iptables + geoip blocking

March 31st, 2013 by Russell

How to set up iptables on CentOS 6 to easily ACCEPT/DENY based on source country:

yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel perl-Text-CSV_XS

wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/1.47/xtables-addons-1.47.1.tar.xz

tar xvf xtables-addons-1.47.1.tar.xz; cd xtables-addons-1.47.1; ./configure && make && make install

cd geoip/

./xt_geoip_dl

./xt_geoip_build GeoIPCountryWhois.csv

mkdir -p /usr/share/xt_geoip/

cp -r {BE,LE} /usr/share/xt_geoip/

Test it like this:
iptables -I INPUT -m geoip --src-cc CN -j DROP
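
A preflight check for the setup above, as an added example that is not part of the original post: it confirms that an xt_geoip module exists for a given kernel release and that the country database files are in place before any geoip rule is loaded, which covers the kernel-upgrade case raised in the comments below. The function names are hypothetical, and the `CC.iv4` file naming under `BE/` and `LE/` is an assumption about the output of `xt_geoip_build`.

```shell
#!/bin/sh
# Added example: preflight before loading geoip-based iptables rules.
# Directory roots are parameters so the check can run against a test tree.

# geoip_module_present KVER [MODROOT]
# True if an xt_geoip module file exists for kernel release KVER.
geoip_module_present() {
    _kver=$1; _modroot=${2:-/lib/modules}
    [ -d "$_modroot/$_kver" ] || return 1
    # The install location can vary, so search this kernel's whole module tree.
    [ -n "$(find "$_modroot/$_kver" -name 'xt_geoip.ko*' -print 2>/dev/null | head -n 1)" ]
}

# geoip_db_present CC [DBROOT]
# True if the country's IPv4 file exists in both byte-order directories
# copied in the steps above (assumed naming: BE/CC.iv4 and LE/CC.iv4).
geoip_db_present() {
    _cc=$1; _dbroot=${2:-/usr/share/xt_geoip}
    [ -f "$_dbroot/LE/$_cc.iv4" ] && [ -f "$_dbroot/BE/$_cc.iv4" ]
}

# geoip_preflight KVER MODROOT DBROOT CC...
# Prints one reason per failed check; returns non-zero if any check fails.
geoip_preflight() {
    kver=$1; modroot=$2; dbroot=$3; shift 3
    rc=0
    if ! geoip_module_present "$kver" "$modroot"; then
        echo "xt_geoip not built for kernel $kver (rebuild xtables-addons)" >&2
        rc=1
    fi
    for cc in "$@"; do
        if ! geoip_db_present "$cc" "$dbroot"; then
            echo "no geoip database files for $cc under $dbroot" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage, before the firewall rules are loaded:
#   geoip_preflight "$(uname -r)" /lib/modules /usr/share/xt_geoip CN || exit 1
```

Running it with the release of a newly installed kernel before rebooting shows whether the module still needs to be rebuilt for that kernel.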

2 comments

  1. Aas says:

    This is good for some DROP rules.
    But be careful if you allow some rules only with geoip. With the first kernel upgrade you have to reinstall geoip.

  2. Russell says:

    That’s true! I actually got bit by that. Luckily the module still recompiled on the new kernel without any issues.
