Blocking specified countries with iptables (installing and using the GeoIP module)

This procedure applies to CentOS 7.x systems.

1, Install iptables addons (geoip module)

1. Download the lux repository package
wget http://repo.iotti.biz/CentOS/7/noarch/lux-release-7-1.noarch.rpm

2. Install the lux repository
rpm -ivh lux-release-7-1.noarch.rpm --force --nodeps

3. Install xtables addons
yum -y install kmod-xtables-addons
yum -y install xtables-addons

Be sure to install kmod-xtables-addons first and then xtables-addons. The latter depends on the former.

4. Dynamically load the xt_geoip kernel module (this must be re-executed after every restart)
insmod /lib/modules/3.10.0-327.36.2.el7.centos.plus.x86_64/extra/xtables-addons/xt_geoip.ko

The advantage of using insmod is that the whole deployment does not require restarting the server. A once-and-for-all alternative is to first update the kernel to the latest version with yum -y install kernel-devel, then execute steps 1, 2 and 3, and restart the server afterwards. After that, there is no need to run step 4 to reload the xt_geoip kernel module after each restart.

2, Get a global IP database in CSV format

1. Visit the MaxMind website

2. Create an account

Registration address: https://www.maxmind.com/en/geolite2/signup?lang=en This registration page is not easy to find.

Create an account according to the guidance process, during which email verification is required.

3. Log in to the account and enter the user center

In the left navigation bar of the user center, select the Download Files option to open the download page.

4. Download the IP database in CSV format

On the Download Files page, find GeoLite2 Country: CSV Format near the bottom, and click Download ZIP on the right to download it.

5. Unzip the downloaded archive to get the CSV-format IP database

3, Convert the CSV-format IP database downloaded from the official website to a format recognized by iptables

1. Create format conversion script

#!/usr/bin/perl
#
#	Converter for MaxMind CSV database to binary, for xt_geoip
#	Copyright © Jan Engelhardt, 2008-2011
#
use Getopt::Long;
use IO::Handle;
use Text::CSV_XS; # or trade for Text::CSV
use strict;

my $csv = Text::CSV_XS->new({
	allow_whitespace => 1,
	binary => 1,
	eol => $/,
}); # or Text::CSV
my $target_dir = ".";

# -D <dir> selects the output directory (default: current directory)
&Getopt::Long::Configure(qw(bundling));
&GetOptions(
	"D=s" => \$target_dir,
);

if (!-d $target_dir) {
	print STDERR "Target directory $target_dir does not exist.\n";
	exit 1;
}
# One subdirectory per byte order: LE (little-endian) and BE (big-endian)
foreach (qw(LE BE)) {
	my $dir = "$target_dir/$_";
	if (!-e $dir && !mkdir($dir)) {
		print STDERR "Could not mkdir $dir: $!\n";
		exit 1;
	}
}

&dump(&collect());

# Read all CSV rows from the files named on the command line and group the
# ranges by country. Each row is expected to carry: start IP, end IP,
# start as integer, end as integer, ISO country code, country name.
# A CSV with a different column layout will not be parsed correctly.
sub collect
{
	my %country;

	while (my $row = $csv->getline(*ARGV)) {
		if (!defined($country{$row->[4]})) {
			$country{$row->[4]} = {
				name => $row->[5],
				pool_v4 => [],
				pool_v6 => [],
			};
		}
		my $c = $country{$row->[4]};
		if ($row->[0] =~ /:/) {
			push(@{$c->{pool_v6}},
			     [&ip6_pack($row->[0]), &ip6_pack($row->[1])]);
		} else {
			push(@{$c->{pool_v4}}, [$row->[2], $row->[3]]);
		}
		if ($. % 4096 == 0) {
			print STDERR "\r\e[2K$. entries";
		}
	}

	print STDERR "\r\e[2K$. entries total\n";
	return \%country;
}

# Write the range files for every country, in ISO code order
sub dump
{
	my $country = shift @_;

	foreach my $iso_code (sort keys %$country) {
		&dump_one($iso_code, $country->{$iso_code});
	}
}

# Write <CC>.iv6 and <CC>.iv4 for one country into both LE/ and BE/
sub dump_one
{
	my($iso_code, $country) = @_;
	my($file, $fh_le, $fh_be);

	printf "%5u IPv6 ranges for %s %s\n",
		scalar(@{$country->{pool_v6}}),
		$iso_code, $country->{name};

	$file = "$target_dir/LE/".uc($iso_code).".iv6";
	if (!open($fh_le, "> $file")) {
		print STDERR "Error opening $file: $!\n";
		exit 1;
	}
	$file = "$target_dir/BE/".uc($iso_code).".iv6";
	if (!open($fh_be, "> $file")) {
		print STDERR "Error opening $file: $!\n";
		exit 1;
	}
	foreach my $range (@{$country->{pool_v6}}) {
		print $fh_be $range->[0], $range->[1];
		print $fh_le &ip6_swap($range->[0]), &ip6_swap($range->[1]);
	}
	close $fh_le;
	close $fh_be;

	printf "%5u IPv4 ranges for %s %s\n",
		scalar(@{$country->{pool_v4}}),
		$iso_code, $country->{name};

	$file = "$target_dir/LE/".uc($iso_code).".iv4";
	if (!open($fh_le, "> $file")) {
		print STDERR "Error opening $file: $!\n";
		exit 1;
	}
	$file = "$target_dir/BE/".uc($iso_code).".iv4";
	if (!open($fh_be, "> $file")) {
		print STDERR "Error opening $file: $!\n";
		exit 1;
	}
	# Each IPv4 range is stored as two 32-bit integers: start, end
	foreach my $range (@{$country->{pool_v4}}) {
		print $fh_le pack("VV", $range->[0], $range->[1]);
		print $fh_be pack("NN", $range->[0], $range->[1]);
	}
	close $fh_le;
	close $fh_be;
}

# Expand a textual IPv6 address (including "::") into 16 bytes, big-endian
sub ip6_pack
{
	my $addr = shift @_;
	$addr =~ s{::}{:!:};
	my @addr = split(/:/, $addr);
	my @e = (0) x 8;
	foreach (@addr) {
		if ($_ eq "!") {
			$_ = join(':', @e[0..(8-scalar(@addr))]);
		}
	}
	@addr = split(/:/, join(':', @addr));
	$_ = hex($_) foreach @addr;
	return pack("n*", @addr);
}

# Byte-swap each 32-bit word of a packed IPv6 address for the LE files
sub ip6_swap
{
	return pack("V*", unpack("N*", shift @_));
}

Create a file named xt_geoip_build and write the script's contents into it. Run chmod +x xt_geoip_build to make the file executable.

2. Install the dependencies required by the xt_geoip_build script
yum -y install perl-Text-CSV_XS

3. Convert the CSV-format IP database to the geoip module format
mkdir /usr/share/xt_geoip
./xt_geoip_build -D /usr/share/xt_geoip *.csv

*.csv refers to the CSV-format IP database files obtained in the previous step.

At this point, the GeoIP module is installed and configured.

4, Use the iptables command to block countries

1. Block visiting users from China, the United States and Hong Kong
iptables -I INPUT -m geoip --src-cc CN,US,HK -j DROP

2. Block all visitors except those from mainland China
iptables -I INPUT -m geoip ! --src-cc CN -j DROP

3. View the geoip module help
iptables -m geoip -h
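
Added example (not part of the original article or of xtables-addons): a Python check of the .iv4 files that xt_geoip_build writes (consecutive start/end pairs of 32-bit integers, little-endian under LE/ and big-endian under BE/), for confirming how a source address will be treated before a DROP rule is inserted. The country code XX and its ranges are constructed sample data, and rule_matches is a simplified model of the geoip match; it shows that an inverted rule such as ! --src-cc CN also matches private and loopback sources, which belong to no country.

```python
import ipaddress
import struct
from bisect import bisect_right

def load_iv4(data, byteorder="LE"):
    """Parse the bytes of a .iv4 file into sorted (start, end) integer pairs."""
    if len(data) % 8:
        raise ValueError("truncated .iv4 data: length is not a multiple of 8")
    fmt = "<II" if byteorder == "LE" else ">II"   # Perl pack "VV" / "NN"
    ranges = sorted(struct.unpack_from(fmt, data, off)
                    for off in range(0, len(data), 8))
    for start, end in ranges:
        if start > end:
            raise ValueError("range start > end: wrong byte order or corrupt file")
    return ranges

def in_country(ranges, ip):
    """True if the IPv4 address falls inside one of the country's ranges."""
    addr = int(ipaddress.IPv4Address(ip))
    # Find the last range whose start is <= addr, then test its end.
    i = bisect_right(ranges, (addr, 0xFFFFFFFF)) - 1
    return i >= 0 and ranges[i][0] <= addr <= ranges[i][1]

def rule_matches(db, ip, codes, negate=False):
    """Model of `-m geoip [!] --src-cc codes`: does the rule match this source?"""
    hit = any(in_country(db.get(cc, []), ip) for cc in codes)
    return hit != negate

# Constructed sample: hypothetical country "XX" owning two documentation ranges.
SAMPLE = [("192.0.2.0", "192.0.2.255"), ("198.51.100.0", "198.51.100.127")]

def build_sample(fmt):
    """Serialise SAMPLE the way the Perl script does for one byte order."""
    return b"".join(struct.pack(fmt, int(ipaddress.IPv4Address(a)),
                                int(ipaddress.IPv4Address(b))) for a, b in SAMPLE)

DB = {"XX": load_iv4(build_sample("<II"), "LE")}

if __name__ == "__main__":
    # Which sources would `! --src-cc XX -j DROP` drop?
    for src in ("192.0.2.55", "198.51.100.200", "10.0.0.1", "127.0.0.1"):
        print(src, "dropped:", rule_matches(DB, src, ["XX"], negate=True))
```

To check a real database, pass the bytes of a generated file to load_iv4, for example the contents of /usr/share/xt_geoip/LE/CN.iv4 opened in binary mode.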

Keywords: Linux CentOS iptables server Cyber Security

Added by calavera on Thu, 10 Feb 2022 01:03:20 +0200