How to Allow Only One Country in Ubuntu IPTables – Firewall Configuration

Tags: firewall, http, iptables, networking, ssh

So I've been looking around on the net for a script that will drop all traffic to all ports except the http(80) and https(443) ports, and then only allow traffic on all other ports from country x (where in my case country x is the US).

I don't want to add in all IPs from every country; I just want to allow IPs from my country, then block almost all other traffic from the outside world. No one outside of my country should have access to ssh, ftp, smtp, etc. other than myself. If this ever changes I will add a special case for it when it approaches.

Side Note

I must note that I did find a question which contains a script to ban IPs by country using iptables, but that's a lot of extra inserting that I would have to do.

The script marked as the best answer will block all traffic from those IPs. I only want to block access to all ports except to 80 and 443.

Update

With the following rule,

iptables -A OUTPUT -m geoip --dst-cc CN -j DROP

would I be able to modify it and do something like

iptables -A OUTPUT -m geoip --dst-cc CN --dport 80 -j ACCEPT
iptables -A OUTPUT -m geoip --dst-cc CN --dport 443 -j ACCEPT
iptables -A OUTPUT -m geoip --dst-cc CN -j DROP

I would assume that this would allow IPs from China to access port 80 and port 443 and it would drop the rest. Would this assumption be correct? If not, why not?

Update 2

After some messing around I found that my version of Ubuntu doesn't like the --dport attribute. So instead of using that, those of us running Ubuntu 14+ (at least, I only have Ubuntu 14.04, 14.10, and 15.04 installed on some machines) will have to use -p PORT_NUMBER_OR_NAME.

So that would look like

iptables -A OUTPUT -m geoip --dst-cc CN -p 443 -j ACCEPT

or for incoming traffic,

iptables -A INPUT -m geoip --src-cc CN -p 443 -j ACCEPT

Best Answer

You will need to add the iptables support for geolocation. To do so, you'll have to follow these steps:

# apt-get install xtables-addons-common
# mkdir /usr/share/xt_geoip
# apt-get install libtext-csv-xs-perl unzip
# /usr/lib/xtables-addons/xt_geoip_dl
# /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv

This will allow you to do things like:

iptables -A OUTPUT -m geoip --dst-cc CN -j DROP

That would block any outgoing traffic to China (CN). The complexity of the rules is up to you; basically, you don't need a script: just write down the rules you want to apply and then use iptables-save so they are loaded each time you reboot.
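The ruleset the question asks for (80/443 open to everyone, every other port reachable only from one country, the rest dropped), written out as an iptables-restore file the way the answer suggests. This is an added example, not code from the asker or the answerer; it assumes xtables-addons is installed and the GeoIP database has been built as in the steps above. Two details matter for the asker's updates: a port match such as `--dport 443` is only accepted once `-p tcp` (or `-p udp`) precedes it, and on the INPUT chain the country of the *source* is matched, so the option is `--src-cc`, not `--dst-cc`. The admin address 203.0.113.10 is a constructed placeholder from the RFC 5737 documentation range.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that
#   (a) accepts TCP 80 and 443 from anywhere,
#   (b) accepts all other traffic only from sources the xt_geoip DB maps to one country,
#   (c) drops everything else via the chain policy.
# Assumes the geoip match from xtables-addons is available; the admin IP is a constructed
# placeholder (RFC 5737 range), not a real host.

gen_geoip_rules() {
    cc="$1"        # ISO 3166 country code allowed on all ports, e.g. US
    admin_ip="$2"  # one address that is always let in, whatever the GeoIP lookup says
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host initiated are always fine
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the admin's own address bypasses the country check (guards against a wrong GeoIP entry)
-A INPUT -s ${admin_ip} -j ACCEPT
# web ports are open to the world; a destination-port match needs -p tcp in front of it
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# every other port is reachable only from sources geolocated to ${cc}
# (on INPUT the source country is matched; the destination-country option is for OUTPUT)
-A INPUT -m geoip --src-cc ${cc} -j ACCEPT
# anything not matched above falls through to the INPUT policy, DROP
COMMIT
EOF
}

# Usage (as root, from a console session rather than over ssh, so a mistake cannot lock you out):
#   gen_geoip_rules US 203.0.113.10 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

Rule order is what makes this work: the web-port accepts come before the country accept, so a non-US client reaches 80/443 and nothing else, while a US client falls through to the geoip rule and reaches every port. Since the chain policy is DROP, no trailing DROP rule is needed, and iptables-save of the loaded rules gives you a file to reload at boot. Keep in mind that GeoIP data is an approximation of where an address is used, and that the legacy CSV feed `xt_geoip_dl` fetched when this answer was written has since been retired by MaxMind, so the download step may need the data source current for your xtables-addons version.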
