How to Block Access Based on GeoIP on CentOS 6

Posted by

If you are using CentOS 7, you can find similar guidance here: How to Block Access Based on GeoIP on CentOS 7. If you are using Ubuntu, you can find similar guidance here: How to Block Access Based on GeoIP on Ubuntu.

In this guidance, I am using CentOS 6 with kernel 2.6.32 and xtables-addons 1.47. The latest release of xtables-addons when this article was written is version 3.11. However, the kernel and iptables versions on CentOS 6 do not match the minimum requirements with the latest version. So, the version of xtables-addons that matches the kernel 2.6 is version 1.x.

1. Install dependencies

yum install gcc gcc-c++ iptables-devel kernel-devel kernel-devel-`uname -r` wget xz perl

2. Download and extract xtables-addons

cd /tmp/
wget -c
tar -xvf xtables-addons-1.47.1.tar.xz

3. Disable ipv6

sed -i -e 's|^#define CONFIG_IP6_NF_IPTABLES_MODULE 1|/*#define CONFIG_IP6_NF_IPTABLES_MODULE 1*/|' /usr/src/kernels/`uname -r`/include/linux/autoconf.h

if you don’t run above command, you will see errors like below

/tmp/xtables-addons-1.47.1/extensions/compat_xtables.c: In function 'xtnu_ipv6_find_hdr':
/tmp/xtables-addons-1.47.1/extensions/compat_xtables.c:633: error: too few arguments to function 'ipv6_find_hdr'
make[4]: *** [/tmp/xtables-addons-1.47.1/extensions/compat_xtables.o] Error 1
make[3]: *** [_module_/tmp/xtables-addons-1.47.1/extensions] Error 2
make[3]: Leaving directory `/usr/src/kernels/2.6.32-754.31.1.el6.x86_64'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/tmp/xtables-addons-1.47.1/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/xtables-addons-1.47.1'
make: *** [all] Error 2

4. Compile and install xtables-addons

cd xtables-addons-1.47.1
make install

5. Enable module xt_geoip

modprobe xt_geoip

6. Create directory GeoIP

mkdir /usr/share/xt_geoip/

7. Download GeoIP databases

wget -q -O - | tar -xvzf - -C /usr/share/xt_geoip

8. Create iptables rules

iptables -A INPUT -s -j ACCEPT
iptables -A INPUT -m geoip ! --src-cc ID -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP

If you want to allow another Country Code, use a comma. For example. I want to allow Singapore Country Code too

iptables -A INPUT -m geoip ! --src-cc ID,SG -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP

9. IPtables persistent

To make iptables rules auto load when booting, please install iptables-services

yum install iptables

10. Save, enable autostart and restart

service iptables save
chkconfig iptables on
service iptables restart

11. Auto-update databases

Create crontab to update GeoIP databases every night

30 23 * * * wget -q -O - | tar -xvzf - -C /usr/share/xt_geoip

Now, you can try to access your Zimbra from another Country code. You can use this tool to check port: or this one:

Now, I can only access my Zimbra from Indonesia (or Singapore).

Good Luck đŸ™‚

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.