I'm not suggesting this is the best option, but if you can't find another that works then you could "roll your own" using a downloadable GeoIP database and the ipset tool.
For example, download the GeoLite2 Country database in CSV format. Download and unzip the files:
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
unzip GeoLite2-Country-CSV.zip
cd GeoLite2-Country-CSV_20190430
Find the id for France and filter all records for French networks:
grep France GeoLite2-Country-Locations-en.csv
3017382,en,EU,Europe,FR,France,1
awk -F, '$2 == 3017382 {print $1}' GeoLite2-Country-Blocks-IPv4.csv > french_networks.txt
Build an ipset containing French networks called france:
ipset create france hash:net
while read network ; do
ipset add france $network;
done < french_networks.txt
Use the ipset to create an iptables rule which drops anything not from France. Note you might need to add extra rules to ensure local networks are not dropped:
iptables -A INPUT -m set ! --match-set france src -j DROP
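The same procedure as one script, added here as an example; it is not code from the answer above. It builds the country set offline by emitting an `ipset restore` script instead of calling `ipset add` once per network, looks the country up by ISO code rather than by grepping its name, and also keeps blocks whose `registered_country_geoname_id` is France when `geoname_id` is empty. The file names and column layout are MaxMind's GeoLite2-Country CSV format; the rows written by `write_sample_csvs` are constructed sample data, and the `maxelem` value is an assumed bound, not something from the original answer.

```shell
#!/bin/sh
# Added example, not code from the original answer. Turns GeoLite2-Country
# CSV files into an `ipset restore` script offline, so the result can be
# inspected before anything touches the live firewall.

# Write two small constructed CSV files with the GeoLite2-Country layout
# into the directory given as $1 (sample data, not MaxMind's).
write_sample_csvs() {
    cat > "$1/GeoLite2-Country-Locations-en.csv" <<'EOF'
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
3017382,en,EU,Europe,FR,France,1
2635167,en,EU,Europe,GB,United Kingdom,0
6252001,en,NA,North America,US,United States,0
EOF
    cat > "$1/GeoLite2-Country-Blocks-IPv4.csv" <<'EOF'
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
2.0.0.0/12,3017382,3017382,,0,0
5.39.0.0/17,3017382,3017382,,0,0
8.8.8.0/24,6252001,6252001,,0,0
81.2.69.0/24,2635167,2635167,,0,0
91.121.0.0/16,,3017382,,0,0
EOF
}

# Look up a country's geoname_id by its ISO 3166-1 alpha-2 code (column 5).
# Matching the code column is unambiguous, whereas grepping the name would
# also hit any row whose name merely contains the search string.
geoname_id_for() {
    # $1 = Locations CSV, $2 = ISO code such as FR
    awk -F, -v iso="$2" 'NR > 1 && $5 == iso { print $1; exit }' "$1"
}

# Print an `ipset restore` script for every block whose geoname_id (col 2)
# or registered_country_geoname_id (col 3) equals the given id. Checking
# col 3 too keeps blocks whose geolocation is unknown (col 2 empty) but
# which are registered in that country.
blocks_to_ipset() {
    # $1 = Blocks CSV, $2 = geoname_id, $3 = set name, $4 = inet or inet6
    # maxelem is raised above the 65536 default because large countries
    # have more blocks than that (assumed bound; size it for your country).
    printf 'create %s hash:net family %s maxelem 262144\n' "$3" "$4"
    awk -F, -v id="$2" -v set="$3" \
        'NR > 1 && ($2 == id || $3 == id) { printf "add %s %s\n", set, $1 }' "$1"
}

# Stand-alone demo on the constructed data: prints the restore script
# for France to stdout.
demo_dir=$(mktemp -d)
write_sample_csvs "$demo_dir"
fr_id=$(geoname_id_for "$demo_dir/GeoLite2-Country-Locations-en.csv" FR)
blocks_to_ipset "$demo_dir/GeoLite2-Country-Blocks-IPv4.csv" "$fr_id" france inet
rm -rf "$demo_dir"
```

With the real files in the current directory, `blocks_to_ipset GeoLite2-Country-Blocks-IPv4.csv "$(geoname_id_for GeoLite2-Country-Locations-en.csv FR)" france inet | ipset restore -exist` loads the set in one pass. Two caveats before adding the DROP rule from the answer: put `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` ahead of it, or loopback and reply traffic will be dropped as "not from France"; and repeat the whole thing for `GeoLite2-Country-Blocks-IPv6.csv` with `family inet6` and an `ip6tables` rule, since the IPv4 set says nothing about IPv6 traffic.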
Best Answer
I wrote a blog post on basic iptables rules for the desktop user a long time ago and you should probably read it, and its linked article on Stateful firewall design. But pre kernel 2.6.39 (which includes ipset, and you may want to use that for whitelisting IPs if you have more than 10 to whitelist (where 10 is arbitrary)). First handle states that we know we want to accept or drop, and interfaces.
If you just want to do an allow by IP only, without state, you are likely to run into problems doing this though, and I suggest using state to make your life easier. For example, not allowing -i lo and -o lo will certainly cause problems for certain applications.