How to Block Access Based on GeoIP on CentOS 7 [iptables]

In this guide I am using CentOS 7 with kernel 3.10 and xtables-addons 2.14. The latest xtables-addons release at the time of writing is 3.9, but the kernel and iptables versions shipped with CentOS 7 do not meet its minimum requirements, so the xtables-addons branch that matches kernel 3.10 is 2.x.

Before installing the dependencies, either update the kernel to the latest version and reboot into it, or, if you will keep booting the current kernel, exclude kernel packages from updates (for example with `exclude=kernel*` in /etc/yum.conf). The xt_geoip module is built against the running kernel, and a kernel update without a rebuild leaves you with a module that no longer loads.
 

1. Install dependencies

 
yum install gcc gcc-c++ iptables-devel kernel-devel \
kernel-devel-`uname -r` wget autoconf automake \
libtool pkg-config m4 git perl-NetAddr-IP \
perl-Text-CSV_XS perl-Net-CIDR-Lite perl-CPAN.noarch

2. Download and extract xtables-addons

cd
/usr/bin/perl -MCPAN -e'install NetAddr::IP'
/usr/bin/perl -MCPAN -e'install Getopt::Long'
/usr/bin/perl -MCPAN -e'install Text::CSV_XS'

cd
git clone https://github.com/mschmitt/GeoLite2xtables.git
cd GeoLite2xtables/
echo YOUR_LICENSE_KEY=\'REPLACE_WITH_YOUR_MAXMIND_LICENSE_KEY\' > geolite2.license
./00_download_geolite2
./10_download_countryinfo
cat /tmp/GeoLite2-Country-Blocks-IPv{4,6}.csv | ./20_convert_geolite2 /tmp/CountryInfo.txt > /root/GeoIP-legacy.csv

cd
wget https://inai.de/files/xtables-addons/xtables-addons-2.14.tar.xz
tar xvf xtables-addons-2.14.tar.xz
cd xtables-addons-2.14

3. Disable Tarpit

vi extensions/Kbuild

Comment out the line below (prefix it with #) so that xt_TARPIT is left out of the build:

#obj-${build_TARPIT}      += xt_TARPIT.o

4. Compile and install xtables-addons

./configure
make
make install

cd
./xtables-addons-2.14/geoip/xt_geoip_build GeoIP-legacy.csv
mkdir -p /usr/share/xt_geoip
cp -a BE /usr/share/xt_geoip/
cp -a LE /usr/share/xt_geoip/

5. Enable module xt_geoip

modprobe xt_geoip

6. Create iptables rules

iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -s IP-OF-MY-ZIMBRA -j ACCEPT
iptables -A INPUT -m geoip ! --src-cc ID -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP

To allow more than one country, separate the country codes with a comma. For example, to allow Singapore as well:

iptables -A INPUT -m geoip ! --src-cc ID,SG -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
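The following shell script is an added example and is not part of the original article. It turns the rules from the last step into an iptables-restore fragment so they can be validated and applied in one go: it checks that the country list is well formed, checks that xt_geoip_build actually produced a database for every country (iptables refuses to load a geoip rule whose country file is missing), and emits the ACCEPT rules before the DROP so that the order the article relies on is preserved. The function names, the sample trusted address 203.0.113.10 (a TEST-NET-3 documentation address standing in for IP-OF-MY-ZIMBRA) and the port list are illustrative; the LE/<CC>.iv4 layout is the xtables-addons 2.x database layout that step 4 copies into /usr/share/xt_geoip.

```bash
#!/bin/sh
# Added example (not from the original article): validate the country list,
# check that xt_geoip_build produced databases for it, and emit the INPUT
# rules from the article as an iptables-restore fragment.
# Assumed/illustrative: the function names, the sample trusted address
# 203.0.113.10 (TEST-NET-3) and the port list. The LE/<CC>.iv4 file layout is
# the xtables-addons 2.x database format written by xt_geoip_build.

# Accept "ID" or "ID,SG": ISO 3166-1 alpha-2 codes, upper case, comma separated.
valid_cc_list() {
    printf '%s' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# Fail if any country in the list has no IPv4 database under $dir/LE.
# iptables rejects a geoip rule whose country file cannot be opened, so
# catch this before trying to apply the ruleset.
geoip_db_ready() {
    dir=$1
    for cc in $(printf '%s' "$2" | tr ',' ' '); do
        if [ ! -f "$dir/LE/$cc.iv4" ]; then
            echo "xt_geoip database missing: $dir/LE/$cc.iv4" >&2
            return 1
        fi
    done
    return 0
}

# Usage: build_geoip_rules CC_LIST PORT_LIST [TRUSTED_IP ...]
# Order matters: loopback and trusted hosts are accepted before the DROP,
# because -A appends and iptables stops at the first matching rule.
build_geoip_rules() {
    cclist=$1
    ports=$2
    shift 2
    if ! valid_cc_list "$cclist"; then
        echo "invalid country list: $cclist" >&2
        return 1
    fi
    printf '%s\n' '*filter'
    printf '%s\n' '-A INPUT -s 127.0.0.0/8 -j ACCEPT'
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -m geoip ! --src-cc $cclist -p tcp -m multiport --dports $ports -j DROP"
    printf '%s\n' 'COMMIT'
}

# Demo run: prints the fragment for Indonesia and Singapore. On the real host:
#   geoip_db_ready /usr/share/xt_geoip ID,SG &&
#   build_geoip_rules ID,SG 80,110,143,443,465,587,993,995,7071 203.0.113.10 | iptables-restore -n
# (-n/--noflush appends to the existing chains instead of replacing the table).
build_geoip_rules ID,SG 80,110,143,443,465,587,993,995,7071 203.0.113.10
```

Two things the article's loose iptables commands do not cover: the rules live only in the running kernel, so save them with `iptables-save > /etc/sysconfig/iptables` (iptables-services) once they work, and the geoip match here applies to IPv4 only; if the host is reachable over IPv6, repeat the rule with ip6tables, which uses the .iv6 files the same build step produced.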

Now try to reach your Zimbra server from a host outside the allowed countries. You can check whether the ports answer with https://mxtoolbox.com/TCPLookup.aspx or https://www.yougetsignal.com/tools/open-ports/

FROM : https://imanudin.net/2020/07/06/how-to-block-access-based-on-geoip-on-centos-7/
