Ubuntu iptables: allow only 1 country


You will need to add the iptables support for geolocation. To do so, you'll have to follow these steps:

# apt-get install xtables-addons-common
# mkdir /usr/share/xt_geoip
# apt-get install libtext-csv-xs-perl unzip
# /usr/lib/xtables-addons/xt_geoip_dl
# /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv

This will allow you to do things like:

iptables -A OUTPUT -m geoip --dst-cc CN -j DROP

That would block any outgoing traffic to China (CN). The complexity of the rules is up to you; you don't need a script, just write down the rules you want to apply, dump them with iptables-save, and restore that dump at boot (for example with the iptables-persistent package) so they survive a reboot.
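As an added example (my script, not part of nKn's answer), here is the policy the question actually asks for built on the geoip match above: an INPUT chain that lets everyone reach 80/443 but exposes every other port only to one country. It assumes the xt_geoip database has been built as described, that the home country is US as in the question, and the function names are mine; with no arguments it only prints the rules, so you can review them before locking yourself out.

```shell
#!/bin/sh
# Added example: restrict all services except HTTP/HTTPS to one country.
# Assumes the xt_geoip database was built with xt_geoip_build (see above).
# IPT=echo turns every call into a dry run that prints the rule instead.
IPT="${IPT:-iptables}"
HOME_CC="${HOME_CC:-US}"   # assumption: the single country to allow

apply_geo_policy() {
    # Start from an empty INPUT chain so re-running the script is idempotent.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    # Loopback and replies to connections this host opened must always pass,
    # otherwise outbound updates and your own SSH session break.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Web ports are public: accept them from every country.
    # (--dport/--dports only parse after -p tcp or -p udp, which is why the
    # bare "--dport 80" in the question was rejected.)
    "$IPT" -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Every other port: only from sources the geoip database maps to HOME_CC.
    "$IPT" -A INPUT -m geoip --src-cc "$HOME_CC" -j ACCEPT
    # Whatever remains hits the DROP policy; log a rate-limited sample first
    # so a mis-mapped admin address shows up in the kernel log.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "geoip-drop: "
}

# Dry run: returns the rules that would be applied, one per line.
render_geo_policy() {
    ( IPT=echo; apply_geo_policy )
}

# No arguments: preview the rules. --apply: install them (needs root).
if [ "${1:-}" = "--apply" ]; then apply_geo_policy; else render_geo_policy; fi
```

Because the default policy becomes DROP, keep a console session open and check the geoip database maps your own address to HOME_CC before running with --apply.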


Updated on September 18, 2022

Comments

  • Austin Kregel
    Austin Kregel over 1 year

    So I've been looking around on the net for a script that will drop all traffic to all ports except the http(80) and https(443) ports, and then only allow traffic on all other ports from country x (where in my case country x is the US).

    I don't want to add in all IPs from every country, I just want to allow IPs from my country then block almost all other traffic from the outside world. No one outside of my country should have access to ssh, ftp, smtp, etc. other than myself. If this ever changes I will add a special case for it when it approaches.

    Side Note

    I must note that I did find a question which contains a script to ban IPs by country using iptables, but that's a lot of extra inserting that I would have to do.

    The script marked as the best answer will block all traffic from those IPs. I only want to block access to all ports except to 80 and 443.

    Update

    With the following rule,

    iptables -A OUTPUT -m geoip --dst-cc CN -j DROP
    

    would I be able to modify it and do something like

    iptables -A OUTPUT -m geoip --dst-cc CN --dport 80 -j ACCEPT
    iptables -A OUTPUT -m geoip --dst-cc CN --dport 443 -j ACCEPT
    iptables -A OUTPUT -m geoip --dst-cc CN -j DROP
    

    I would assume that this would allow IPs from China to access port 80 and port 443 and it would drop the rest. Would this assumption be correct? If not, why not?

    Update 2

    After some messing around I found that my version of Ubuntu doesn't like the --dport attribute. So instead of using that, those of us running Ubuntu 14+ (at least, I only have Ubuntu 14.04, 14.10, and 15.04 installed on some machines) will have to use -p PORT_NUMBER_OR_NAME.

    So that would look like

    iptables -A OUTPUT -m geoip --dst-cc CN -p 443 -j ACCEPT
    

    or for incoming traffic,

    iptables -A INPUT -m geoip --src-cc CN -p 443 -j ACCEPT
    
  • Austin Kregel
    Austin Kregel over 8 years
    Thank you! I do have another question, I updated my question above to reflect it. Would you happen to know the answer to it?
  • nKn
    nKn over 8 years
    The rule would work but you have to change the direction of it, now it is OUTPUT and you'd need to set it to INPUT and not use --dst-cc but --src-cc instead. But if the question is if it should work in combination of any other existing iptables rule, the answer is yes.
  • Martijn
    Martijn about 5 years
    The xt_geoip_dl command no longer works; it requires a zip that doesn't exist anymore.
  • Admin
    Admin about 2 years
    It does work. However, you have to sudo chmod +x /usr/lib/xtables-addons/xt_geoip_build and sudo mkdir /usr/share/xt_geoip (at least in Ubuntu 22.04)