GeoIP based IP Block on Debian Buster

셋업 절차
# all of the following steps must be run as root
$ id
uid=0(root) gid=0(root) groups=0(root)
# install required modules
$ apt-get install xtables-addons-common libnet-cidr-lite-perl libtext-csv-xs-perl libgeoip2-perl -y

# load the kernel module
$ modprobe xt_geoip

# if the module fails to load, build xtables-addons against the running kernel's source (the rpi-source step applies to Raspberry Pi kernels; KERNELDIRS must point at that source tree)
$ apt-get install module-assistant git bc bison flex libssl-dev libncurses5-dev
$ git clone https://github.com/notro/rpi-source.git
$ cd rpi-source
$ python ./rpi-source
$ export KERNELDIRS=/root/linux
$ module-assistant --verbose --text-mode auto-install xtables-addons
$ modprobe x_tables
$ modprobe xt_geoip

# confirm
$ lsmod | grep geoip
xt_geoip 16384 5
x_tables 32768 5 xt_state,xt_geoip,ip_tables,nft_compat,xt_conntrack

# change to the geoip helper directory and download the GeoLite2 Country CSV data (newer GeoLite2 downloads may require a MaxMind account key, so the 2018 xt_geoip_dl script may need adjusting)
$ cd /usr/src/xtables-addons-3.2/geoip
$ ./xt_geoip_dl
$ ls -la
drwxr-xr-x 2 root root  4096 Jul 14 09:03 GeoLite2-Country-CSV_20190709
-rw-r--r-- 1 root root 17682 Sep 29  2018 Makefile
-rw-r--r-- 1 root root   112 Sep 29  2018 Makefile.am
-rw-r--r-- 1 root root 17169 Sep 29  2018 Makefile.in
-rwxr-xr-x 1 root root  6168 Sep 29  2018 xt_geoip_build
-rw-r--r-- 1 root root  1520 Sep 29  2018 xt_geoip_build.1
-rwxr-xr-x 1 root root   191 Sep 29  2018 xt_geoip_dl
-rw-r--r-- 1 root root   582 Sep 29  2018 xt_geoip_dl.1
-rwxr-xr-x 1 root root  2024 Sep 29  2018 xt_geoip_fetch

# build the binary xt_geoip database from the CSV and install it under /usr/share/xt_geoip
$ mkdir -p /usr/share/xt_geoip
$ cd GeoLite2-Country-CSV_20190709
$ ../xt_geoip_build -D /usr/share/xt_geoip

# add xt_geoip to a .conf file under /etc/modules-load.d so it is loaded automatically at boot (the directory itself cannot be appended to)
$ echo 'xt_geoip' >> /etc/modules-load.d/xt_geoip.conf

# once the geoip database is installed, add the following rules
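# Country codes (ISO 3166-1 alpha-2) whose source traffic is dropped.
# The list below is the one the original rules used; adjust it as needed.
blocked_countries=(CN HK RU DE IT)

# Add one DROP rule per country. The -C check skips rules that already
# exist, so re-running this snippet does not duplicate them.
# Note: -A appends to the end of INPUT, so any earlier ACCEPT rule in the
# chain (e.g. for established connections or a trusted network) still wins;
# use -I INPUT instead if the drop must take precedence.
# These rules cover IPv4 only; IPv6 traffic needs equivalent ip6tables rules.
for cc in "${blocked_countries[@]}"; do
  iptables -C INPUT -m geoip --src-cc "$cc" -j DROP 2>/dev/null \
    || iptables -A INPUT -m geoip --src-cc "$cc" -j DROP
done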
 
참조 사이트
  • https://linoxide.com/linux-how-to/block-ips-countries-geoip-addons/
  • https://malicious.link/post/2016/blocking-countries-via-iptables/