Blocking traffic by geographical location (for example by country) requires a list of the IP ranges assigned to each country. IANA hands address blocks to the regional registries, and a GeoIP database such as MaxMind's GeoLite2 (used below) maps those ranges to country codes.
That leaves two options:
- Fetch the list of ranges yourself and generate one iptables rule per range (thousands of rules for a single large country).
- Use an iptables match module that does the country lookup for you.
Luckily xtables-addons provides such a module, xt_geoip; the guide below sets it up.
Allow or block whole countries
5.1 Install xtables-addons
You can install the xtables-addons module using various methods; feel free to use the installation method that works best for you.
Step 1: Install the packages
# apt-get install iptables curl unzip perl
# apt-get install xtables-addons-common
# apt-get install libtext-csv-xs-perl libmoosex-types-netaddr-ip-perl
xtables-addons-common provides the userspace side (the libxt_geoip match and the xt_geoip_build script); the two Perl packages are what xt_geoip_build needs to parse the CSV. On Debian and Ubuntu the kernel module itself comes from xtables-addons-dkms, so install that too unless your kernel already ships xt_geoip.
Step 2: Get the country list and the conversion scripts
Fetch the GeoLite2xtables helper scripts from GitHub and clone or unpack them into /usr/local/src/GeoLite2xtables, the directory Step 3 changes into:
https://github.com/mschmitt/GeoLite2xtables
MaxMind has required a free account and license key for GeoLite2 downloads since the end of 2019; check the repository README for how the download script expects it to be supplied.
Step 3: Download and convert the GeoLite2 tables
# mkdir /usr/share/xt_geoip
# cd /usr/local/src/GeoLite2xtables/
# ./00_download_geolite2
# ./10_download_countryinfo
# cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv | ./20_convert_geolite2 /tmp/CountryInfo.txt > /usr/share/xt_geoip/GeoIP-legacy.csv
# /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip /usr/share/xt_geoip/GeoIP-legacy.csv
The conversion writes the legacy GeoIP CSV layout that the xt_geoip_build shipped with xtables-addons 2.x expects, and -D /usr/share/xt_geoip is the directory the module reads its per-country files from. xtables-addons 3.x ships an xt_geoip_build that reads the DB-IP CSV instead, so check the xt_geoip_build man page for your version before relying on this step. The database goes stale as address blocks move, so repeat this step (for example from cron) on a regular schedule.
Step 4: Load the module into the kernel
# modprobe xt_geoip
# lsmod | grep ^xt_geoip
Step 5: Test that the geoip match loaded properly
Just type on the console:
# iptables -m geoip --help
The output should end with the geoip match options (--src-cc, --dst-cc and their negations). If iptables instead reports that it cannot load the geoip match, the userspace extension from xtables-addons-common is missing or not on the library path.
How to block, say, China, Russia and Hong Kong (blacklist mode). Omit "-p tcp --dport 25" if you want to drop ALL traffic from those countries rather than only SMTP (--dport is only valid together with -p, so both go together):
iptables -A INPUT -m geoip -p tcp --dport 25 --src-cc RU,CN,HK -j DROP
How to block ALL except Saudi Arabia (whitelist mode). Again, omit "-p tcp --dport 25" to apply it to all traffic:
iptables -A INPUT -m geoip -p tcp --dport 25 ! --src-cc SA -j DROP
Be careful with the all-traffic form of the whitelist: on its own it also drops loopback, replies to the host's own outbound connections and the SSH session of any administrator connecting from outside SA. Append ACCEPT rules for -i lo, for -m conntrack --ctstate ESTABLISHED,RELATED and for your management address before the geoip DROP. The same matches work in ip6tables for IPv6, since the build step also produces the IPv6 tables.
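The following script is an added example, not part of the original guide or of xtables-addons. It wraps the blacklist and whitelist rules above in a small helper that validates the country list, builds the rule with or without the port match, appends each rule only if it is not already present, and puts the loopback/established/admin exceptions in front of the whitelist DROP. It assumes iptables and xt_geoip are set up as in Steps 1 to 4; ADMIN_CIDR is a placeholder for the address you administer the host from, and DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original guide or from xtables-addons).
# Assumptions: iptables + xt_geoip installed as in Steps 1-4; ADMIN_CIDR is a
# placeholder for your management address; DRY_RUN=1 (default) only prints.
DRY_RUN="${DRY_RUN:-1}"

# Accept only a comma-separated list of uppercase two-letter country codes
# (ISO 3166-1 alpha-2, the form --src-cc expects); reject anything else
# before it reaches iptables.
validate_cc() {
    printf '%s' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# Blacklist mode: drop traffic whose source is in any listed country.
# The optional second argument restricts the rule to one TCP port; with no
# port both "-p tcp" and "--dport" are left out (--dport needs -p).
blacklist_rule() {
    validate_cc "$1" || { echo "bad country list: $1" >&2; return 1; }
    echo "iptables -A INPUT ${2:+-p tcp --dport $2 }-m geoip --src-cc $1 -j DROP"
}

# Whitelist mode: drop everything whose source is NOT in a listed country.
whitelist_rule() {
    validate_cc "$1" || { echo "bad country list: $1" >&2; return 1; }
    echo "iptables -A INPUT ${2:+-p tcp --dport $2 }-m geoip ! --src-cc $1 -j DROP"
}

# A bare whitelist DROP on INPUT also drops loopback, replies to the host's
# own connections and the admin's session if that admin is abroad, so these
# ACCEPTs must be appended before the geoip rule. The argument is an
# optional management CIDR to exempt.
whitelist_prelude() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ -n "$1" ]; then
        echo "iptables -A INPUT -s $1 -j ACCEPT"
    fi
}

# Append a rule only if an identical one is not already in the chain
# (-C checks, -A appends), so re-running after a reboot or after a GeoIP
# database rebuild does not stack duplicates. Takes the full command line
# as produced by the functions above.
apply_rule() {
    args="${1#iptables -A }"
    if [ "$DRY_RUN" = 1 ]; then
        echo "$1"
        return 0
    fi
    # Word splitting of $args into separate iptables arguments is intended.
    iptables -C $args 2>/dev/null || iptables -A $args
}

main() {
    # Blacklist: SMTP from RU, CN and HK, as in the guide.
    r=$(blacklist_rule RU,CN,HK 25) && apply_rule "$r"
    # Whitelist: everything except SA, preceded by the safety exceptions.
    whitelist_prelude "${ADMIN_CIDR:-}" | while read -r r; do apply_rule "$r"; done
    r=$(whitelist_rule SA) && apply_rule "$r"
}

main
```

Run it as-is to review the generated commands, then as "DRY_RUN=0 ADMIN_CIDR=203.0.113.10/32 sh geoip-block.sh" (with your own management address) to apply them. The -C/-A pair makes the script safe to call from a boot hook or after every database rebuild; iptables rules are not persistent by themselves. For IPv6 the same functions work with ip6tables substituted for iptables.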