How to Block IP Addresses from Countries with Geoip Addon in Iptables

In this tutorial we will learn how to block traffic originating from the IP addresses of specific countries using the GeoIP database and Linux iptables. Iptables is a command-line utility for configuring the Linux kernel firewall, which is implemented as part of the Netfilter project. GeoIP is a collection of IP addresses mapped to geographic locations: the address blocks allocated to particular organizations, cities, regions and countries. The geographic coordinates in the GeoIP database are usually placed near the population center of an area, so they should not be used to identify a specific address or household. The two are tied together by a module called xt_geoip, which consists of an iptables extension from xtables-addons plus the GeoIP database.

Updating and installing dependencies

First of all, we have to upgrade our Linux system, and then we will install the dependencies that xtables-addons needs. To do this, we run the commands below for the distribution running on our machine.

Debian based system (Debian, Ubuntu, Linux Mint)

    # apt-get update && apt-get upgrade
    # apt-get install iptables-dev xtables-addons-common libtext-csv-xs-perl pkg-config

RedHat based system (CentOS, RHEL, Fedora)

    # yum update
    # yum install gcc-c++ make automake kernel-devel-`uname -r` wget unzip iptables-devel perl-Text-CSV_XS

Installing xtables-addons

After our system is upgraded and all dependencies are installed, we will install xtables-addons on our machine. To do this, we download the latest tarball from the official site of the xtables-addons project using wget, unpack the archive, and then compile and install it.

    # wget
    # tar xf xtables-addons-2.13.tar.xz
    # cd xtables-addons-2.13
    # ./configure
    # make
    # make install

Allow SELinux to load modules (based on RedHat system)

Since RedHat-based distributions (CentOS, RHEL, Fedora) have SELinux enabled by default, we have to adjust the SELinux labels as follows. Otherwise, SELinux will prevent iptables from loading the xt_geoip module.

    # chcon -vR --user=system_u /lib/modules/$(uname -r)/extra/*.ko
    # chcon -vR --type=lib_t /lib64/xtables/*.so

Installing the GeoIP Database

Next, we will use the helper scripts that come with the xt_geoip module of xtables-addons: xt_geoip_dl downloads the GeoIP database from MaxMind, and xt_geoip_build converts it into the binary form recognized by xt_geoip. Once the database is built, we move the resulting files to the path where xt_geoip expects them, i.e. /usr/share/xt_geoip/.

    # cd geoip
    # ./xt_geoip_dl
    # ./xt_geoip_build GeoIPCountryWhois.csv
    # mkdir -p /usr/share/xt_geoip/
    # cp -r {BE,LE} /usr/share/xt_geoip/

Blocking traffic from the country

If all went as expected, we should now be able to use the GeoIP module from the iptables utilities on our firewall.

Using Iptables

Here is the basic syntax for using iptables with the GeoIP module to block traffic originating from or destined for a country. Instead of a country name we have to use the two-letter ISO 3166 code, for example RU for Russia, IE for Ireland, IN for India, CN for China, and so on.

    # iptables -m geoip --src-cc country[,country...] --dst-cc country[,country...]

Now, if we want to block incoming traffic from India (IN) and the United States of America (US), we run the following iptables command.

    # iptables -I INPUT -m geoip --src-cc IN,US -j DROP

If we want to block all incoming traffic that does not originate from Russia, we run the following command on our server.

    # iptables -I INPUT -m geoip ! --src-cc RU -j DROP

    # ping
    PING ( 56(84) bytes of data.

When we tried to ping the server from a network outside Russia, we got no answers. Because the iptables configuration was applied only at runtime and was not saved, after we rebooted the server we received ping responses from it again. If we want to block outgoing traffic destined for India (IN), we run the following command.

    # iptables -A OUTPUT -m geoip --dst-cc IN -j DROP
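The following script is an added example and is not part of the original article or of xtables-addons. It wraps the iptables/xt_geoip commands shown above so that the country codes are validated before they reach iptables, the rules are emitted in an order that cannot cut off sessions that are already open, the drops are logged, and the ruleset can be saved so it survives a reboot (the article shows it being lost). The dedicated chain name GEOIP_IN, the log prefix "GEOIP-DROP: " and the save path /etc/iptables/rules.v4 are our own choices, not anything the page prescribes; the check that a per-country file such as LE/IN.iv4 exists relies on the layout xt_geoip_build produces.

```sh
#!/bin/sh
# Added example, not code from the original article or from xtables-addons.
# Assumptions that are ours: chain GEOIP_IN, log prefix "GEOIP-DROP: ",
# save path /etc/iptables/rules.v4.
LC_ALL=C; export LC_ALL

# xt_geoip_build writes one file per country under BE/ and LE/, e.g. LE/IN.iv4.
# GEOIP_DB can be pointed at another directory for testing.
GEOIP_DB=${GEOIP_DB:-/usr/share/xt_geoip}

# A country code is exactly two uppercase ASCII letters (ISO 3166-1 alpha-2).
valid_cc() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
        *) return 1 ;;
    esac
}

# Normalise "in, us" to "IN,US"; fail if the list is empty or contains a bad code.
clean_cc_list() {
    out=""
    for cc in $(printf '%s' "$1" | tr ',' ' ' | tr '[:lower:]' '[:upper:]'); do
        valid_cc "$cc" || return 1
        out="${out:+$out,}$cc"
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Return 0 only if the built database has an IPv4 file for every code given,
# so a typo such as "UN" is caught instead of producing a rule that matches nothing.
db_has_cc() {
    for cc in $(printf '%s' "$1" | tr ',' ' '); do
        [ -f "$GEOIP_DB/LE/$cc.iv4" ] || [ -f "$GEOIP_DB/BE/$cc.iv4" ] || return 1
    done
    return 0
}

# Print (do not run) the rules. MODE is "block" (drop the listed countries)
# or "allow-only" (drop everything not from them, the article's "! --src-cc RU").
# Loopback and established connections are accepted before the geoip test so
# an open session cannot be cut off, and a rate-limited LOG precedes the DROP.
geoip_rules() {
    case "$1" in
        block)      neg="" ;;
        allow-only) neg="! " ;;
        *) echo "mode must be block or allow-only" >&2; return 1 ;;
    esac
    codes=$(clean_cc_list "$2") || { echo "bad country list: $2" >&2; return 1; }
    cat <<EOF
iptables -N GEOIP_IN
iptables -A GEOIP_IN -i lo -j RETURN
iptables -A GEOIP_IN -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -A GEOIP_IN -m geoip ${neg}--src-cc $codes -m limit --limit 10/min -j LOG --log-prefix "GEOIP-DROP: "
iptables -A GEOIP_IN -m geoip ${neg}--src-cc $codes -j DROP
iptables -I INPUT 1 -j GEOIP_IN
EOF
}

# Runtime rules vanish at reboot; iptables-save writes them to a file that
# iptables-restore (or the distribution's iptables-persistent / iptables service) reloads.
persist_cmd() {
    printf 'iptables-save > %s\n' "${1:-/etc/iptables/rules.v4}"
}

# Usage (prints the commands; pipe them to "sh" as root to apply):
#   geoip_rules block IN,US && persist_cmd
#   geoip_rules allow-only RU
if [ $# -ge 2 ]; then
    db_has_cc "$(clean_cc_list "$2")" || echo "warning: no database file for some of: $2" >&2
    geoip_rules "$1" "$2"
fi
```

Emitting the commands instead of executing them lets you review the ruleset before it touches a remote host, which matters with the allow-only form: a wrong code there drops every address, including your own.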

Using firewalld

If we are on a systemd-based system that uses firewalld as the front end for iptables, we can use firewalld for the same tasks through its direct interface.

    # firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m geoip --src-cc IN,US -j DROP

    # firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m geoip ! --src-cc RU -j DROP

    # firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m geoip --dst-cc IN -j DROP

Iptables with the GeoIP module is very useful for reducing DoS and DDoS traffic originating from particular countries. It is also very effective if you want to restrict access to your website or server from a specific country. So, having the GeoIP module installed with xtables-addons is required for an installation that allows or denies traffic by country. If you have any questions, suggestions or feedback, please write them in the comment box below. Thank you, and good luck!
