Iptables Geoblocking

Hello everyone, thanks for having me for a new episode of “I’m trying but not succeeding because I’m dumb”.
As the title suggests I’m trying to implement geoblocking in order to allow only IPs from my country to reach my services since I’m not travelling or doing anything that requires access from other countries.

I did my due diligence looking on the internet for various ways to implement this and the only ones that made sense, to me, are based on the xtables + geoip database. But, even the most recent implementation, doesn’t work due to the geoip database not being available anymore.
At this point I don’t know how to work around this issue besides making a quadrillion rules for all the IP ranges in the ASN list for my country.

I’m not really that good with iptables rules and can only understand the most basic ones so I don’t know if there’s a way around that DB not being available anymore.

Thanks!

I was researching to do something very similar just a few days ago. But I’m looking to apply those rules toward my iptables forward chain for my VPN clients. I’ll be keeping a close eye on this thread to see what others suggest that I might benefit from too.

But the reason why I replied was to say MaxMind’s GeoLite2 DB is still free but does require registration. After you log in it will generate a license key that can be inserted into a curl’able URL to download a complete country list.

1 Like

I didn’t know about it! I’m looking into it right now, thanks!

Sure, you’re more than welcome to stick around. If you find something feel free to share.

UPDATE: I’m screwed because nobody had the sensible idea to tell you how to use their damn scripts and stuff to work with the DB downloaded outside of their scripts.

I’ve been digging around in this repo to find how it works, where it’s expecting the files and no matter where I put them the service always errors out.

Sooooooo… if you want to go down a rabbit hole I did find something the other day that I think might work. But of course I haven’t tried it yet, hence my reservation in suggesting it to you. There is a firewall configuration script which has baked-in support for GeoLite2 and will allow you to block by ISO country code. Again, explore at the risk of wasting more of your time :upside_down_face:

Config Firewall & Security Script (cfs)

And here’s some company’s KB article confirming it works with the new MaxMind licensing.

:rabbit::hole:

1 Like

I appreciate you sticking to something you tried. But this is now, at least for me, a “desperate” situation (in the broadest sense of the term possible, obviously) so I’m totally willing to go down any rabbit hole that might lead to something.

I have a burner OS installation just for this so that I can nail down one thing that works and stick with that for the new final setup.

Thanks again!

And one more URL to lead you astray. :joy:

This one uses alternative DB

1 Like

I talked to someone about this before,

I’m kind of in a time crunch at the moment, ip2location offers csv or ranges that can be curl’ed and loaded into ipset, or maybe quickly post processed with awk or similar and then loaded.

1 Like

Thanks for chiming in.

All the info you gave was more than clear enough. I may have stumbled upon this website in my manic search for a solution to my problem, but didn’t pay enough attention to it.

I looked at CSF and the update that can be applied to work with the GeoLite2 database. Looks interesting, but maybe I can put all the rules in from a script like risk said using the GeoLite2 as a source.

Doesn’t look as insane as I first thought, but it could get messy.

All these answers really helped me!
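The two ideas that came up in this thread, loading country ranges into an ipset instead of writing one iptables rule per range, and generating that set from a script with the GeoLite2 CSVs as the source, fit together in one small script. What follows is an added example written for this thread, not code from any of the posters, from MaxMind, or from the scripts linked above. The two CSVs are constructed samples whose column layout follows the GeoLite2 Country CSV files as I know them (`geoname_id` and `country_iso_code` in the Locations file; `network`, `geoname_id` and `registered_country_geoname_id` in the Blocks file); the `COUNTRY`, `SETNAME` and `GEO_ALLOW` names are my own choices, and the RFC 5737 test networks stand in for real ranges.

```shell
#!/bin/sh
# Added example (not code from anyone in the thread): build an ipset
# allowlist for one country from GeoLite2-style CSVs and emit the iptables
# rules that use it. The two CSV samples below are constructed; their
# column layout follows the GeoLite2 Country CSV files as I know them
# (check the header of the files you download and adjust the field
# numbers if the columns differ).
set -eu

COUNTRY="${COUNTRY:-IT}"                 # ISO 3166-1 alpha-2 code to allow
SETNAME="${SETNAME:-geo_${COUNTRY}_v4}"  # name of the ipset to create

# Constructed sample in the GeoLite2-Country-Locations-en.csv layout.
LOCATIONS='geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
3175395,en,EU,Europe,IT,Italy,1
6252001,en,NA,"North America",US,"United States",0'

# Constructed sample in the GeoLite2-Country-Blocks-IPv4.csv layout.
# The third row has an empty geoname_id but a registered country; the
# script falls back to the registered country in that case.
BLOCKS='network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/24,3175395,3175395,,0,0
198.51.100.0/25,6252001,6252001,,0,0
203.0.113.0/24,,3175395,,0,0'

# country_geoname_ids ISO -> space-separated geoname_ids for that country
country_geoname_ids() {
    printf '%s\n' "$LOCATIONS" |
        awk -F',' -v iso="$1" 'NR > 1 { gsub(/"/, ""); if ($5 == iso) print $1 }' |
        tr '\n' ' '
}

# build_ipset_restore ISO SETNAME -> text to feed to `ipset restore`
build_ipset_restore() {
    ids=$(country_geoname_ids "$1")
    printf 'create %s hash:net family inet\n' "$2"
    printf 'flush %s\n' "$2"
    printf '%s\n' "$BLOCKS" |
        awk -F',' -v ids="$ids" -v setname="$2" '
            BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
            NR > 1 {
                id = ($2 != "") ? $2 : $3   # geoname_id, else registered country
                if (id in want) printf "add %s %s\n", setname, $1
            }'
}

# allowlist_rules SETNAME -> iptables commands: keep established sessions
# and loopback, accept sources that are in the set, drop everything else
allowlist_rules() {
    cat <<EOF
iptables -N GEO_ALLOW
iptables -A GEO_ALLOW -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A GEO_ALLOW -i lo -j ACCEPT
iptables -A GEO_ALLOW -m set --match-set $1 src -j ACCEPT
iptables -A GEO_ALLOW -j DROP
iptables -I INPUT 1 -j GEO_ALLOW
EOF
}

# Stand-alone run: print the restore file, then the rules that use it
build_ipset_restore "$COUNTRY" "$SETNAME"
allowlist_rules "$SETNAME"
```

To use it with real data, replace the two inline samples with the contents of the downloaded CSVs, save the first part of the output to a file and load it with `ipset restore -exist < file`, then run the printed rules. The ESTABLISHED,RELATED and loopback accepts come before the DROP so an existing session, and the burner box itself, keep working while the rules are tested; an IPv6 listener needs a second set with `family inet6` built from the IPv6 Blocks file and the same rules under ip6tables, otherwise it stays open to everyone.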