I usually use this method to block access to my Zimbra server from international/outside IP addresses. Only IP addresses from my country (Indonesia) can access my Zimbra, specifically Zimbra webmail, IMAP, POP, SMTP SSL/Submission, and the Zimbra Admin console.
If a user travels to another country, they should first confirm this with the Zimbra Administrator, so that the administrator can whitelist that country code in the firewall (iptables).
This guide uses iptables and the xtables-addons modules to block access based on GeoIP. Below is how to do that.
# Install Xtables and dependencies
apt-get install curl wget unzip perl xtables-addons-common xtables-addons-dkms libtext-csv-xs-perl libmoosex-types-netaddr-ip-perl
modprobe xt_geoip
# Create directory GeoIP
mkdir /usr/share/xt_geoip/
# Download GeoIP databases
wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip
# Create iptables rules
The two ACCEPT rules must be added before the DROP rule, because iptables evaluates the INPUT chain in order:
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -s IP-OF-MY-ZIMBRA -j ACCEPT
iptables -A INPUT -m geoip ! --src-cc ID -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
If you want to allow another country code, separate the codes with a comma. For example, to allow the Singapore country code too:
iptables -A INPUT -m geoip ! --src-cc ID,SG -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
# IPtables persistent
To make the iptables rules load automatically at boot, install iptables-persistent:
apt-get install iptables-persistent
# Configure auto start
For Ubuntu 14.04:
/etc/init.d/iptables-persistent save
update-rc.d iptables-persistent enable
/etc/init.d/iptables-persistent restart
For Ubuntu 16.04 and later:
netfilter-persistent save
systemctl enable netfilter-persistent
systemctl restart netfilter-persistent
# Auto update databases
Create a crontab entry to update the GeoIP databases every night:
30 23 * * * wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip
Now you can try to access your Zimbra from another country. You can use these tools to check the ports: https://mxtoolbox.com/TCPLookup.aspx or https://www.yougetsignal.com/tools/open-ports/
Now, I can access my Zimbra only from Indonesia (or Singapore).
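As an added example (not part of the original post), the rule set above wrapped in a small script: it validates the country list, checks that each country's xt_geoip database file (CC.iv4) exists before touching iptables (the cause of the "Could not read geoip database" error), keeps the two ACCEPT rules ahead of the DROP, and defaults to a dry run that only prints the commands. The function names, the DRY_RUN variable and the address 203.0.113.10 are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example: apply the Zimbra GeoIP rules safely. Run as root with DRY_RUN=0
# to actually change the firewall; by default it only prints the commands.
set -eu

ZIMBRA_PORTS="80,110,143,443,465,587,993,995,7071"
GEOIP_DIR="${GEOIP_DIR:-/usr/share/xt_geoip}"
DRY_RUN="${DRY_RUN:-1}"

# A country list must be comma-separated two-letter codes, e.g. ID or ID,SG.
valid_cc_list() {
  printf '%s' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# Print every code in the list whose xt_geoip database file (CC.iv4) is absent.
missing_geoip_dbs() {
  local cc
  for cc in $(printf '%s' "$1" | tr ',' ' '); do
    [ -f "$GEOIP_DIR/$cc.iv4" ] || printf '%s\n' "$cc"
  done
}

# Build the single DROP rule for the Zimbra ports, restricted to the given countries.
build_drop_rule() {
  printf 'iptables -A INPUT -m geoip ! --src-cc %s -p tcp -m multiport --dport %s -j DROP' \
    "$1" "$ZIMBRA_PORTS"
}

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else eval "$*"; fi; }

# apply_geoip_rules SERVER_IP CC_LIST: allow loopback and the server's own
# address first, then drop everything from outside the listed countries.
apply_geoip_rules() {
  local server_ip="$1" cc_list="$2" missing
  valid_cc_list "$cc_list" || { echo "bad country list: $cc_list" >&2; return 1; }
  missing=$(missing_geoip_dbs "$cc_list")
  [ -z "$missing" ] || { echo "missing GeoIP database for: $missing" >&2; return 1; }
  run "iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT"
  run "iptables -A INPUT -s $server_ip -j ACCEPT"
  run "$(build_drop_rule "$cc_list")"
}
```

Example call: `DRY_RUN=1 ./geoip-zimbra.sh` after adding `apply_geoip_rules 203.0.113.10 ID,SG` at the bottom prints the three rules it would add.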
Good Luck 🙂
Thanks To:
– https://daenney.github.io/2017/01/07/geoip-filtering-iptables.html
– https://legacy-geoip-csv.ufficyo.com/
hi
Can we apply this on CentOS? Please provide the steps for CentOS …
Hi,
Yes, I am going to create the guidance too
Sure, please, I am waiting for that 🙂 Please do it as soon as possible.
The article has just been released 🙂
iptables -A INPUT -s IP-OF-MY-ZIMBRA -j ACCEPT
Is that the local or public IP of the server?
In order to use this for other applications like SSH what do I have to change?
Hi Ahmed,
IP-OF-MY-ZIMBRA is the IP address that is listed on your server. You can check it using the “ifconfig” or “ip a” command. You can use it for SSH. The difference is in --dport: SSH uses port 22 (default).
How can i do this geoblock for all ports?
Hi Felipe,
You can leave out -p tcp --dport, so that it looks like below:
iptables -A INPUT -m geoip ! --src-cc VN -j DROP
Could not open /usr/share/xt_geoip/VN.iv4: No such file or directory
iptables v1.8.4 (legacy): Could not read geoip database
Hi Lacdan,
Please check this file and make sure the file already exists:
/usr/share/xt_geoip/VN.iv4: No such file or directory.
Hi, currently I'm getting an issue: it seems I cannot attach files after running this; I get that error when attaching a file, but if I run with the internal IP it works.
Hey Iman,
Thanks for the tutorial. Would this work with Ubuntu 22.04?
I
Hi David,
Yes, the guide will work on Ubuntu 22.04. Some folder locations are different. I usually use this one for Ubuntu 20: https://ultramookie.com/2020/10/geoip-blocking-ubuntu-20.04/
Hi Om Iman,
How to disable this setting if we have an issue?
Hello,
You can run this command
The GeoIP databases are no longer available at the specified address (*https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz*). Is there a new address?
10x
Hi Igor,
You can download them from MaxMind directly. I will write about it later.