How to set up iptables on CentOS 6 to easily ACCEPT/DENY based on source country:
yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` iptables-devel perl-Text-CSV_XS
wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/1.47/xtables-addons-1.47.1.tar.xz
tar xvf xtables-addons-1.47.1.tar.xz && cd xtables-addons-1.47.1 && ./configure && make && make install
cd geoip/
./xt_geoip_dl
./xt_geoip_build GeoIPCountryWhois.csv
mkdir -p /usr/share/xt_geoip/
cp -r {BE,LE} /usr/share/xt_geoip/
Test it like this:
iptables -I INPUT -m geoip --src-cc CN -j DROP
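The module above is compiled against kernel-devel for the running kernel only, so a pre-flight check is useful before loading rules that match on geoip. The following is an added example, not part of the original post; the function names, the MODDIR/DBDIR variables and the CC.iv4 file naming under LE/ and BE/ are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout: kernel modules
# under /lib/modules/<version>/ and the country database under
# /usr/share/xt_geoip/{BE,LE}/ as <CC>.iv4 files.

# Print every kernel version under $1 that has no xt_geoip module built.
kernels_missing_geoip() {
    moddir=${1:-/lib/modules}
    for k in "$moddir"/*/; do
        [ -d "$k" ] || continue
        if [ -z "$(find "$k" -name 'xt_geoip.ko*' -print 2>/dev/null | head -n 1)" ]; then
            basename "$k"
        fi
    done
}

# Return 0 if a database file for country code $1 exists under $2.
country_db_present() {
    cc=$1
    dbdir=${2:-/usr/share/xt_geoip}
    [ -f "$dbdir/LE/$cc.iv4" ] || [ -f "$dbdir/BE/$cc.iv4" ]
}

# Check all installed kernels plus each country code given as an argument.
# Returns non-zero if a geoip rule could fail to load.
geoip_preflight() {
    rc=0
    missing=$(kernels_missing_geoip "${MODDIR:-/lib/modules}")
    if [ -n "$missing" ]; then
        echo "xt_geoip not built for kernel(s): $missing" >&2
        rc=1
    fi
    for cc in "$@"; do
        if ! country_db_present "$cc" "${DBDIR:-/usr/share/xt_geoip}"; then
            echo "no geoip database file for $cc" >&2
            rc=1
        fi
    done
    return $rc
}
```

Calling geoip_preflight CN after installing a new kernel, and before rebooting into it, shows whether xtables-addons has to be rebuilt for that kernel first.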
This is good for some DROP rules.
But be careful if you allow some rules only with geoip. With the first kernel upgrade you have to reinstall geoip.
That’s true! I actually got bit by that. Luckily the module still recompiled on the new kernel without any issues.