Easily install and configure GeoIP for use with iptables which enables you to block/allow entire countries.

README.md

Configure GeoIP for iptables

This script configures GeoIP for use with iptables. Installs Linux headers, uses xtables-addons, uses latest db-ip.com database, fixes dependencies, loads xt_geoip module.

Supports colored message using ANSI escape codes. 😎

Run the script as root or with sudo.

Script Functionality

• Installs latest Linux headers
• Downloads xtables-addons version 3.25 from here: https://inai.de/files/xtables-addons/
• Ensures the existence of /usr/share/xt_geoip
• Provides a link to download the db-ip.com CSV file
  • db-ip.com uses Cloudflare, so we can't use wget/curl to download
  • The script will provide you with the latest URL to download and instructions on where to move it
• Extracts the CSV file from the archive
• Generates the GeoIP database with xt_geoip_build
• The now-unneeded CSV file will be removed
• Fixes dependencies
• Loads xt_geoip

iptables commands

Block a Specific Country

iptables -I INPUT -m geoip --src-cc XX -j DROP

Replace XX with the country code you want to block.

Block All Countries Except One

iptables -I INPUT -m geoip ! --src-cc YY -j DROP

Replace YY with the only country code you want to allow.

References

• https://inai.de/projects/xtables-addons/
• https://inai.de/projects/xtables-addons/geoip.php
• https://think.unblog.ch/en/geoip-firewall-configuration-on-debian-and-ubuntu/
• https://www.seenlyst.com/blog/geo-blocking-ufw-iptables/

install-geoip.sh

#!/bin/bash

# Exit on error
set -e

# Install prerequisites
echo -e "\033[32mInstalling prerequisites...\033[0m"
apt update
apt -y install curl unzip perl libtext-csv-xs-perl libmoosex-types-netaddr-ip-perl pkg-config

# Install Linux headers
echo ""
echo -e "\033[32mInstalling current Linux headers...\033[0m"
apt install linux-headers-$(uname -r) -y

# Download and install xtables-addons
XTA_VERSION="3.25"
XTA_URL="https://inai.de/files/xtables-addons/xtables-addons-${XTA_VERSION}.tar.xz"
XTA_DIR="/tmp/xtables-addons-${XTA_VERSION}"

echo ""
echo -e "\033[32mDownloading xtables-addons version ${XTA_VERSION}...\033[0m"
curl -L ${XTA_URL} -o /tmp/xtables-addons-${XTA_VERSION}.tar.xz

echo ""
echo -e "\033[32mExtracting xtables-addons...\033[0m"
tar xf /tmp/xtables-addons-${XTA_VERSION}.tar.xz -C /tmp/

echo ""
echo -e "\033[32mBuilding and installing xtables-addons...\033[0m"
cd ${XTA_DIR}
./configure
make
make install
cd ..
rm -rf ${XTA_DIR} /tmp/xtables-addons-${XTA_VERSION}.tar.xz

# GeoIP database update
echo ""
echo -e "\033[32mPreparing to update GeoIP database...\033[0m"
GEOIP_DIR="/usr/share/xt_geoip/"
DATE=$(date +'%Y-%m')
GEOIP_URL="https://download.db-ip.com/free/dbip-country-lite-${DATE}.csv.gz"
GEOIP_CSV_GZ_FILE="${GEOIP_DIR}dbip-country-lite-${DATE}.csv.gz"
GEOIP_CSV_FILE="${GEOIP_DIR}dbip-country-lite-${DATE}.csv"

# Create the GeoIP directory if it doesn't exist
mkdir -p ${GEOIP_DIR}

echo ""
echo -e "\033[34mPlease download the GeoIP database using your web browser due to Cloudflare restrictions.\033[0m"
echo -e "\033[34mDownload URL:\033[0m ${GEOIP_URL}"
echo -e "\033[34mThen upload the file to this path:\033[0m ${GEOIP_CSV_GZ_FILE}"

# Wait until the file is present
while true; do
    echo "Press enter to continue after uploading the file..."
    read -r _  # Waits for user to press enter, ignoring the input
    if [ -f "${GEOIP_CSV_GZ_FILE}" ]; then
        echo "File detected. Continuing with the process."
        break # Exit the loop if file is found
    else
        echo -e "\033[33mFile not found. Please ensure the file is saved to ${GEOIP_DIR} and try again.\033[0m"
    fi
done

echo ""
echo -e "\033[32mExtracting GeoIP CSV file...\033[0m"
cd ${GEOIP_DIR}
gunzip "${GEOIP_CSV_GZ_FILE}" -f

echo ""
echo -e "\033[32mLocating and running xt_geoip_build...\033[0m"

# Define possible locations for xt_geoip_build
POSSIBLE_LOCATIONS=(
    "/usr/lib/xtables-addons/xt_geoip_build"
    "/usr/libexec/xtables-addons/xt_geoip_build"
    "/usr/local/lib/xtables-addons/xt_geoip_build"
    "/usr/local/libexec/xtables-addons/xt_geoip_build"
)

GEOIP_BUILD=""
for location in "${POSSIBLE_LOCATIONS[@]}"; do
    if [ -f "$location" ]; then
        GEOIP_BUILD="$location"
        break
    fi
done

if [ -z "$GEOIP_BUILD" ]; then
    echo -e "\033[31mError: Could not find xt_geoip_build script in any known location\033[0m"
    echo "Searching for xt_geoip_build in the system..."
    FOUND_PATH=$(find / -name "xt_geoip_build" 2>/dev/null)
    
    if [ -n "$FOUND_PATH" ]; then
        echo -e "\033[32mFound xt_geoip_build at: $FOUND_PATH\033[0m"
        GEOIP_BUILD="$FOUND_PATH"
    else
        echo -e "\033[31mFatal: xt_geoip_build script not found anywhere in the system\033[0m"
        exit 1
    fi
fi

echo -e "\033[32mBuilding the GeoIP database with xtables-addons...\033[0m"
mv ${GEOIP_CSV_FILE} dbip-country-lite.csv
"$GEOIP_BUILD" -D /usr/share/xt_geoip *.csv
rm -f ${GEOIP_CSV_FILE}

# Dependency fix and module load
echo ""
echo -e "\033[32mFixing dependencies with depmod and loading xt_geoip module...\033[0m"
depmod
modprobe xt_geoip

# Verify module loading
if lsmod | grep -q "^xt_geoip"; then
    echo -e "\033[32mxt_geoip module successfully loaded.\033[0m"
else
    echo -e "\033[31mFailed to load xt_geoip module. Please check manually.\033[0m"
fi

echo ""
echo "----------------------------------------"
echo ""
echo -e "\033[32mComplete!\033[0m"
echo ""
echo "iptables is now ready to use with GeoIP module!"
echo ""

# Tabbed iptables lines
echo -e "\033[34mTo block a specific country, use the following command:\033[0m"
echo -e "\tiptables -I INPUT -m geoip --src-cc XX -j DROP"
echo -e "\033[33mReplace XX with the country code you want to block.\033[0m"
echo ""
echo -e "\033[34mTo block all countries except your own, use the following command:\033[0m"
echo -e "\tiptables -I INPUT -m geoip ! --src-cc YY -j DROP"
echo -e "\033[33mReplace YY with your country code.\033[0m"
echo ""