Monthly Archives: November 2018

iptables: Block traffic by country (Debian 10)

You need the package versions from at least Debian 10 testing for this to work. Installing specific packages from the testing branch is beyond the scope of this article, but there are many tutorials online.

  • Switch to legacy iptables (I did not try it with the new nftables packet filter that came with Debian 10):
sudo update-alternatives --config iptables 
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables). 

 Selection    Path                       Priority   Status 
------------------------------------------------------------ 
 0            /usr/sbin/iptables-nft      20        auto mode 
* 1            /usr/sbin/iptables-legacy   10        manual mode 
 2            /usr/sbin/iptables-nft      20        manual mode 

Press <enter> to keep the current choice[*], or type selection number: 1
  • Install the iptables “geoip” match module (from testing) and its dependencies:
sudo aptitude install xtables-addons-common/testing xtables-addons-dkms/testing libnet-cidr-lite-perl libtext-csv-xs-perl
  • Make sure you have the right version (from Debian testing):
apt show xtables-addons-common
...
Version: 3.5-0.1
...
  • Download and build the geoip database (zipped CSV file from MaxMind); the build step writes one .iv4 and one .iv6 file per country, which are then copied to /usr/share/xt_geoip/:
sudo -i
mkdir /usr/share/xt_geoip/ 
cd /usr/share/xt_geoip/
/usr/lib/xtables-addons/xt_geoip_dl
cd GeoLite2-Country-CSV_* 
/usr/lib/xtables-addons/xt_geoip_build
cp *iv? ..
  • Check your iptables rules in the INPUT chain. If you have already set up iptables, it should look something like this:
# iptables --line-numbers -nL  INPUT

Chain INPUT (policy DROP) 
num  target     prot opt source               destination          
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     ...
3    ACCEPT     ...
...
8    LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW LOG flags 0 level 4 prefix "DROP input:"
  • Add an iptables rule to block all incoming traffic from e.g. Prague/Czech Republic. The geoip match works on country codes only, so the whole country (CZ) is blocked. Make sure to insert the new rule after the RELATED/ESTABLISHED rule and before any other ACCEPT rules; otherwise replies to connections your own host opened would be dropped as well, or an earlier ACCEPT would let the traffic through before the geoip rule is reached. In this example, the rule is inserted as line number 2.
iptables -I INPUT 2 -m geoip --src-cc CZ -j DROP
  • In the second example we block all traffic except traffic originating from the United States. TCP traffic is not simply dropped; the DELUDE target answers it with spoofed responses. Because both rules are inserted at position 2, the DELUDE rule ends up at line 2 and the DROP rule at line 3, so non-US TCP traffic hits DELUDE first and everything else falls through to DROP.
iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP
iptables -I INPUT 2 -p tcp -m geoip ! --src-cc US -j DELUDE

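The procedure above depends on two things that are easy to get wrong: the database files for the country code must exist in /usr/share/xt_geoip/, and the geoip rule must land after the RELATED,ESTABLISHED rule but before any other ACCEPT. The following shell helpers, added here as an example and not part of the original post, check both against a listing in the format shown above. The sample listings are constructed (the port numbers are made up), and the `Source countries: XX` text is assumed to be how the geoip match prints itself in `iptables -nL` output; compare it with your own listing.

```shell
#!/bin/sh
# Added example, not from the original post: helpers that check the
# xt_geoip database files exist for a country code, work out where the
# geoip rule belongs in the INPUT chain, and verify its placement afterwards.
# Assumption: the geoip match shows up as "Source countries: XX" in
# `iptables -nL` output. Check this against your own listing.

# Constructed sample `iptables --line-numbers -nL INPUT` output, modelled
# on the listing in the post (ports are made up).
SAMPLE_BEFORE='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
4    LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW LOG flags 0 level 4 prefix "DROP input:"'

# The same chain after `iptables -I INPUT 2 -m geoip --src-cc CZ -j DROP`.
SAMPLE_AFTER='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0            Source countries: CZ
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
5    LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW LOG flags 0 level 4 prefix "DROP input:"'

# A wrong placement: inserted at position 1, the geoip rule now sits in
# front of the RELATED,ESTABLISHED rule and also drops replies to
# connections the host itself opened towards CZ addresses.
SAMPLE_WRONG='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            Source countries: CZ
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# geoip_db_present CC [DIR]: "ok" if both database files written by
# xt_geoip_build (CC.iv4 and CC.iv6) exist for the country code, else "missing".
geoip_db_present() {
    cc=$1
    dir=${2:-/usr/share/xt_geoip}
    if [ -f "$dir/$cc.iv4" ] && [ -f "$dir/$cc.iv6" ]; then
        echo ok
    else
        echo missing
    fi
}

# geoip_insert_position LISTING: rule number at which to insert the geoip
# rule, i.e. directly after the first ACCEPT rule for RELATED,ESTABLISHED.
# Prints 1 when the chain has no such rule.
geoip_insert_position() {
    printf '%s\n' "$1" | awk '
        $2 == "ACCEPT" && /RELATED,ESTABLISHED/ && !found { pos = $1 + 1; found = 1 }
        END { print (found ? pos : 1) }'
}

# geoip_rule_cmd POS CC: the insert command for a plain country block.
geoip_rule_cmd() {
    echo "iptables -I INPUT $1 -m geoip --src-cc $2 -j DROP"
}

# check_geoip_placement LISTING: "ok" when the geoip rule comes after the
# RELATED,ESTABLISHED rule and before every other ACCEPT; otherwise the
# reason: "missing", "before-state-rule" or "after-accept".
check_geoip_placement() {
    printf '%s\n' "$1" | awk '
        $2 == "ACCEPT" && /RELATED,ESTABLISHED/ && !state { state = $1 }
        /Source countries:/ && !geo { geo = $1 }
        $2 == "ACCEPT" && !/RELATED,ESTABLISHED/ && !acc { acc = $1 }
        END {
            if (!geo) { print "missing"; exit }
            if (state && geo + 0 < state + 0) { print "before-state-rule"; exit }
            if (acc && geo + 0 > acc + 0) { print "after-accept"; exit }
            print "ok"
        }'
}

# Dry run on the constructed samples: prints the command that would be run
# and the verdict on the chain as it looks after insertion.
geoip_dry_run() {
    pos=$(geoip_insert_position "$SAMPLE_BEFORE")
    geoip_rule_cmd "$pos" CZ
    check_geoip_placement "$SAMPLE_AFTER"
}

geoip_dry_run
```

On a live host, replace the sample strings with `"$(iptables --line-numbers -nL INPUT)"` and run `check_geoip_placement` again after every change to the chain; a verdict of `before-state-rule` is the mistake the post warns about, and `after-accept` means an earlier ACCEPT rule lets the traffic through before the geoip rule is reached.
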
Important things to note:

  • You have to reinstall package “xtables-addons-common” with every new kernel version because it is compiled during package installation using the current kernel source (see /usr/src/xtables-addons-*).
  • For more information about the DELUDE target in the second example, see “man xtables-addons”. It spoofs nmap scans and makes it harder for port scanners to scan the destination host. It is only valid for TCP traffic, which is why the DELUDE rule above carries “-p tcp”.