
Block countries based on Geo-IP with iptables on Ubuntu 16 and 18

Blocking traffic by geographical location, such as by country, needs a list of the IP ranges in use in each country. IANA allocates address space to the regional registries, which assign it to networks in each country; GeoIP databases such as MaxMind's GeoLite2 map the resulting ranges to country codes.

There are two options:

  1. Fetch the list of ranges and write the iptables rules yourself, one rule per range, and keep them current by hand
  2. Use an iptables match module that does the country lookup against that list for you

Luckily such a module exists: xt_geoip from xtables-addons. The guide below sets it up.

Allow or block whole countries

Install xtables-addons

xtables-addons can be installed in several ways; the steps below use the Ubuntu packages, so use whichever method works best for your system.

Step 1: Install the packages

# apt-get install iptables curl unzip perl
# apt-get install xtables-addons-common
# apt-get install libtext-csv-xs-perl libmoosex-types-netaddr-ip-perl

The kernel module itself is shipped separately in xtables-addons-dkms and built against the running kernel by DKMS; apt normally pulls it in as a recommended package of xtables-addons-common, but check that it is installed, or the modprobe in step 4 will fail.

Step 2: Get the country list conversion scripts

Clone the GeoLite2xtables helper scripts from GitHub into /usr/local/src/GeoLite2xtables (the directory step 3 changes into):
https://github.com/mschmitt/GeoLite2xtables

They download the MaxMind GeoLite2 country database and the geonames country list, and convert the two into the legacy GeoIP CSV format that this version of xt_geoip_build reads. MaxMind has required a free account and license key for GeoLite2 downloads since the end of 2019; see the repository's README for how to supply it to the download script.

Step 3: Convert the GeoLite2 data to the legacy format

# mkdir /usr/share/xt_geoip
# cd /usr/local/src/GeoLite2xtables/
# ./00_download_geolite2
# ./10_download_countryinfo
# cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv | ./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/GeoIP-legacy.csv
# /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip /usr/share/xt_geoip/GeoIP-legacy.csv

The last command writes the per-country range files into /usr/share/xt_geoip; both IPv4 and IPv6 ranges are included because both CSVs were fed to the converter. Address allocations move between countries over time, so rerun these commands on a schedule (a cron job) rather than once.

Step 4: Load the module into the kernel

# modprobe xt_geoip
# lsmod | grep ^xt_geoip

Step 5: Check that the geoip match works
Type on the console:

# iptables -m geoip --help

If the module and its userspace library are in place, the output ends with the geoip match options (--src-cc and --dst-cc); if iptables complains that it cannot find the match, the library or the module is missing.
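The conversion in step 3 is the part of the procedure that is easiest to get wrong, so here is a small stand-alone converter that does the same job as the project's 20_convert_geolite2 for IPv4 rows. It is an added example, not code from this page or from the GeoLite2xtables project: it takes a GeoLite2-Country-Blocks CSV on stdin and a mapping file of geoname_id to ISO code and name (a constructed, simplified stand-in for CountryInfo.txt), expands each CIDR to a start/end range, and prints the six-column legacy layout (start IP, end IP, start number, end number, code, name) that xt_geoip_build on these Ubuntu releases reads. Falling back to registered_country_geoname_id when geoname_id is empty is this example's choice; the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the page or the GeoLite2xtables project): convert the
# GeoLite2 country-blocks CSV into the legacy GeoIP CSV layout that
# xt_geoip_build on Ubuntu 16/18 reads. IPv4 only; IPv6 rows are skipped.

# Constructed stand-in for CountryInfo.txt: geoname_id<TAB>ISO code<TAB>name.
# (The real geonames file has many more columns; only this mapping is needed.)
SAMPLE_MAP=$(mktemp)
printf '2077456\tAU\tAustralia\n1814991\tCN\tChina\n' > "$SAMPLE_MAP"
trap 'rm -f "$SAMPLE_MAP"' EXIT

# Constructed sample of GeoLite2-Country-Blocks-IPv4.csv. The third row has no
# geoname_id (as anonymous-proxy ranges often do); the fourth points at an id
# that is not in the map.
SAMPLE_BLOCKS='network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
1.0.0.0/24,2077456,2077456,,0,0
1.0.1.0/24,1814991,1814991,,0,0
1.0.4.0/22,,2077456,,1,0
1.0.8.0/21,9999999,9999999,,0,0'

# convert_geolite2 MAPFILE   (GeoLite2 blocks CSV on stdin, legacy CSV on stdout)
convert_geolite2() {
  awk -F, -v mapfile="$1" '
    BEGIN {
      while ((getline line < mapfile) > 0) {
        split(line, f, "\t"); cc[f[1]] = f[2]; name[f[1]] = f[3]
      }
    }
    $1 == "network" { next }                  # header row
    index($1, ":") > 0 { next }               # IPv6 row: not handled here
    {
      # Fall back to the registered country when geoname_id is empty
      # (this example'"'"'s choice; check the upstream script for its own rule).
      id = ($2 != "") ? $2 : $3
      if (!(id in cc)) next                   # unknown id: drop the row
      split($1, p, "/"); split(p[1], o, ".")
      size  = 2 ^ (32 - p[2])                 # addresses in the prefix
      start = o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
      start = int(start / size) * size        # align to the prefix boundary
      end   = start + size - 1
      printf "\"%s\",\"%s\",\"%.0f\",\"%.0f\",\"%s\",\"%s\"\n", num2ip(start), num2ip(end), start, end, cc[id], name[id]
    }
    function num2ip(n) {
      return int(n / 16777216) "." (int(n / 65536) % 256) "." (int(n / 256) % 256) "." (n % 256)
    }
  '
}

# Run the conversion over the constructed sample.
run_sample() {
  printf '%s\n' "$SAMPLE_BLOCKS" | convert_geolite2 "$SAMPLE_MAP"
}

run_sample
```

On a real system the converted file is what step 3 hands to xt_geoip_build; the numeric start/end columns are the ones it uses for IPv4, which is why aligning the network address to its prefix boundary matters.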

Blacklist mode: drop traffic from chosen countries, here Russia, China and Hong Kong. Omit -p tcp --dport 25 to drop all traffic from them rather than only SMTP:

iptables -A INPUT -m geoip -p tcp --dport 25 --src-cc RU,CN,HK -j DROP

Whitelist mode: drop traffic from everywhere except Saudi Arabia; again omit -p tcp --dport 25 to apply it to all traffic. Before adding this rule, accept the network you administer the host from, otherwise it locks you out as soon as that network is not geolocated to SA:

iptables -A INPUT -m geoip -p tcp --dport 25 ! --src-cc SA -j DROP
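The two rules above are the minimum; a ruleset that is safe to apply needs a little more around them. The function below is an added example, not from the page: it prints the iptables and ip6tables commands for either mode and adds two safeguards of its own choosing: replies to connections this host opened are accepted before any geoip check, and whitelist mode refuses to run unless a management network is given, which is accepted ahead of the drop. The mode names, the "all" port keyword and the 203.0.113.0/24 management network are this example's conventions.

```shell
#!/bin/sh
# Added example (not from the page): print the iptables and ip6tables commands
# for a geoip block in either mode, with two safeguards the bare rules lack.

# geoip_rules MODE CCLIST PORT [ADMIN_CIDR]
#   MODE        blacklist = drop the listed countries, whitelist = drop all others
#   CCLIST      comma-separated ISO country codes, e.g. RU,CN,HK
#   PORT        TCP port to protect, or "all" for every protocol and port
#   ADMIN_CIDR  network that is always accepted (required in whitelist mode)
geoip_rules() {
  local mode="$1" cclist="$2" port="$3" admin="$4" match proto fw
  case "$mode" in
    blacklist) match="--src-cc $cclist" ;;
    whitelist)
      if [ -z "$admin" ]; then
        echo "geoip_rules: whitelist mode needs an admin network or you lock yourself out" >&2
        return 1
      fi
      match="! --src-cc $cclist" ;;
    *) echo "geoip_rules: unknown mode '$mode'" >&2; return 1 ;;
  esac
  if [ "$port" = all ]; then proto=""; else proto="-p tcp --dport $port "; fi
  for fw in iptables ip6tables; do
    # Replies to connections this host opened are never geo-filtered.
    echo "$fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ -n "$admin" ]; then
      # Emit the admin rule only in the table of its address family:
      # a v6 prefix contains ':' and a v4 prefix contains '.'.
      case "$admin:$fw" in
        *:*:iptables) ;;          # IPv6 admin net, IPv4 table: skip
        *.*:ip6tables) ;;         # IPv4 admin net, IPv6 table: skip
        *) echo "$fw -A INPUT -s $admin -j ACCEPT" ;;
      esac
    fi
    # The geoip drop goes last so the two rules above take precedence.
    echo "$fw -A INPUT ${proto}-m geoip $match -j DROP"
  done
}

# The page's blacklist rule for SMTP, with the safeguards added.
geoip_rules blacklist RU,CN,HK 25
# The page's whitelist rule for all traffic; refused without an admin network.
geoip_rules whitelist SA all 203.0.113.0/24
```

Review the output, then run it through sh on a clean INPUT chain: -A appends, so any broader ACCEPT rules already in the chain take precedence over the drop. The ip6tables commands work because step 3 built the IPv6 ranges alongside the IPv4 ones. Rules do not survive a reboot unless saved (iptables-persistent on Ubuntu), and because the geoip match copies the country ranges into each rule when it is inserted, the rules must be re-applied after every database rebuild for the new ranges to take effect.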