PanderMusubi/geoipblock

Block network traffic for IP addresses of specific countries

Voor Nederlands, zie README-nl.md

geoipblock

Block network traffic for IP addresses of specific countries.

The only good is knowledge and the only evil is ignorance. — Socrates (469 – 399 BC) Greek philosopher in Athens

This manual describes how to use xtables-addons to drop incoming and outgoing network packages for all ports on IP-based geographical location. See also https://inai.de/projects/xtables-addons/geoip.php and https://codeberg.org/jengelh/xtables-addons for more information.

In case your organization uses network hardware from Cisco Systems, Juniper, etc. it is also possible to configure blocking on IP-based geographical locations.

(For Debian, see below.)

Ubuntu 24.04 LTS Noble Numbat

This distribution offers xtables-addons 3.25. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo mkdir /usr/share/xt_geoip/

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -s > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Ubuntu 23.10 Mantic Minotaur

This distribution offers xtables-addons 3.24. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo mkdir /usr/share/xt_geoip/

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -s > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Ubuntu 23.04 Lunar Lobster

This distribution offers xtables-addons 3.23. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo mkdir /usr/share/xt_geoip/

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -s > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Ubuntu 22.10 Kinetic Kudu

This distribution offers xtables-addons 3.21. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo mkdir /usr/share/xt_geoip/

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -s > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Ubuntu 22.04 LTS Jammy Jellyfish

This distribution offers xtables-addons 3.19. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo mkdir /usr/share/xt_geoip/

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -s > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Ubuntu 21.10 Impish Indri

This distribution offers xtables-addons 3.18. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -s > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Ubuntu 21.04 Hirsute Hippo

This distribution offers xtables-addons 3.13. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo mkdir /usr/share/xt_geoip/

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -s > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Ubuntu 20.04 LTS Focal Fossa

This distribution offers xtables-addons 3.9. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo chmod a+x /usr/lib/xtables-addons/xt_geoip_build
sudo mkdir /usr/share/xt_geoip/

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/lib/xtables-addons/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip/ > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Ubuntu 18.04 LTS Bionic Beaver

This distribution offers xtables-addons 3.0. Here xtables-addons uses only the maxmind geo IP database. However, that database is now available under another URL than xtables-addons expects. Additionally, this version of xtables-addons is rather old.

This manual does not yet have a workaround for the database issue, but contributing a workaround is welcome.

Debian 13 Trixie

This distribution offers xtables-addons 3.25. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo mkdir /usr/share/xt_geoip/

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -s > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Debian 12 Bookworm

This distribution offers xtables-addons 3.23. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo mkdir /usr/share/xt_geoip/

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -s > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Debian 11 Bullseye

This distribution offers xtables-addons 3.13. Install software packages with

sudo apt-get install -y xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo mkdir /usr/share/xt_geoip/

Create the file /etc/cron.daily/xt_geoip containing

#!/bin/sh -e
workdir=$(mktemp -d)
cd ${workdir}
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -s > /dev/null
cd && rm -rf ${workdir}

and give that file execution rights with

sudo chmod a+x /etc/cron.daily/xt_geoip

Testing

Test the installation with

sudo modprobe xt_geoip
lsmod | grep ^xt_geoip
sudo /etc/cron.daily/xt_geoip; echo $?
ls /usr/share/xt_geoip/

WARNING: The following commands can lock you and all others out of your machine!

Look up the country codes of the countries to block at https://db-ip.com/faq.php and note there are also some additional codes available. Use the codes instead of XX,YY below. An example is BY,CH,HK,IR,KP,RU.

Block incoming network packages by adding these rules

iptables -I INPUT -m geoip --src-cc XX,YY -j DROP
ip6tables -I INPUT -m geoip --src-cc XX,YY -j DROP

Also block outgoing network packages by adding these rules

iptables -A OUTPUT -m geoip --dst-cc XX,YY -j DROP
ip6tables -A OUTPUT -m geoip --dst-cc XX,YY -j DROP

Up to and including version 3.23, the maximum number of countries to block is fifteen. The maximum number of countries since version 3.25 is 31. All rules can be listed with

sudo iptables -L --line-numbers
sudo ip6tables -L --line-numbers

Testing can be done for example on a mobile device by using a free VPN from Android app stores such as Google Play and F-Droid or the App Store for iOS. This might not offer the specific countries to block, but for testing temporarily via the freely available countries, this is useful.

Rules can be deleted with

sudo iptables -D INPUT 1
sudo iptables -D OUTPUT 1
sudo ip6tables -D INPUT 1
sudo ip6tables -D OUTPUT 1

where the number is the line number of the rule to delete.

Configuration

Make the iptables command persistent by first saving the current configuration with

iptables-save > rules
ip6tables-save > rules6

This can result in an empty file or something that looks like

# Generated by iptables-save ...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
...
COMMIT
# Completed on ...

Only if the lines with -I INPUT -m geoip ... -j DROP of -A OUTPUT -m geoip ... -j DROP are missing continue with the following edit instruction. Change both files by only adding these two lines

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-I INPUT -m geoip --src-cc XX,YY -j DROP
...
-A OUTPUT -m geoip --dst-cc XX,YY -j DROP
COMMIT

Store and activate the new configuration with

iptables-restore < rules
ip6tables-restore < rules6

Check the resulting changes with

sudo iptables -L -v
sudo ip6tables -L -v

Deinstallation

Deinstallations can be done with

sudo apt-get purge xtables-addons-common libtext-csv-xs-perl libnet-cidr-lite-perl
sudo apt-get -y autoremove
sudo rm -rf /usr/share/xt_geoip/

Troubleshooting

Effect of the test or persistent configuration can be monitored with

tail -f /var/log/kern.log

See also

See also:

• https://packages.ubuntu.com/search?keywords=xtables-addons
• https://packages.debian.org/search?keywords=xtables-addons
• https://software.opensuse.org/package/xtables-addons
• https://wiki.ubuntu.com/Releases
• https://wiki.debian.org/DebianReleases