Gist woods/25ef91a95da85bf10974, last active February 10, 2025 12:58
iptables geoip xtables firewall by country
# This is an example of how to use xtables / xt_geoip to block requests
# based on their source/destination country.
#
# It can be computationally expensive to have tons of iptables rules.
# According to the bottom of the following page, this xt_geoip is probably
# about as efficient as can be for doing this kind of thing:
# http://xtables-addons.sourceforge.net/geoip.php

# Install packages
apt-get install xtables-addons-common libtext-csv-xs-perl unzip

# Create the directory where the country data should live
mkdir /usr/share/xt_geoip

# Download and install the latest country data
mkdir /tmp/xt_geoip_dl
cd /tmp/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv

# Test it out. Singapore should get blocked, but anywhere else should get
# through. Test it on your VPS provider by firing up a couple machines in
# different countries.
iptables -I INPUT 1 -m geoip --src-cc SG -j DROP
Thanks for this, it was helpful. The xtables-addons directory was in /usr/libexec for me (Oracle Ubuntu 20.04), so those lines would be:
/usr/libexec/xtables-addons/xt_geoip_dl
/usr/libexec/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
This failed on Linode. They don't include the kernel module, so we'd have to download the linux source, then compile and load the module.
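The gist's procedure and the two comments above, pulled together as an added example (this is not the gist author's script or anything from xtables-addons). It looks for the helper tools under both the /usr/lib and /usr/libexec prefixes mentioned on this page, refuses to continue when the xt_geoip kernel module cannot be loaded (the Linode failure described above) instead of failing at the first iptables call, validates the country-code list before it becomes a rule, and uses `iptables -C` so running the script twice does not stack duplicate rules. The `xt_geoip_build -D dir *.csv` invocation is copied from the gist as-is; the function names, the `apply` argument and the `/proc/modules` check are my own assumptions.

```shell
#!/bin/sh
# Added example, not the gist author's script: an idempotent wrapper around
# the steps in the gist that copes with both install prefixes named in the
# comments, stops early when the kernel lacks xt_geoip, and only inserts a
# rule if an identical one is not already present.
set -eu

GEOIP_DB=/usr/share/xt_geoip        # same DB directory as the gist

# Locate xt_geoip_dl / xt_geoip_build. Ubuntu has shipped them under
# /usr/lib/xtables-addons or /usr/libexec/xtables-addons depending on release.
find_xt_geoip_dir() {
    for d in /usr/lib/xtables-addons /usr/libexec/xtables-addons; do
        if [ -x "$d/xt_geoip_dl" ] && [ -x "$d/xt_geoip_build" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# True if the xt_geoip kernel module is loaded or can be loaded. Hosts whose
# kernel omits it (the Linode case in the comments) fail here with a clear
# message rather than at the first "iptables -m geoip" call.
have_geoip_module() {
    grep -q '^xt_geoip ' /proc/modules 2>/dev/null && return 0
    modprobe xt_geoip 2>/dev/null
}

# Validate a comma-separated list of ISO 3166-1 alpha-2 codes and return it
# upper-cased, e.g. "sg, cn" -> "SG,CN". Fails on anything else so a typo
# does not silently turn into a rule that matches nothing.
normalize_cc() {
    out=""
    # split on commas, tolerating surrounding whitespace
    for cc in $(printf '%s' "$1" | tr ',' ' '); do
        cc=$(printf '%s' "$cc" | tr 'a-z' 'A-Z')
        case "$cc" in
            [A-Z][A-Z]) ;;
            *) return 1 ;;
        esac
        out="${out:+$out,}$cc"
    done
    [ -n "$out" ] && printf '%s\n' "$out"
}

# The rule specification shared by "iptables -C" (check) and "iptables -I".
geoip_drop_spec() {
    printf 'INPUT -m geoip --src-cc %s -j DROP\n' "$1"
}

# Insert the DROP rule at the top of INPUT unless an identical rule exists.
ensure_drop_rule() {
    spec=$(geoip_drop_spec "$1")
    # shellcheck disable=SC2086  # word splitting of $spec is intentional
    if iptables -C $spec 2>/dev/null; then
        echo "already present: iptables -I $spec"
    else
        iptables -I $spec
    fi
}

main() {
    dir=$(find_xt_geoip_dir) || {
        echo "xtables-addons helpers not found (apt-get install xtables-addons-common)" >&2
        exit 1
    }
    have_geoip_module || {
        echo "kernel module xt_geoip is not available on this host" >&2
        exit 1
    }
    ccs=$(normalize_cc "$1") || {
        echo "bad country code list: '$1' (expected e.g. SG or SG,CN)" >&2
        exit 1
    }
    mkdir -p "$GEOIP_DB"
    tmp=$(mktemp -d)
    # same download/build steps as the gist, in a throwaway directory
    (cd "$tmp" && "$dir/xt_geoip_dl" && "$dir/xt_geoip_build" -D "$GEOIP_DB" ./*.csv)
    rm -rf "$tmp"
    ensure_drop_rule "$ccs"
}

# Usage: sh geoip-block.sh apply SG        (assumed file name)
if [ "${1:-}" = "apply" ]; then
    main "${2:-}"
fi
```

The pure helpers (`normalize_cc`, `geoip_drop_spec`) can be exercised on any machine; `main` only runs when invoked with `apply` and needs root plus the xtables-addons package. Verifying that the rule is in place afterwards is the same `iptables -C INPUT -m geoip --src-cc SG -j DROP` check the script uses, which exits 0 when the rule exists.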