Project closed

geoip for iptables

In firewall it is possible to filter by country. It is very useful to block certain countries or to balance the requests to different backends, each of which handles its region.

Now WorldIP database exists in the format for geoip module from the extension package xtables-addons for iptables. Using this module, you can build more flexible rules for iptables, based on IP-geolocation.
  • Installation of xtables-addons: The standard process of compilation and installation. Download the latest version (for iptables>= 1.4.3) and extract.
    If you have an older version, e.g. in Lenny 1.4.2, and you do not want to update it, you should download xtables-addons v1.12.
    xtables-addons contains many interesting modules, as e.g. TARPIT. You may choose any modules in the file "mconfig". "build_geoip = m" should remain in config file, than the geoip will be compiled.

    Install the necessary dependencies (for debian-based):
    aptitude -y install iptables-dev linux-headers-`uname -r`
    ./configure --with-xtlibdir=/lib/xtables
    make install
    Check, if the installation is successful:
    iptables -m geoip --help
  • Installation of the database for geoip
    Already prepared database can be downloaded here. The database should be placed in /var/geoip (this is hardcoded in the source code). The database can be updated with cron (e.g. once a month), so that it remains actual.
  • Examples
    • Allow ssh for own country(DE) and the country where you take holidays(FR)
      iptables -A INPUT -p tcp --dport 22 -m geoip --src-cc DE,FR -j ACCEPT
      iptables -A INPUT -p tcp --dport 22 -j DROP
    • Block access to FTP server for Papua New Guinea (PG)
      iptables -A INPUT -p tcp --dport 21 -m geoip --src-cc PG -j DROP
      iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    • Use separate marks for USA and the others, and send each type of traffic to its own destination
      iptables -A INPUT -p tcp --dport 80 -m geoip --src-cc US -d <IP> -j MARK --set-mark 1
      iptables -A INPUT -p tcp --dport 80 -m geoip ! --src-cc US -d <IP> -j MARK --set-mark 2