How do I allow only US IP addresses using iptables?

Solution 1:

The easiest way would be to block all traffic by default and then only allow the US ranges. I've used this website in the past to get the IP ranges of various countries. In iptables you create an accept rule of $US_IPS and then have them defined. Just as a warning, this is a lot of IPs and could slow down your firewall depending on the hardware specs and the amount of traffic coming in, due to the rule having to look through so many IPs each time. If there are some specific IPs that hit your firewall a lot, you may want to put a rule for them above this accept rule so it won't have to process the huge IP list each time.

https://www.countryipblocks.net/country_selection.php
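A dry-run script for the layout Solution 1 describes (default deny, one ACCEPT per listed range, frequently seen sources placed ahead of the big list), added here as an example and not part of the original answers. The function names, the one-range-per-line file format and the sample ranges are assumptions; the script prints the iptables commands so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): turn a file of country CIDR ranges
# into the "default deny, accept the listed ranges" iptables layout from Solution 1.
# It prints the commands instead of running them; apply with: sh build_allow.sh us.txt | sh

# Accept only a well-formed dotted-quad IPv4 CIDR such as 192.0.2.0/24.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$plen" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    for o in $addr; do
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Emit one ACCEPT rule per range in file $1; blank lines and '#' comments are skipped,
# and a malformed entry aborts so a typo cannot silently widen or narrow the allowlist.
emit_accepts() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(echo "${line%%#*}" | tr -d ' \t')
        [ -z "$line" ] && continue
        is_cidr "$line" || { echo "bad CIDR in $1: $line" >&2; return 1; }
        echo "iptables -A INPUT -s $line -j ACCEPT"
    done < "$1"
}

# $1 = allowlist file; optional $2 = small file of high-traffic ranges placed before
# the big list so frequent sources do not walk every rule (Solution 1's tip).
gen_allow_rules() {
    # Loopback and replies to our own connections are matched first, so they stay cheap.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ -n "${2:-}" ]; then emit_accepts "$2" || return 1; fi
    emit_accepts "$1" || return 1
    # Flip the default to DROP last, once the accepts exist, so nothing is cut off mid-load.
    echo "iptables -P INPUT DROP"
}

# Constructed sample list (documentation ranges, not real US allocations) for a dry run.
write_sample_list() {
    printf '%s\n' '# constructed example' '192.0.2.0/24' \
        '198.51.100.0/24   # trailing comment' '203.0.113.0/24' > "$1"
}

if [ $# -ge 1 ]; then gen_allow_rules "$@"; fi
```

Keep the generated ACCEPT rules ahead of any other INPUT rules that should not apply to foreign sources, and remember that country lists go stale (Solution 3's point), so regenerate from a fresh download on a schedule.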

Solution 2:

You should look into xtables-addons, a project that writes kernel modules for the netfilter (firewall) code that enhance/expand upon its capabilities.

One such module is xt_geoip, which can match country codes against a binary database downloaded from various sources, particularly MaxMind's GeoIPCountry database (free).

Benefits? Much, much simpler firewall rules and, depending on your setup, considerably better performance. Cost? It takes some patience and troubleshooting skills to get it working.

Once you have this module built and loaded, and the binary database stored in /usr/share/xt_geoip, you can write a single rule to accomplish your task, such as

iptables -I INPUT 1 -m geoip ! --src-cc US -j DROP

Any traffic not from the source country code of the US will be dropped (you get the idea).

This page gives an overview of the process:

https://www.howtoforge.com/xtables-addons-on-centos-6-and-iptables-geoip-filtering

Caveat emptor: I've found the process to be very particular about kernel versions - for me, getting this working on CentOS 6 required finding and running an older (1.37) version of the module and disabling a number of features in the mconfig file before ./configure; make as they were not supported in my older distro.

Also, MaxMind (the GeoIP data vendor) has changed their files and layout around, so the scripts (even the latest version) don't work. I got things working by leveraging a public docker image containing an updated version of the data conversion script:

https://hub.docker.com/r/sander1/xtables_geoip

Note that before delving into all of this, you should check to see if xtables-addons and xt_geoip have been accepted into the kernel used by your distro. I expect that at some point, it will really be just a matter of maybe updating the data by running a script and then simply adding the rule described above.

Solution 3:

Although it might be easier to block all by default, this also means any newly assigned U.S. addresses would be blocked too unless you were diligent about keeping your tables up-to-date.