outgoing traffic destined to India (IN), we need to run the following command.

# iptables -A OUTPUT -m geoip --dst-cc IN -j DROP
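
The rules above only work when every country code is a real two-letter code with a file in the GeoIP database, and the negated `! --src-cc` form also matches loopback and private addresses, which belong to no country. As an added example (not part of the original article), this shell helper checks each code against the database directory before printing the rules; `geoip_rules`, `check_cc` and the `GEOIP_DIR` variable are hypothetical names, and the `LE/<CC>.iv4` layout is assumed from the `xt_geoip_build` step above.

```shell
#!/bin/sh
# Added example, not from the original article: print geoip rules only
# after every country code has been checked against the installed database.
LC_ALL=C; export LC_ALL

# Assumed layout: xt_geoip_build output copied as on this page, giving
# $GEOIP_DIR/LE/<CC>.iv4 and $GEOIP_DIR/BE/<CC>.iv4.
GEOIP_DIR="${GEOIP_DIR:-/usr/share/xt_geoip}"

# check_cc CODE: succeed if CODE is two uppercase letters with a DB file.
check_cc() {
    case "$1" in
        [A-Z][A-Z]) ;;
        *) return 1 ;;
    esac
    [ -f "$GEOIP_DIR/LE/$1.iv4" ] || [ -f "$GEOIP_DIR/BE/$1.iv4" ]
}

# geoip_rules MODE CODES   (hypothetical helper)
#   block      -> drop traffic from the listed countries
#   allow-only -> drop traffic from every country NOT listed
# CODES is a comma-separated list such as IN,US. Prints the iptables
# commands, or prints nothing and returns 1 if any code is rejected.
geoip_rules() {
    mode=$1; codes=$2
    case "$codes" in
        ""|,*|*,|*[!A-Z,]*) echo "malformed list: $codes" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for cc in $codes; do
        check_cc "$cc" && continue
        IFS=$old_ifs
        echo "no database entry for country code: $cc" >&2
        return 1
    done
    IFS=$old_ifs
    case "$mode" in
        block)
            echo "iptables -I INPUT -m geoip --src-cc $codes -j DROP" ;;
        allow-only)
            # Loopback and private addresses belong to no country, so the
            # negated match drops them too: accept loopback and replies
            # first (LAN ranges would need their own ACCEPT rule).
            echo "iptables -I INPUT 1 -i lo -j ACCEPT"
            echo "iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            echo "iptables -I INPUT 3 -m geoip ! --src-cc $codes -j DROP" ;;
        *)  echo "mode must be block or allow-only" >&2; return 1 ;;
    esac
}
```

Source the file and review the output of, for example, `geoip_rules allow-only US` before running the printed commands as root.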

Using firewalld

If we are running a systemd-based system with firewalld as the frontend controller for iptables, we can also use firewalld direct rules for the same job.

# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m geoip --src-cc IN,US -j DROP

# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m geoip ! --src-cc US -j DROP

# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m geoip --dst-cc IN -j DROP

Iptables with the GeoIP module is essential for preventing DoS and DDoS attacks originating from certain countries. It is also very efficient when you want to restrict access to your particular website or server from a certain country. So, having the GeoIP module installed with xtables-addons is a must-have setup for allowing or restricting certain countries. If you have any questions, suggestions or feedback, please write them in the comment box below. Thank you! Enjoy :-)

About Arun Pyasi

Linux Enthusiast geek and Web Developer who loves Free and Open Source Software (FOSS). He is a FOSS activist who loves technology, hacking, blogging, travelling, research and development. He is the Founder/Lead Developer of Chitwanix OS.
