How to Block Access Based on GeoIP on Ubuntu

Posted by

I usually use this method to block access to my Zimbra server from international IP/outside. Only IP based on my country (Indonesia) who can access my Zimbra. Especially, access to Zimbra webmail, IMAP, POP, SMTP SSL/Submission, and Zimbra Admin.

If there are users who visited another country, they should confirm first to Zimbra Administrator. So, Zimbra Administrator can whitelist the Country code from the firewall (IPTABLES).

The guidance uses IPTABLES and XTABLES add ons to block access based on GeoIP. Below is how to do that

# Install Xtables and dependencies

apt-get install curl wget unzip perl xtables-addons-common xtables-addons-dkms libtext-csv-xs-perl libmoosex-types-netaddr-ip-perl
modprobe xt_geoip

# Create directory GeoIP

mkdir /usr/share/xt_geoip/

# Download GeoIP databases

wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip

# Create iptables rules

iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -s IP-OF-MY-ZIMBRA -j ACCEPT
iptables -A INPUT -m geoip ! --src-cc ID -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP

If you want to allow another Country Code, use a comma. For example. I want to allow Singapore Country Code too

iptables -A INPUT -m geoip ! --src-cc ID,SG -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP

# IPtables persistent
To make iptables rules auto load when booting, please install iptables-persistent

apt-get install iptables-persistent

# Configure auto start
For Ubuntu 14.04

/etc/init.d/iptables-persistent save
update-rc.d iptables-persistent enable
/etc/init.d/iptables-persistent restart

For Ubuntu 16.04 and latest

netfilter-persistent save
systemctl enable netfilter-persistent
systemctl restart netfilter-persistent

# Auto update databases
Create crontab to update GeoIP databases every night

30 23 * * * wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip

Now, you can try to access your Zimbra from another Country code. You can use this tool to check port: https://mxtoolbox.com/TCPLookup.aspx or this one: https://www.yougetsignal.com/tools/open-ports/

Now, I can access my Zimbra only from Indonesia (or Singapore).

Good Luck 🙂

Thanks To:
https://daenney.github.io/2017/01/07/geoip-filtering-iptables.html
https://legacy-geoip-csv.ufficyo.com/

15 comments

  1. iptables -A INPUT -s IP-OF-MY-ZIMBRA -j ACCEPT

    Ist that tle local or public IP of the server?

    In order to use this for other applications like SSH what do I have to change?

    1. Hi Ahmed,
      IP-OF-MY-ZIMBRA is IP address that listed on you server. You can check it using “ifconfig” or “ip a” command. You can use it for SSH. The different is on –dport. SSH is using port 22 (default)

  2. iptables -A INPUT -m geoip ! –src-cc VN -p tcp -m multiport –dport 80,110,143,443,465,587,993,995,7071 -j DROP
    Could not open /usr/share/xt_geoip/VN.iv4: No such file or directory
    iptables v1.8.4 (legacy): Could not read geoip database

  3. Hi currently im getting an issue it seems i cannot attach files after running this, i get that error
    attaching file, but if i run with the internal ip it works

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.