In this guide, I am using Rocky Linux 8 with kernel 4.18 and xtables-addons 3.27. The example service is Zimbra: the goal is to make its mail and web ports reachable only from selected countries.
1. Install dependencies
yum install gcc gcc-c++ kernel-modules kernel-core kernel-headers kernel-devel perl-Net-CIDR-Lite perl-Text-CSV_XS elfutils-libelf-devel iptables-services
2. Download and extract xtables-addons
cd /tmp/
wget -c https://inai.de/files/xtables-addons/xtables-addons-3.27.tar.xz
tar -xvf xtables-addons-3.27.tar.xz
3. Remove all obj-${build_*} entries except xt_geoip
Because I only need GeoIP, I removed the other extensions from extensions/Kbuild; the compat_xtables.o line is left in place.
cd xtables-addons-3.27
vi extensions/Kbuild
Please see the example below
[root@localhost xtables-addons-3.27]# cat extensions/Kbuild
# -*- Makefile -*-
include ${XA_ABSTOPSRCDIR}/mconfig
-include ${XA_ABSTOPSRCDIR}/mconfig.*
obj-m += compat_xtables.o
obj-${build_geoip} += xt_geoip.o
-include ${M}/*.Kbuild
-include ${M}/Kbuild.*
4. Compile and install xtables-addons
./configure
make
make install
If make fails, first check that kernel-devel matches the running kernel: yum install kernel-devel pulls the newest version, which is not the one you are running if you have not rebooted since the last kernel update, and the module has to be built against the headers of the kernel that will load it. If the build succeeds but modprobe xt_geoip is refused with "Required key not available", Secure Boot is enforcing kernel module signatures and rejecting the unsigned module. Check the Secure Boot state with the following command.
sudo mokutil --sb-state
Example output
[root@localhost xt_geoip]# sudo mokutil --sb-state
EFI variables are not supported on this system
This output means the machine booted in legacy BIOS mode, so there is no Secure Boot to interfere. "SecureBoot enabled" is the state that blocks the unsigned module.
If you are on VMware, this article shows how to turn UEFI Secure Boot off (or on) for a VM: https://knowledge.broadcom.com/external/article/377377/enable-or-disable-uefi-secure-boot-for-a.html. Disabling Secure Boot removes the check that keeps unsigned code out of the kernel, so on a host you care about, signing xt_geoip.ko with your own key enrolled through mokutil is the better fix; either way, make the choice deliberately rather than as a build workaround.
5. Enable module xt_geoip
modprobe xt_geoip
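As an added example (not part of the original guide), the following script bundles the checks that steps 4 and 5 rely on: it classifies the mokutil --sb-state output, confirms that an xt_geoip module exists for the running kernel under /lib/modules, loads it, and confirms that it is loaded. The check functions take their inputs as arguments so they can be exercised with constructed data; the filename is hypothetical, and any kernel release, directory tree or /proc/modules lines used while testing it are made up. Run it with --run on the real host.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight checks for the
# out-of-tree xt_geoip module. The check functions take their inputs as
# arguments so they can be exercised offline with constructed data; only
# `--run` touches the live system (uname, mokutil, /lib/modules, modprobe).
export LC_ALL=C

# Classify the output of `mokutil --sb-state`:
#   enforcing - Secure Boot is on; the kernel refuses an unsigned xt_geoip.ko
#   off       - UEFI boot, Secure Boot disabled or not supported by the firmware
#   legacy    - "EFI variables are not supported": BIOS boot, no Secure Boot
#   unknown   - anything else (mokutil missing, unexpected text)
sb_state_from_output() {
    case "$1" in
        *"SecureBoot enabled"*)              echo enforcing ;;
        *"SecureBoot disabled"*)             echo off ;;
        *"doesn't support Secure Boot"*)     echo off ;;
        *"EFI variables are not supported"*) echo legacy ;;
        *)                                   echo unknown ;;
    esac
}

# Return 0 if a module file for $1 exists under <root>/<release> (root defaults
# to /lib/modules). `make install` places the module below the running kernel's
# directory; after a kernel update the new release has no such file until
# xtables-addons is rebuilt, and iptables-restore then fails at boot.
module_present_for_kernel() {
    mod=$1; release=$2; root=${3:-/lib/modules}
    [ -d "$root/$release" ] || return 1
    [ -n "$(find "$root/$release" -name "$mod.ko*" 2>/dev/null | head -n 1)" ]
}

# Return 0 if module $1 is listed in a /proc/modules-style file ($2, default
# /proc/modules), i.e. it is currently loaded.
module_loaded() {
    mod=$1; modules_file=${2:-/proc/modules}
    grep -q "^$mod " "$modules_file" 2>/dev/null
}

main() {
    release=$(uname -r)
    state=$(sb_state_from_output "$(mokutil --sb-state 2>&1 || true)")
    echo "secure boot: $state"
    if [ "$state" = enforcing ]; then
        echo "unsigned xt_geoip.ko will be refused (Required key not available);" \
             "sign it with a MOK key enrolled via mokutil, or disable Secure Boot" >&2
    fi
    if module_present_for_kernel xt_geoip "$release"; then
        echo "xt_geoip module installed for $release"
    else
        echo "no xt_geoip module under /lib/modules/$release; rebuild xtables-addons" \
             "against kernel-devel-$release (steps 4 and 5)" >&2
        exit 1
    fi
    modprobe xt_geoip
    module_loaded xt_geoip && echo "xt_geoip loaded"
}

# Run the live checks only when asked; otherwise the file just defines functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Save it as, for example, xt_geoip-check.sh and run sh xt_geoip-check.sh --run after make install; a non-zero exit before modprobe means the module is not there for the kernel you are running, which is exactly what happens after a kernel update.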
6. Create account on https://www.maxmind.com
After creating an account on maxmind.com, go to Manage License Keys and generate a new license key. Note the Account ID and License Key; the key is needed for the download in step 8 and should be treated as a credential, not as a configuration value to paste into shared documents.
7. Create GeoIP directory
mkdir /usr/share/xt_geoip/
8. Download GeoIP databases
cd /usr/share/xt_geoip/
wget -q -OGeoLite2-Country-CSV.zip "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=INSERT-LICENSE-KEY-FROM-MAXMIND&suffix=zip"
unzip GeoLite2-Country-CSV.zip
cp GeoLite2-Country-CSV*/GeoLite2-Country-Blocks-IPv4.csv /usr/share/xt_geoip/
wget -O dbip-country-lite.csv.gz "https://download.db-ip.com/free/dbip-country-lite-$(date +'%Y-%m').csv.gz"
gunzip dbip-country-lite.csv.gz
Note: replace INSERT-LICENSE-KEY-FROM-MAXMIND with the license key from step 6. The key travels in the URL, so it ends up in your shell history and is visible to other users in the process list while wget runs; treat it like a password.
9. Compile GeoIP database
/tmp/xtables-addons-3.27/geoip/xt_geoip_build -D /usr/share/xt_geoip/ GeoLite2-Country-Blocks-IPv4.csv
With xtables-addons 3.x the build writes one CC.iv4 and one CC.iv6 file per country into the target directory, so before writing rules that reference ID, confirm that /usr/share/xt_geoip/ID.iv4 exists; iptables refuses to load a geoip rule whose country file is missing. Note also that step 8 fetched two databases with different column layouts (the MaxMind GeoLite2 CSV and the DB-IP country lite CSV) but this step only passes the GeoLite2 file to xt_geoip_build. The 3.x tree ships a separate build script per format (xt_geoip_build for the DB-IP file and xt_geoip_build_maxmind for the GeoLite2 files; list /tmp/xtables-addons-3.27/geoip/ and read the usage header of each), so make sure the script you run matches the file you give it, and check the resulting .iv4 files rather than trusting a clean exit.
10. Create iptables rules
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -s IP-OF-MY-ZIMBRA -j ACCEPT
iptables -A INPUT -m geoip ! --src-cc ID -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
A few points about these rules. -A appends, so on a host that already has a catch-all REJECT or DROP at the end of INPUT (the default ruleset shipped with iptables-services ends with one), the new rules land behind it and are never evaluated; check the order with iptables -S INPUT, or insert them with -I at the right position. The negated match drops every source that is not in the ID database, including addresses the database does not cover at all, which is the fail-closed behaviour you want. Port 22 is deliberately absent from the list, so SSH stays reachable from anywhere and you cannot lock yourself out, but it is also not geo-filtered. The first rule accepts on source address alone; matching on -i lo is the stricter way to allow loopback traffic, because a packet arriving on a real interface with a forged 127.x source would also match -s 127.0.0.0/8.
To allow more than one country, separate the codes with a comma. For example, to allow Singapore as well:
iptables -A INPUT -m geoip ! --src-cc ID,SG -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
11. Iptables persistent
iptables-services (already installed in step 1) provides the iptables.service unit that reloads the saved rules at boot; if you skipped it, install it now. Rocky Linux 8 ships firewalld as its default firewall manager and the two units conflict, so stop and disable firewalld before enabling iptables.
yum install iptables-services
12. Save, enable autostart and restart
service iptables save
systemctl enable iptables
systemctl restart iptables
service iptables save writes the live ruleset to /etc/sysconfig/iptables, and iptables.service restores it at boot; the geoip rule pulls in xt_geoip automatically, provided a module built for the running kernel is installed and the country files are present in /usr/share/xt_geoip. Two things break this silently: a kernel update (the out-of-tree module does not exist for the new kernel until you repeat steps 4 and 5, so the restore fails on the geoip rule, which aborts the whole filter table and leaves the host without these rules), and a stale database (refresh it periodically by repeating steps 8 and 9). After every reboot, confirm with systemctl status iptables and iptables -S INPUT that the rules are actually loaded.
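The following script, added here and not part of the original guide, turns steps 10 to 12 into a fail-closed pre-flight: it normalises the country list, checks that /usr/share/xt_geoip holds a CC.iv4 file for every code (the layout xtables-addons 3.x writes), prints the rules (with -i lo in place of -s 127.0.0.0/8), and, after --apply, checks that the geoip DROP rule is not shadowed by an earlier catch-all in iptables -S INPUT. The filename geoip-preflight.sh, the address 203.0.113.10 and any sample iptables -S output used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: fail-closed pre-flight for the
# geoip rules of steps 10-12. Validate the country list, confirm the database
# files exist for each code, print (or apply) the rules, and check that the
# geoip DROP rule is not shadowed by an earlier catch-all. Only --apply touches
# the live ruleset; everything else works on arguments and can be tested offline.
export LC_ALL=C

GEOIP_DB_DIR=/usr/share/xt_geoip          # where step 9 wrote CC.iv4 / CC.iv6
ZIMBRA_PORTS=80,110,143,443,465,587,993,995,7071

# "id, sg" -> "ID,SG". Reject anything that is not a comma-separated list of
# two-letter codes: a typo here is either refused by iptables at boot (leaving
# no rules at all) or quietly allows the wrong country.
normalize_cc_list() {
    out=$(printf '%s' "$1" | tr -d ' ' | tr 'a-z' 'A-Z')
    case "$out" in
        ""|,*|*,|*,,*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for cc in $out; do
        case "$cc" in
            [A-Z][A-Z]) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Return 0 only if every code in $1 has a database file for address family $2
# (4 or 6) in directory $3. iptables refuses a geoip rule whose country file is
# missing, so a missing file at boot means "no rules", not "that country blocked".
geoip_db_present() {
    ccs=$1; family=${2:-4}; dir=${3:-$GEOIP_DB_DIR}
    missing=""
    old_ifs=$IFS; IFS=,
    for cc in $ccs; do
        [ -f "$dir/$cc.iv$family" ] || missing="$missing $cc"
    done
    IFS=$old_ifs
    [ -z "$missing" ] && return 0
    echo "missing geoip database for:$missing (looked in $dir)" >&2
    return 1
}

# Print the INPUT rules, one per line. -i lo replaces -s 127.0.0.0/8 so that a
# packet arriving on a real interface with a forged loopback source is not
# accepted; the other two rules follow step 10 of the guide.
geoip_rules() {
    ccs=$1; zimbra_ip=$2; ports=${3:-$ZIMBRA_PORTS}
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -s %s -j ACCEPT\n' "$zimbra_ip"
    printf 'iptables -A INPUT -m geoip ! --src-cc %s -p tcp -m multiport --dport %s -j DROP\n' \
        "$ccs" "$ports"
}

# Given the text of `iptables -S INPUT`, return 0 if a geoip rule appears before
# any catch-all "-A INPUT -j REJECT/DROP". The iptables-services default ruleset
# ends in "-A INPUT -j REJECT --reject-with icmp-host-prohibited"; a rule
# appended after it is never evaluated.
geoip_rule_reachable() {
    printf '%s\n' "$1" | awk '
        /-m geoip/ { found = 1 }
        !found && /^-A INPUT -j (REJECT|DROP)/ { shadowed = 1; exit }
        END { exit (found && !shadowed) ? 0 : 1 }'
}

# usage: sh geoip-preflight.sh ID,SG IP-OF-MY-ZIMBRA [--apply]
main() {
    ccs=$(normalize_cc_list "$1") || { echo "bad country list: '$1'" >&2; exit 2; }
    geoip_db_present "$ccs" 4 || exit 2
    if [ "${3:-}" = "--apply" ]; then
        geoip_rules "$ccs" "$2" | sh -e
        geoip_rule_reachable "$(iptables -S INPUT)" \
            || echo "warning: geoip rule is shadowed by an earlier catch-all; check iptables -S INPUT" >&2
    else
        geoip_rules "$ccs" "$2"
    fi
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Without --apply the script only prints the rules, which is a convenient way to review them before running service iptables save; with --apply it refuses to touch the ruleset when a country file is missing, so the failure shows up at your terminal instead of at the next reboot.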
Now try to reach your Zimbra from another country, or use an external TCP port checker such as https://mxtoolbox.com/TCPLookup.aspx or https://www.yougetsignal.com/tools/open-ports/; the check runs from the tool's own location, so it should report the listed ports as filtered unless that location is in an allowed country.
At the moment, my Zimbra is only accessible from Indonesia (or Singapore).
Good Luck