If you are using CentOS 7, you can find similar guidance here: How to Block Access Based on GeoIP on CentOS 7. If you are using Ubuntu, you can find similar guidance here: How to Block Access Based on GeoIP on Ubuntu.
In this guide, I am using CentOS 6 with kernel 2.6.32 and xtables-addons 1.47. The latest release of xtables-addons when this article was written was version 3.11. However, the kernel and iptables versions on CentOS 6 do not meet the minimum requirements of that release, so the xtables-addons series that matches kernel 2.6 is version 1.x.
1. Install dependencies
yum install gcc gcc-c++ iptables-devel kernel-devel kernel-devel-`uname -r` wget xz perl
2. Download and extract xtables-addons
cd /tmp/
wget -c https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-1.47.1.tar.xz
tar -xvf xtables-addons-1.47.1.tar.xz
3. Disable IPv6
sed -i -e 's|^#define CONFIG_IP6_NF_IPTABLES_MODULE 1|/*#define CONFIG_IP6_NF_IPTABLES_MODULE 1*/|' /usr/src/kernels/`uname -r`/include/linux/autoconf.h
If you don’t run the above command, you will see errors like the ones below:
/tmp/xtables-addons-1.47.1/extensions/compat_xtables.c: In function 'xtnu_ipv6_find_hdr':
/tmp/xtables-addons-1.47.1/extensions/compat_xtables.c:633: error: too few arguments to function 'ipv6_find_hdr'
make[4]: *** [/tmp/xtables-addons-1.47.1/extensions/compat_xtables.o] Error 1
make[3]: *** [_module_/tmp/xtables-addons-1.47.1/extensions] Error 2
make[3]: Leaving directory `/usr/src/kernels/2.6.32-754.31.1.el6.x86_64'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/tmp/xtables-addons-1.47.1/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/xtables-addons-1.47.1'
make: *** [all] Error 2
4. Compile and install xtables-addons
cd xtables-addons-1.47.1
./configure
make
make install
5. Enable module xt_geoip
modprobe xt_geoip
6. Create directory GeoIP
mkdir /usr/share/xt_geoip/
7. Download GeoIP databases
wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip
8. Create iptables rules
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -s IP-OF-MY-ZIMBRA -j ACCEPT
iptables -A INPUT -m geoip ! --src-cc ID -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
If you want to allow another country code, separate the codes with a comma. For example, to allow the Singapore country code too:
iptables -A INPUT -m geoip ! --src-cc ID,SG -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
9. IPtables persistent
To make the iptables rules load automatically at boot, install iptables-services
yum install iptables
10. Save, enable autostart and restart
service iptables save
chkconfig iptables on
service iptables restart
11. Auto-update databases
Create a crontab entry to update the GeoIP databases every night
30 23 * * * wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip
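The cron line above pipes a download straight into tar running as root. The following is an added example (not part of the original article) of the same update done through a staging directory, refusing archives that contain absolute paths, ".." components, or links. The function names and the --run switch are assumptions, and because the article gives no checksum for the archive, only its structure is checked.

```shell
#!/bin/sh
# Added example, not from the article. URL and target directory are the
# article's; function names and the --run switch are assumptions.
GEOIP_URL="https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz"
GEOIP_DIR="/usr/share/xt_geoip"

# Succeeds only for a relative member name with no ".." path component.
name_is_safe() {
    case "$1" in
        ""|/*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

# Succeeds only if the file is a readable .tar.gz whose members are all
# regular files or directories with safe names.
archive_is_safe() {
    names=$(tar -tzf "$1" 2>/dev/null) || return 1
    [ -n "$names" ] || return 1
    # First character of a verbose line is the type; only "-" and "d" pass.
    if tar -tvzf "$1" 2>/dev/null | grep -q '^[^d-]'; then return 1; fi
    while IFS= read -r n; do
        name_is_safe "$n" || return 1
    done <<EOF
$names
EOF
    return 0
}

# Download to a staging directory, validate, unpack there, then copy into
# place. GEOIP_DIR is not written unless download, checks and unpack succeed.
update_geoip() {
    stage=$(mktemp -d) || return 1
    rc=1
    if wget -q -O "$stage/db.tar.gz" "$GEOIP_URL" &&
       archive_is_safe "$stage/db.tar.gz" &&
       mkdir "$stage/out" &&
       tar -xzf "$stage/db.tar.gz" -C "$stage/out" --no-same-owner &&
       cp -R "$stage/out/." "$GEOIP_DIR/"; then
        rc=0
    else
        echo "GeoIP update failed; existing database left in place" >&2
    fi
    rm -rf "$stage"
    return $rc
}

# Cron would call this script with --run; sourcing it only defines functions.
if [ "${1:-}" = "--run" ]; then update_geoip; fi
```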
Now you can try to access your Zimbra server from another country. You can use this tool to check the ports: https://mxtoolbox.com/TCPLookup.aspx or this one: https://www.yougetsignal.com/tools/open-ports/
Now, I can only access my Zimbra from Indonesia (or Singapore).
Good Luck 🙂
Couldn't load match `geoip':/lib64/xtables/libipt_geoip.so: cannot open shared object file: No such file or directory
I tried the above commands, but the "libipt_geoip.so" file was not created,
so it gives an error when adding rules in iptables, especially this one:
iptables -A INPUT -m geoip ! --src-cc ID,SG -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP