This is a little tutorial for adding GeoIP support to iptables in Debian Lenny. GeoIP maps real-world locations to IP networks. With GeoIP support in iptables, you can restrict access from certain locations.
In my tutorial I will restrict access for countries that are causing a security threat to hosted services. For short, ban the damn Chinese. :)
aptitude install libtext-csv-xs-perl linux-headers-`uname -r` iptables-dev
mkdir -p /var/geoip/LE /usr/src/GeoIP
wget -O /usr/src/GeoIP/GeoIPCountryCSV.zip http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
wget -O /usr/src/GeoIP/csv2bin-20041103.tar.gz http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
wget -O /usr/src/GeoIP/geoip_src.tar.bz2 http://jengelh.medozas.de/files/geoip/geoip_src.tar.bz2
wget -O /usr/src/GeoIP/xtables-addons-1.21.tar.bz2 http://downloads.sourceforge.net/project/xtables-addons/1.21/xtables-addons-1.21.tar.bz2
cd /usr/src/GeoIP
tar xf csv2bin-20041103.tar.gz
tar xf geoip_src.tar.bz2 geoip_csv_iv0.pl
unzip GeoIPCountryCSV.zip
tar xf xtables-addons-1.21.tar.bz2
cd xtables-addons-1.21
./configure --with-xtlibdir=/lib/xtables
make
make install
cd /usr/src/GeoIP/csv2bin
make
cd /var/geoip
/usr/src/GeoIP/csv2bin/csv2bin /usr/src/GeoIP/GeoIPCountryWhois.csv
cd /var/geoip/LE
perl /usr/src/GeoIP/geoip_csv_iv0.pl /usr/src/GeoIP/GeoIPCountryWhois.csv
Now we can add rules for keeping certain countries out.
iptables -N GEOIP_REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc CN -j REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc KR -j REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc KP -j REJECT
iptables -I GEOIP_REJECT -m geoip --src-cc TW -j REJECT
iptables -A INPUT -j GEOIP_REJECT
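Before loading a chain like the one above it is worth knowing which addresses the database actually assigns to the blocked country codes, because a country-wide REJECT on INPUT will also cut off any legitimate host that happens to sit in one of those ranges (a monitoring box, a remote admin, a CDN node). The following Python is an added example, not part of this tutorial or of csv2bin/xtables-addons: it parses rows in the layout of the legacy GeoIPCountryWhois.csv (start IP, end IP, start integer, end integer, country code, country name; that column order is an assumption about the legacy format), cross-checks the integer columns against the dotted quads, builds a sorted range table, and answers "would this address hit GEOIP_REJECT?" for a list of hosts you care about. The CSV rows embedded below are constructed for the demonstration and are not real MaxMind data.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample rows in the legacy GeoIPCountryWhois.csv layout (assumed):
# "start_ip","end_ip","start_int","end_int","cc","country name"
# The ranges and their country assignments are made up for this example.
SAMPLE_CSV = """\
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"1.11.0.0","1.11.255.255","17498112","17563647","KR","Korea, Republic of"
"1.12.0.0","1.15.255.255","17563648","17825791","CN","China"
"192.0.2.0","192.0.2.255","3221225984","3221226239","KP","Korea, Democratic People's Republic of"
"203.0.113.0","203.0.113.255","3405803776","3405804031","TW","Taiwan"
"""

# The same country codes the tutorial's GEOIP_REJECT chain matches on.
BLOCKED = frozenset({"CN", "KR", "KP", "TW"})


def parse_legacy_country_csv(text):
    """Parse legacy-format rows into a sorted list of (start_int, end_int, cc).

    The integer columns are cross-checked against the dotted quads and the
    ranges are checked for ordering and overlap, so a truncated or corrupt
    download is rejected before it can become firewall policy.
    """
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        start_ip, end_ip, start_int, end_int, cc = (
            row[0], row[1], int(row[2]), int(row[3]), row[4].strip().upper())
        if int(ipaddress.IPv4Address(start_ip)) != start_int:
            raise ValueError("start integer does not match %s" % start_ip)
        if int(ipaddress.IPv4Address(end_ip)) != end_int:
            raise ValueError("end integer does not match %s" % end_ip)
        if start_int > end_int:
            raise ValueError("range %s-%s is reversed" % (start_ip, end_ip))
        ranges.append((start_int, end_int, cc))
    ranges.sort()
    # Overlapping ranges would make a lookup ambiguous; refuse them.
    for (_, prev_end, _), (cur_start, _, _) in zip(ranges, ranges[1:]):
        if cur_start <= prev_end:
            raise ValueError("overlapping ranges in database")
    return ranges


class CountryDB:
    """Binary-search lookup over non-overlapping, sorted IPv4 ranges."""

    def __init__(self, ranges):
        self.ranges = ranges
        self.starts = [start for start, _, _ in ranges]

    def lookup(self, ip):
        """Return the country code for ip, or None if no range covers it."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0:
            start, end, cc = self.ranges[i]
            if start <= n <= end:
                return cc
        return None


def would_be_rejected(db, ip, blocked=BLOCKED):
    """True if ip resolves to one of the blocked country codes.

    Addresses with no database entry return False here, mirroring the chain
    above: a packet that matches no --src-cc rule falls through GEOIP_REJECT
    and is not rejected by it.
    """
    cc = db.lookup(ip)
    return cc is not None and cc in blocked


def check_hosts(db, hosts, blocked=BLOCKED):
    """Return (host, cc) for every host the rule set would cut off.

    Run this over management, monitoring and partner addresses before the
    chain is appended to INPUT.
    """
    return [(h, db.lookup(h)) for h in hosts if would_be_rejected(db, h, blocked)]


if __name__ == "__main__":
    db = CountryDB(parse_legacy_country_csv(SAMPLE_CSV))
    # Constructed list of hosts an operator might need to keep reachable.
    for host, cc in check_hosts(db, ["1.0.5.1", "203.0.113.9", "10.0.0.1"]):
        print("%s (%s) would be rejected by GEOIP_REJECT" % (host, cc))
```

Lookups are a binary search on the sorted start addresses followed by a single bounds check, which is also why the parser refuses overlapping ranges: with overlaps the "last start not greater than the address" rule could return the wrong row. Because a packet that matches none of the --src-cc rules simply falls through the chain, an address absent from the database is reported as not rejected, so hosts missing from the table are worth a second look rather than being assumed safe.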