
So I've been looking around on the net for a script that will drop all traffic to all ports except the http(80) and https(443) ports, and then only allow traffic on all other ports from country x (where in my case country x is the US).

I don't want to add in all IPs from every country; I just want to allow IPs from my country and then block almost all other traffic from the outside world. No one outside of my country should have access to ssh, ftp, smtp, etc. other than myself. If this ever changes I will add a special case for it when it approaches.

Side Note

I must note that I did find a question which contains a script to ban IPs by country using iptables, but that's a lot of extra inserting that I would have to do.

The script marked as the best answer will block all traffic from those IPs. I only want to block access to all ports except to 80 and 443.

Update

With the following rule,

iptables -A OUTPUT -m geoip --dst-cc CN -j DROP

would I be able to modify it and do something like

iptables -A OUTPUT -m geoip --dst-cc CN -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m geoip --dst-cc CN -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -m geoip --dst-cc CN -j DROP

I would assume that this would allow IPs from China to access port 80 and port 443 and it would drop the rest. Would this assumption be correct? If not, why not?

Update 2

After some messing around I found that my version of Ubuntu doesn't like the --dport attribute. So instead of using that, those of us running Ubuntu 14+ (at least, I only have Ubuntu 14.04, 14.10, and 15.04 installed on some machines) will have to use -p PORT_NUMBER_OR_NAME.

So that would look like

iptables -A OUTPUT -m geoip --dst-cc CN -p tcp --dport 443 -j ACCEPT

or for incoming traffic,

iptables -A INPUT -m geoip --src-cc CN -p tcp --dport 443 -j ACCEPT
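A worked version of the policy the question asks for (80 and 443 open to everyone, every other port only from one country), added here as an example; it is not part of the question or of either answer. It assumes xtables-addons with the xt_geoip database installed as the answers describe, and ADMIN_IP is a constructed placeholder for your own management address.

```bash
#!/usr/bin/env bash
# Generates an iptables-restore ruleset: only the listed TCP ports are open to
# the world; every other inbound connection is admitted only from one country
# via the xt_geoip match. Assumes xtables-addons and the GeoIP database are
# installed as described in the answers. ADMIN_IP is a constructed placeholder.
set -eu

# geo_ruleset CC PORT... -> ruleset on stdout, non-zero exit on bad input
geo_ruleset() {
  local cc="$1"; shift
  local admin_ip="${ADMIN_IP:-203.0.113.10}"   # placeholder (TEST-NET-3)
  case "$cc" in [[:upper:]][[:upper:]]) ;; *) echo "bad country code: $cc" >&2; return 1 ;; esac
  local p
  for p in "$@"; do
    case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
  done
  printf '*filter\n'
  printf ':INPUT DROP [0:0]\n'      # default deny; no trailing DROP rule needed
  printf ':FORWARD DROP [0:0]\n'
  printf ':OUTPUT ACCEPT [0:0]\n'
  printf -- '-A INPUT -i lo -j ACCEPT\n'
  printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  printf -- '-A INPUT -m conntrack --ctstate INVALID -j DROP\n'
  # anti-lockout: the management address bypasses the GeoIP lookup, so a stale
  # or wrong country database cannot cut off your own SSH session
  printf -- '-A INPUT -s %s -p tcp --dport 22 -j ACCEPT\n' "$admin_ip"
  for p in "$@"; do
    # -p selects the IP protocol (-p 443 would mean protocol 443, not a port);
    # a port match is -p tcp --dport, with -p tcp before --dport
    printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$p"
  done
  # everything else only from the chosen country (inbound: match the SOURCE country)
  printf -- '-A INPUT -m geoip --src-cc %s -j ACCEPT\n' "$cc"
  # rate-limited log of what the policy refuses, for later review
  printf -- '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "geo-drop: "\n'
  printf 'COMMIT\n'
}

# Dry run first (parses without committing), then apply and persist:
#   geo_ruleset US 80 443 | sudo iptables-restore --test
#   geo_ruleset US 80 443 | sudo iptables-restore && sudo iptables-save > /etc/iptables/rules.v4
```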

2 Answers


You will need to add the iptables support for geolocation. To do so, you'll have to follow these steps:

# apt-get install xtables-addons-common
# mkdir /usr/share/xt_geoip
# apt-get install libtext-csv-xs-perl unzip
# /usr/lib/xtables-addons/xt_geoip_dl
# /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv

This will allow you to do things like:

iptables -A OUTPUT -m geoip --dst-cc CN -j DROP

That would block any outgoing traffic to China (CN). The complexity of the rules is up to you; basically you don't need a script, just write down the rules you want to apply and then use iptables-save so they are loaded each time you reboot.

  • Thank you! I do have another question, I updated my question above to reflect it. Would you happen to know the answer to it?
    Commented Nov 5, 2015 at 17:24
  • The rule would work but you have to change the direction of it: now it is OUTPUT and you'd need to set it to INPUT, and not use --dst-cc but --src-cc instead. But if the question is whether it should work in combination with any other existing iptables rule, the answer is yes.
    – nKn
    Commented Nov 5, 2015 at 17:29
  • The xt_geoip_dl command no longer works, it requires a zip that doesn't exist anymore.
    – Martijn
    Commented Apr 19, 2019 at 13:28
  • It does work. However, you have to sudo chmod +x /usr/lib/xtables-addons/xt_geoip_build and sudo mkdir /usr/share/xt_geoip (at least in Ubuntu 22.04).
    Commented Apr 29, 2022 at 11:26

If somebody comes across this and it doesn't work on Ubuntu 22.04.4 LTS (Jammy): for me, I had to use the updated pre-packaged location I found here: https://inai.de/projects/xtables-addons/geoip.php

So the steps for me were:

You will need to add the iptables support for geolocation. To do so, you'll have to follow these steps:

# sudo apt install xtables-addons-common
# sudo mkdir /usr/share/xt_geoip
# sudo apt install libtext-csv-xs-perl unzip
# /usr/libexec/xtables-addons/xt_geoip_dl
# /usr/libexec/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv

This will allow you to do things like:

sudo iptables -A OUTPUT -m geoip --dst-cc CN -j DROP

And:

sudo iptables -A INPUT -m geoip --src-cc CN -j DROP
