If you are using Ubuntu, you can find similar guidance here: How to Block Access Based on GeoIP on Ubuntu.
This guide uses CentOS 7 with kernel 3.10 and xtables-addons 2.14. The latest xtables-addons release at the time of writing is 3.9, but the 3.x series requires newer kernel and iptables versions than CentOS 7 ships, so the 2.x series is the one that builds against kernel 3.10.
1. Install dependencies
yum install gcc gcc-c++ iptables-devel kernel-devel kernel-devel-`uname -r` wget
The kernel-devel package must match the running kernel exactly: the build looks for /lib/modules/$(uname -r)/build. If yum cannot find a kernel-devel for the kernel you are running, update the kernel (yum update kernel) and reboot before continuing, otherwise ./configure and make fail with "No such file or directory" for that build path.
2. Download and extract xtables-addons
cd /tmp/
wget -c https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-2.14.tar.xz
tar -xvf xtables-addons-2.14.tar.xz
Verify the archive before building it: the project publishes a detached .asc signature next to each tarball. This code ends up running inside the kernel, so a tampered download is a root compromise.
3. Disable TARPIT
cd xtables-addons-2.14
vi extensions/Kbuild
Comment out the following line so it reads:
#obj-${build_TARPIT} += xt_TARPIT.o
Setting build_TARPIT=n in the top-level mconfig file has the same effect. If you leave TARPIT enabled, the build fails against the CentOS 7 kernel with errors like these:
In file included from include/uapi/linux/netfilter_ipv6.h:11:0,
                 from include/linux/netfilter_ipv6.h:10,
                 from /tmp/xtables-addons-2.14/extensions/xt_TARPIT.c:45:
include/linux/netfilter.h:250:1: note: declared here
 NF_HOOK(uint8_t pf, unsigned int hook, struct sock *sk, struct sk_buff *skb,
 ^
make[4]: *** [/tmp/xtables-addons-2.14/extensions/xt_TARPIT.o] Error 1
make[3]: *** [_module_/tmp/xtables-addons-2.14/extensions] Error 2
make[3]: Leaving directory `/usr/src/kernels/3.10.0-1127.13.1.el7.x86_64'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/tmp/xtables-addons-2.14/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/xtables-addons-2.14'
make: *** [all] Error 2
4. Compile and install xtables-addons
./configure
make
make install
5. Enable module xt_geoip
modprobe xt_geoip
lsmod | grep xt_geoip
If modprobe reports that the module cannot be found, run depmod -a so the freshly installed module is picked up, then try again.
6. Create directory GeoIP
mkdir /usr/share/xt_geoip/
7. Download GeoIP databases
wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip
MaxMind no longer publishes the legacy GeoIP databases that xt_geoip 2.x reads, so this pulls a pre-built copy from a third-party mirror. The archive should unpack into the BE/ and LE/ subdirectories that xt_geoip looks in (one file per country, for example /usr/share/xt_geoip/LE/ID.iv4); confirm with ls /usr/share/xt_geoip/LE before writing any rules, because iptables refuses a geoip rule whose country file cannot be opened. Whoever controls that mirror controls what your firewall drops, so treat it as a trusted source.
8. Create iptables rules
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -s IP-OF-MY-ZIMBRA -j ACCEPT
iptables -A INPUT -m geoip ! --src-cc ID -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
Three things to check before relying on this. First, -A appends: look at iptables -L INPUT -n --line-numbers beforehand, and if the chain already ends in a catch-all REJECT or DROP (the default /etc/sysconfig/iptables shipped with iptables-services does), an appended rule lands behind it and is never evaluated, so insert with -I INPUT <n> at a position above it instead. Second, the negated match (! --src-cc ID) also fires for addresses that belong to no country in the database at all, such as private RFC 1918 ranges or allocations newer than the database, so allow any internal networks explicitly above the DROP rule. Third, these are IPv4 rules only; if the server has a public IPv6 address, add the same rules with ip6tables, for which xt_geoip reads the .iv6 files.
To allow more than one country, separate the codes with commas. For example, to allow Singapore as well:
iptables -A INPUT -m geoip ! --src-cc ID,SG -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
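The following script is an added example, not part of the original post: it generates the same filter as the rules above in iptables-restore format (the format service iptables save writes to /etc/sysconfig/iptables), with the ordering problems handled. The GeoIP test lives in its own chain that INPUT jumps to before anything else, loopback is matched on the interface rather than the source address, and an ESTABLISHED,RELATED accept (not on the original page) is placed first so the country lookup runs once per new connection rather than on every packet. The address 203.0.113.10 is an assumed placeholder standing in for IP-OF-MY-ZIMBRA; country codes, address and ports are parameters.

```shell
#!/bin/sh
# Added example: generate /etc/sysconfig/iptables content for the GeoIP filter.
# Assumption: 203.0.113.10 is a placeholder for the Zimbra host's own address.
set -eu

ZIMBRA_PORTS="80,110,143,443,465,587,993,995,7071"

# geoip_ruleset ALLOWED_CC SELF_IP [PORTS]
#   ALLOWED_CC  comma-separated ISO country codes that may reach Zimbra, e.g. ID or ID,SG
#   SELF_IP     the host's own public address (Zimbra's components talk to each other through it)
#   PORTS       comma-separated TCP ports to protect (default: the Zimbra list above)
# Emits a complete *filter table for iptables-restore. The GeoIP check sits in a
# dedicated chain that INPUT jumps to before anything else, so it cannot land
# behind a pre-existing ACCEPT or catch-all REJECT the way an appended (-A)
# rule does. Traffic for other ports never enters the chain.
geoip_ruleset() {
    allow_cc="$1"
    self_ip="$2"
    ports="${3:-$ZIMBRA_PORTS}"
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':GEOIP - [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -p tcp -m multiport --dports $ports -j GEOIP" \
        "-A GEOIP -s $self_ip -j ACCEPT" \
        "-A GEOIP -m geoip ! --src-cc $allow_cc -j DROP" \
        'COMMIT'
}

# Usage (as root):
#   ./geoip_rules.sh emit ID,SG 203.0.113.10 > /etc/sysconfig/iptables
#   iptables-restore --test < /etc/sysconfig/iptables   # parses the rules and loads the country files
#   systemctl restart iptables
if [ "${1:-}" = "emit" ]; then
    geoip_ruleset "${2:-ID}" "${3:-203.0.113.10}" "${4:-$ZIMBRA_PORTS}"
fi
```

iptables-restore --test is the cheap check that the geoip match can open every country file named in the rule; run it before the restart so a missing database does not leave the service failing at boot. Any other rules the host needs (SSH, ICMP) must be merged into this file because it replaces the whole filter table.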
9. Make iptables persistent
To load the rules automatically at boot, install iptables-services. If firewalld is running on the host, stop and mask it first; two services managing the same tables overwrite each other's rules.
yum install iptables-services
10. Save, enable autostart and restart
service iptables save
systemctl enable iptables
systemctl restart iptables
service iptables save writes the running ruleset to /etc/sysconfig/iptables, which is what the service loads at boot. Rules added later with plain iptables commands are lost at the next restart unless you save again.
11. Auto-update databases
Add a crontab entry (crontab -e) to refresh the GeoIP databases every night:
30 23 * * * wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip
Note that xt_geoip copies the address ranges into the kernel when a rule is inserted, not on every packet, so replacing the files on disk does nothing to the running rules: the rules have to be removed and re-added (systemctl restart iptables does that) once the download has succeeded. The other weakness of this one-liner is that a failed or truncated download is extracted straight into the live directory.
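The script below is an added example, not part of the original post, that replaces the nightly one-liner with a safer sequence: fetch into a temporary file, validate the archive, swap the directory in with a rename, and restart iptables only when the swap succeeded. The URL and /usr/share/xt_geoip come from this page; the assumption is that the mirror's archive unpacks into LE/ and BE/ subdirectories (one XX.iv4/.iv6 file per country), which is the layout xt_geoip 2.x reads. The archive is also checked for members with absolute or parent-directory paths, so a bad download can never write outside the target directory.

```shell
#!/bin/sh
# Added example: safer nightly refresh of the xt_geoip 2.x database.
# Assumes the mirror's archive unpacks into LE/ and BE/ (one XX.iv4/.iv6 file
# per country), which is the layout xt_geoip 2.x reads.
set -eu

GEOIP_URL="https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz"
GEOIP_DIR="${GEOIP_DIR:-/usr/share/xt_geoip}"

# geoip_archive_ok ARCHIVE -> 0 if the archive is usable, 1 otherwise.
# tar -tzf fails on a non-gzip or truncated file, which is what a failed wget
# leaves behind; the listing is then checked for the expected trees and for
# members that would write outside the target directory.
geoip_archive_ok() {
    archive="$1"
    listing=$(tar -tzf "$archive" 2>/dev/null) || return 1
    printf '%s\n' "$listing" | grep -qE '^(\./)?LE/[A-Z]{2}\.iv4$' || return 1
    printf '%s\n' "$listing" | grep -qE '^(\./)?BE/[A-Z]{2}\.iv4$' || return 1
    if printf '%s\n' "$listing" | grep -qE -e '^/' -e '(^|/)\.\.(/|$)'; then
        return 1
    fi
    return 0
}

# geoip_install ARCHIVE DEST -> unpack into a staging directory next to DEST
# (same filesystem, so the final mv is a rename), then move it into place.
# DEST is either fully replaced or left untouched; the previous database is
# kept as DEST.prev for a manual rollback.
geoip_install() {
    archive="$1"
    dest="$2"
    geoip_archive_ok "$archive" || { echo "geoip: rejected $archive" >&2; return 1; }
    stage=$(mktemp -d "$(dirname "$dest")/.xt_geoip.XXXXXX") || return 1
    if ! tar -xzf "$archive" -C "$stage" || [ ! -d "$stage/LE" ]; then
        rm -rf "$stage"
        return 1
    fi
    chmod 755 "$stage"              # mktemp creates the directory 0700
    rm -rf "$dest.prev"
    [ -d "$dest" ] && mv "$dest" "$dest.prev"
    mv "$stage" "$dest"
}

# geoip_update -> fetch, install and reload the firewall rules.
# xt_geoip hands the address ranges to the kernel when a rule is inserted, so
# the running rules only see the new database after the rules are reloaded.
# The reload is skipped when the update failed, leaving the old database and
# the old rules in place rather than a half-extracted directory.
geoip_update() {
    tmp=$(mktemp) || return 1
    if wget -q -O "$tmp" "$GEOIP_URL" && geoip_install "$tmp" "$GEOIP_DIR"; then
        rm -f "$tmp"
        systemctl restart iptables
    else
        rm -f "$tmp"
        echo "geoip: update failed, keeping the current database" >&2
        return 1
    fi
}

# Usage: save as /usr/local/sbin/xt_geoip_update and replace the cron line with
#   30 23 * * * /usr/local/sbin/xt_geoip_update update
if [ "${1:-}" = "update" ]; then
    geoip_update
fi
```

wget verifies the mirror's TLS certificate by default, so do not add --no-check-certificate; the transport is the only integrity check available for this feed, since the mirror publishes no signatures.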
Now try to reach your Zimbra server from another country. A remote port checker such as https://mxtoolbox.com/TCPLookup.aspx or https://www.yougetsignal.com/tools/open-ports/ should no longer report the protected ports as open.
With this in place, my Zimbra server only accepts connections from Indonesia (or Singapore).
Good luck 🙂
Nice manual, thanks. Other manuals I've seen don't cover the problem with the legacy MaxMind database, which is deprecated already. Your link to legacy-geoip-csv.ufficyo.com was very useful.
30 23 * * * wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip
bash: 30: command not found…
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Can you please guide me; what went wrong?
Hi,
That line should be inserted into the crontab. Run crontab -e first and paste the line there.
While doing the ./configure I get the following error:
checking kernel version that we will build against... make: *** /lib/modules/3.10.0-1127.19.1.el7.x86_64/build: No such file or directory. Stop.
0.0.0.0 in /lib/modules/3.10.0-1127.19.1.el7.x86_64/build
WARNING: That kernel version is not officially supported.
Later, while running make, I get this other error:
make all-recursive
make[1]: Entering directory `/root/xtables-addons-2.14'
Making all in extensions
make[2]: Entering directory `/root/xtables-addons-2.14/extensions'
Xtables-addons 2.14 - Linux make: Entering an unknown directory
make: *** /lib/modules/3.10.0-1127.19.1.el7.x86_64/build: No such file or directory. Stop.
make: Leaving an unknown directory
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/root/xtables-addons-2.14/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/xtables-addons-2.14'
make: *** [all] Error 2
I already installed kernel-devel
Hi Jorge,
Please run an update and upgrade first before applying this. Your server may have packages that need to be upgraded.
I have the same issue as Jorge. I am running on CentOS 7; any help would be appreciated.
./configure --without-kbuild