This is the method that I used to implement IPtables blocking by country on my server (ISPConfig 3.0.3 - Debian Lenny 5.0.6 Perfect Server)
Credit goes to linus3x for pointing out the link that got me started
http://www.tuxj0b.de/GeoIP_for_iptables_on_Debian_Lenny
I basically followed all the directions there with a few additions for my environment.
First, I needed to add the package xz-utils because the latest xtables-addons package is in xz format.
Edit apt sources
Code:
nano /etc/apt/sources.list
add the line
Code:
deb http://backports.debian.org/debian-backports lenny-backports main
Update the package lists
Install xz-utils
Code:
aptitude install xz-utils
After this step i went back and removed the previously added line in sources.list just toprevent any future issues.
Next I wanted to update to a later version of iptables and add some other associated tools.
Edit apt sources
Code:
nano /etc/apt/sources.list
add the line
Code:
deb http://ftp.de.debian.org/debian squeeze main
Update the package lists
Install iptables and addons
Code:
apt-get -t testing install iptables
apt-get -t testing install iptables-dev
apt-get -t testing install xtables-addons-common
After this step i went back and removed the previously added line in sources.list just toprevent any future issues.
From the original instructions, install some other needed packages
Code:
aptitude install pkg-config libtext-csv-xs-perl linux-headers-`uname -r` iptables-dev
Next, create the necessary directories and download the needed GeoIPCountry files.
Code:
mkdir -p /var/geoip/LE /usr/src/GeoIP
wget -O /usr/src/GeoIP/GeoIPCountryCSV.zip http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
wget -O /usr/src/GeoIP/csv2bin-20041103.tar.gz http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
wget -O /usr/src/GeoIP/geoip_src.tar.bz2 http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
wget -O /usr/src/GeoIP/xtables-addons-1.31.tar.xz http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/1.31/xtables-addons-1.31.tar.xz
Next, extract all the files for install.
Code:
cd /usr/src/GeoIP
tar xf csv2bin-20041103.tar.gz
tar xf geoip_src.tar.bz2 geoip_csv_iv0.pl
unzip GeoIPCountryCSV.zip
xz -d xtables-addons-1.31.tar.xz
tar xf xtables-addons-1.31.tar
Next, configure and make xtables-addons.
Code:
cd xtables-addons-1.31
./configure --with-xtlibdir=/lib/xtables
make
make install
Next, make csv2bin
Code:
cd /usr/src/GeoIP/csv2bin
make
Next, run csv2bin on GeoIPCountryWhois.csv file. (I assume this just makes it a binary file)
Code:
cd /var/geoip
/usr/src/GeoIP/csv2bin/csv2bin /usr/src/GeoIP/GeoIPCountryWhois.csv
Next,, run the GeoIP perl script on that file.
Code:
cd /var/geoip/LE
perl /usr/src/GeoIP/geoip_csv_iv0.pl /usr/src/GeoIP/GeoIPCountryWhois.csv
Next, create a symbolic link in /usr/share pointing xt_geoip to /var/geoip
Code:
cd /usr/share
ln -s /var/geoip/ xt_geoip
Finally, add the countries you wish to exclude using the 2 letter codes for that country. List to follow.
In the example below, I am excluding Ukraine, one of my big offenders.
Code:
iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc UA -j REJECT
iptables -A INPUT -j GEOIP_REJECT
To decide which countries you want to exclude, just investigate your mail logs and or your fail2ban log if you implemented the fail2ban postfix logging as in
http://www.howtoforge.com/forums/showthread.php?t=28781
(Thanks to edge for pointing that one out to me)
If you find later that you have blocked a country that your users need to send/receive mail from, you can add it back as below. Keep an eye on your mail queues, people.
If you add it back quickly enough, no one will know there was ever a block. Personally I prefer to just block and then remove it if it causes a problem. If you actually ask the users they will say they need to receive or send mail from everywhere, all the time. ; >
In my case, I noticed that I had some outgoing messages to Taiwan that were held in queue. So I want to unblock TAIWAN. The -D is for delete.
Code:
iptables -D GEOIP_REJECT -m geoip --src-cc TW -j REJECT
iptables -A INPUT -j GEOIP_REJECT
You can verify your blocks afterwards by using
For a list of commands, you can type
Code:
iptables -m geoip --help
I used
http://www.infosniper.net/index.php to find out where the IP addresses were located and went from there.
I have already added 28 countries to be blocked entirely. My incoming mail traffic due to spam has been reduced significantly and the reults were instantly visible.
If I did a tail -f of the mail log, before implementation it was almost too fast to even read, now it is at a much more reasonable pace.
I will see what the actual number reduction is after a couple of days.
Also the zip file containg the list of countries and IP ranges gets updated on a monthly basis. More info can be found at:
http://www.maxmind.com/app/geolitecountry
Here are the country codes.
Code:
74 ranges for A1 Anonymous Proxy
2054 ranges for A2 Satellite Provider
14 ranges for AD Andorra
297 ranges for AE United Arab Emirates
156 ranges for AF Afghanistan
117 ranges for AG Antigua and Barbuda
16 ranges for AI Anguilla
53 ranges for AL Albania
71 ranges for AM Armenia
72 ranges for AN Netherlands Antilles
108 ranges for AO Angola
289 ranges for AP Asia/Pacific Region
24 ranges for AQ Antarctica
678 ranges for AR Argentina
33 ranges for AS American Samoa
1649 ranges for AT Austria
2620 ranges for AU Australia
30 ranges for AW Aruba
124 ranges for AX Aland Islands
46 ranges for AZ Azerbaijan
106 ranges for BA Bosnia and Herzegovina
65 ranges for BB Barbados
307 ranges for BD Bangladesh
2740 ranges for BE Belgium
22 ranges for BF Burkina Faso
486 ranges for BG Bulgaria
73 ranges for BH Bahrain
14 ranges for BI Burundi
32 ranges for BJ Benin
72 ranges for BM Bermuda
15 ranges for BN Brunei Darussalam
73 ranges for BO Bolivia
480 ranges for BR Brazil
42 ranges for BS Bahamas
6 ranges for BT Bhutan
15 ranges for BV Bouvet Island
26 ranges for BW Botswana
76 ranges for BY Belarus
89 ranges for BZ Belize
7267 ranges for CA Canada
104 ranges for CD Congo, The Democratic Republic of the
10 ranges for CF Central African Republic
24 ranges for CG Congo
2473 ranges for CH Switzerland
46 ranges for CI Cote D'Ivoire
4 ranges for CK Cook Islands
396 ranges for CL Chile
61 ranges for CM Cameroon
998 ranges for CN China
480 ranges for CO Colombia
138 ranges for CR Costa Rica
16 ranges for CU Cuba
6 ranges for CV Cape Verde
381 ranges for CY Cyprus
864 ranges for CZ Czech Republic
12102 ranges for DE Germany
8 ranges for DJ Djibouti
1120 ranges for DK Denmark
19 ranges for DM Dominica
81 ranges for DO Dominican Republic
61 ranges for DZ Algeria
198 ranges for EC Ecuador
191 ranges for EE Estonia
233 ranges for EG Egypt
10 ranges for ER Eritrea
2641 ranges for ES Spain
12 ranges for ET Ethiopia
3236 ranges for EU Europe
935 ranges for FI Finland
19 ranges for FJ Fiji
4 ranges for FK Falkland Islands (Malvinas)
6 ranges for FM Micronesia, Federated States of
9 ranges for FO Faroe Islands
6214 ranges for FR France
41 ranges for GA Gabon
13028 ranges for GB United Kingdom
28 ranges for GD Grenada
100 ranges for GE Georgia
2 ranges for GF French Guiana
86 ranges for GG Guernsey
144 ranges for GH Ghana
53 ranges for GI Gibraltar
3 ranges for GL Greenland
8 ranges for GM Gambia
37 ranges for GN Guinea
18 ranges for GP Guadeloupe
12 ranges for GQ Equatorial Guinea
673 ranges for GR Greece
91 ranges for GT Guatemala
39 ranges for GU Guam
5 ranges for GW Guinea-Bissau
11 ranges for GY Guyana
1084 ranges for HK Hong Kong
94 ranges for HN Honduras
148 ranges for HR Croatia
29 ranges for HT Haiti
531 ranges for HU Hungary
706 ranges for ID Indonesia
1039 ranges for IE Ireland
700 ranges for IL Israel
94 ranges for IM Isle of Man
1472 ranges for IN India
7 ranges for IO British Indian Ocean Territory
526 ranges for IQ Iraq
377 ranges for IR Iran, Islamic Republic of
85 ranges for IS Iceland
2957 ranges for IT Italy
80 ranges for JE Jersey
73 ranges for JM Jamaica
91 ranges for JO Jordan
1730 ranges for JP Japan
151 ranges for KE Kenya
38 ranges for KG Kyrgyzstan
67 ranges for KH Cambodia
2 ranges for KI Kiribati
5 ranges for KM Comoros
56 ranges for KN Saint Kitts and Nevis
5 ranges for KP Korea, Democratic People's Republic of
622 ranges for KR Korea, Republic of
160 ranges for KW Kuwait
30 ranges for KY Cayman Islands
173 ranges for KZ Kazakhstan
14 ranges for LA Lao People's Democratic Republic
220 ranges for LB Lebanon
22 ranges for LC Saint Lucia
68 ranges for LI Liechtenstein
63 ranges for LK Sri Lanka
56 ranges for LR Liberia
10 ranges for LS Lesotho
369 ranges for LT Lithuania
368 ranges for LU Luxembourg
284 ranges for LV Latvia
97 ranges for LY Libyan Arab Jamahiriya
92 ranges for MA Morocco
40 ranges for MC Monaco
121 ranges for MD Moldova, Republic of
46 ranges for ME Montenegro
4 ranges for MF Saint Martin
20 ranges for MG Madagascar
6 ranges for MH Marshall Islands
69 ranges for MK Macedonia
14 ranges for ML Mali
3 ranges for MM Myanmar
51 ranges for MN Mongolia
30 ranges for MO Macau
5 ranges for MP Northern Mariana Islands
16 ranges for MQ Martinique
19 ranges for MR Mauritania
11 ranges for MS Montserrat
107 ranges for MT Malta
46 ranges for MU Mauritius
17 ranges for MV Maldives
41 ranges for MW Malawi
571 ranges for MX Mexico
478 ranges for MY Malaysia
45 ranges for MZ Mozambique
232 ranges for NA Namibia
27 ranges for NC New Caledonia
32 ranges for NE Niger
3 ranges for NF Norfolk Island
926 ranges for NG Nigeria
74 ranges for NI Nicaragua
6252 ranges for NL Netherlands
1063 ranges for NO Norway
54 ranges for NP Nepal
3 ranges for NR Nauru
1 ranges for NU Niue
620 ranges for NZ New Zealand
18 ranges for OM Oman
173 ranges for PA Panama
129 ranges for PE Peru
9 ranges for PF French Polynesia
21 ranges for PG Papua New Guinea
441 ranges for PH Philippines
267 ranges for PK Pakistan
2532 ranges for PL Poland
4 ranges for PM Saint Pierre and Miquelon
842 ranges for PR Puerto Rico
42 ranges for PS Palestinian Territory, Occupied
586 ranges for PT Portugal
4 ranges for PW Palau
43 ranges for PY Paraguay
34 ranges for QA Qatar
7 ranges for RE Reunion
977 ranges for RO Romania
259 ranges for RS Serbia
4061 ranges for RU Russian Federation
14 ranges for RW Rwanda
381 ranges for SA Saudi Arabia
3 ranges for SB Solomon Islands
36 ranges for SC Seychelles
46 ranges for SD Sudan
2106 ranges for SE Sweden
868 ranges for SG Singapore
366 ranges for SI Slovenia
391 ranges for SK Slovakia
42 ranges for SL Sierra Leone
14 ranges for SM San Marino
22 ranges for SN Senegal
30 ranges for SO Somalia
19 ranges for SR Suriname
4 ranges for ST Sao Tome and Principe
89 ranges for SV El Salvador
48 ranges for SY Syrian Arab Republic
22 ranges for SZ Swaziland
13 ranges for TC Turks and Caicos Islands
20 ranges for TD Chad
10 ranges for TG Togo
362 ranges for TH Thailand
27 ranges for TJ Tajikistan
10 ranges for TK Tokelau
3 ranges for TL Timor-Leste
6 ranges for TM Turkmenistan
18 ranges for TN Tunisia
4 ranges for TO Tonga
654 ranges for TR Turkey
34 ranges for TT Trinidad and Tobago
1 ranges for TV Tuvalu
465 ranges for TW Taiwan
131 ranges for TZ Tanzania, United Republic of
2282 ranges for UA Ukraine
53 ranges for UG Uganda
11 ranges for UM United States Minor Outlying Islands
19724 ranges for US United States
85 ranges for UY Uruguay
48 ranges for UZ Uzbekistan
6 ranges for VA Holy See (Vatican City State)
21 ranges for VC Saint Vincent and the Grenadines
236 ranges for VE Venezuela
90 ranges for VG Virgin Islands, British
134 ranges for VI Virgin Islands, U.S.
151 ranges for VN Vietnam
6 ranges for VU Vanuatu
2 ranges for WF Wallis and Futuna
24 ranges for WS Samoa
19 ranges for YE Yemen
3 ranges for YT Mayotte
579 ranges for ZA South Africa
85 ranges for ZM Zambia
70 ranges for ZW Zimbabwe
English | 
Deutsch
HOWTO: Implement iptables blocking by Country
Things to still be worked out.
Linear Mode
Recent comments
8 hours 23 min ago
9 hours 23 min ago
13 hours 10 min ago
14 hours 24 min ago
18 hours 57 sec ago
1 day 1 hour ago
1 day 10 hours ago
1 day 11 hours ago
2 days 2 hours ago
2 days 5 hours ago