Iptables to allow traffic from one country only

firewalliptables

I would like to allow traffic from one country only.

I have seen and read online multiple ways, but most of them are outdated (with Xtables-addons),
and the other half show how to blacklist IPs that one dose not like.

However this is a wrong approach, to black list everything one by one.
A better approach will be to do a white list so everything beside that white list will be blocked.

I am in France; I want to allow only french clients/users to access the server.

The iptables rule I have inplace is

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination xx.xx.xx.xx:80

just forwarding traffic.

Best Answer

I'm not suggesting this is the best option, but if you can't find another that works then you could "roll your own" using a downloadable GeoIP database and the ipset tool.

For example download the Geolite2 database Countries in CSV format. Download and unzip the files:

wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
unzip GeoLite2-Country-CSV.zip
cd GeoLite2-Country-CSV_20190430

Find the id for France and filter all records for french networks:

grep France GeoLite2-Country-Locations-en.csv
3017382,en,EU,Europe,FR,France,1

awk -F, '$2 == 3017382 {print $1}' > french_networks.txt

Build an ipset containing french networks called france:

ipset create france hash:net
while read network ; do 
    ipset add france $network; 
done < french_networks.txt

Use the ipset to create an iptables rule which drops anything not from France. Note you might need to add extra rules ensure local networks are not dropped:

iptables -A INPUT -m set ! --match-set france src -j DROP

Related Solutions

Iptables Firewall – How to Allow Only Specific Application/User with iptables/pf

here's the iptables command to allow for a certain uid through a certain port.

iptables -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner username -j ACCEPT

from the man page

[!] --uid-owner userid[-userid] Matches if the packet socket’s file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.

as far as virtualbox.. I believe it runs its own kernel... so you might want to use the --uid-owner of virtualbox on the host OS, but then have a --uid-owner owner rule on the virtual machine as well.

It might also be useful to note that --gid-owner also exists, and you could create a group browser and sgid your browser apps so it runs with an effective group browser and then only put users who you want to have browsing in that group... this would not be a perfect solution... but most of the users wouldn't try to run any other apps as that group, thus generally restricting the outbound to that application I believe. I haven't tried this, so I'm not 100% that it would work as I've described.

Iptables: how to allow traffic from redirected port

When User HIT Port 80 Then in iptables it's first check NAT PREROUTING Table then it's checks FILTER Tables, So as per your scenario you need to allow Port 8080 in Filter INPUT chain.

See below Example:

In Filter Table :

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT

In Nat Table :

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

Above rules is tested with Filter INPUT Policy Drop and it's working.

For Tables Sequence is Below :

Mangle PREROUTING
Nat PREROUTING
mangle INPUT
Filter INPUT

For more details check this page.

Best Answer

Related Solutions

Iptables Firewall – How to Allow Only Specific Application/User with iptables/pf

Iptables: how to allow traffic from redirected port

Related Question