Ubuntu iptables: allow only 1 country
So I've been looking around on the net for a script that will drop all traffic to all ports except the http(80) and https(443) ports, and then only allow traffic on all other ports from country x (where in my case country x is the US).
I don't want to add in all IPs from every country; I just want to allow IPs from my country and then block almost all other traffic from the outside world. No one outside of my country should have access to SSH, FTP, SMTP, etc. other than myself. If this ever changes, I will add a special case for it when it comes up.
Side Note
I must note that I did find a question which contains a script to ban IPs by country using iptables, but that's a lot of extra inserting that I would have to do.
The script marked as the best answer will block all traffic from those IPs. I only want to block access to all ports except to 80 and 443.
Update
With the following rule,
iptables -A OUTPUT -m geoip --dst-cc CN -j DROP
would I be able to modify it and do something like
iptables -A OUTPUT -m geoip --dst-cc CN --dport 80 -j ACCEPT
iptables -A OUTPUT -m geoip --dst-cc CN --dport 443 -j ACCEPT
iptables -A OUTPUT -m geoip --dst-cc CN -j DROP
I would assume that this would allow IPs from China to access port 80 and port 443 and drop the rest. Would this assumption be correct? If not, why not?
Update 2
After some messing around I found that my version of Ubuntu doesn't like the --dport attribute. So instead of using that, those of us running Ubuntu 14+ (at least, I only have Ubuntu 14.04, 14.10, and 15.04 installed on some machines) will have to use -p PORT_NUMBER_OR_NAME.
So that would look like
iptables -A OUTPUT -m geoip --dst-cc CN -p 443 -j ACCEPT
or for incoming traffic,
iptables -A INPUT -m geoip --src-cc CN -p 443 -j ACCEPT
You will need to add the iptables support for geolocation. To do so, you'll have to follow these steps:
# apt-get install xtables-addons-common
# mkdir /usr/share/xt_geoip
# apt-get install libtext-csv-xs-perl unzip
# /usr/lib/xtables-addons/xt_geoip_dl
# /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
This will allow you to do things like:
iptables -A OUTPUT -m geoip --dst-cc CN -j DROP
That would block any outgoing traffic to China (CN). The complexity of the rules is up to you; basically you don't need a script, just write down the rules you want to apply and then use iptables-save so they are loaded each time you reboot.
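As an added example (not code from the question or the answer above), here is a small script that emits the INPUT rule set the question asks for: ports 80 and 443 open to everyone, every other port reachable only from one country, and the remainder logged and dropped. It assumes the xt_geoip match from xtables-addons is installed and its database built as in the answer; the country code defaults to US. Note that --dport is an option of the tcp/udp match, so it must be preceded by -p tcp; the rules are printed rather than executed so they can be reviewed before being applied.

```bash
#!/bin/sh
# Added example: generate an INPUT chain that exposes only the web ports to the
# whole Internet and everything else only to one country (geoip --src-cc).
# Assumes xt_geoip (xtables-addons) is installed with its database built.
# Rules are printed so an admin can inspect them; pipe to "sh" as root to apply.

geo_rules() {
  cc="${1:-US}"   # country code, defaults to the question's choice (US)
  printf '%s\n' \
    "iptables -F INPUT" \
    "iptables -A INPUT -i lo -j ACCEPT" \
    "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport 443 -j ACCEPT" \
    "iptables -A INPUT -m geoip --src-cc ${cc} -j ACCEPT" \
    "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"geo-drop: \"" \
    "iptables -A INPUT -j DROP" \
    "iptables -P INPUT DROP"
  # The policy is set last so an existing SSH session is never caught between
  # a DROP policy and the ESTABLISHED rule while the chain is being rebuilt.
}

# Number of -A rules produced; a caller can sanity-check this before applying.
geo_rule_count() {
  geo_rules "$1" | grep -c '^iptables -A '
}
```

Rule order matters: the port 80/443 accepts come before the geoip accept, so web traffic is never evaluated against the country database, and the rate-limited LOG line gives a detection signal for everything the final DROP discards.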