Geo-Filtering IP Addresses by Country Code

Greetings community. A question:

In OpenWRT, is there an effective means of implementing firewall rules to provide IP endpoint geo-filtering? In other words, block access from or to IP ranges that match specific IANA defined country codes?

For example, a Firewall rule might read:

config rule
        option src wan
        option dest lan
        option proto udp
        option ip_doom /hotlists/Badlands
        option target REJECT

Badlands is the filter file containing the IANA defined country codes. The local Firewall maps country codes in the filter list to IP address ranges in a downloaded IP-to-country file or, directly reading a Geolocation service.

Any thoughts?

1 Like

You can utilize the geoip iptables feature (iptables-mod-geoip). Below is what I utilize on my Sophos UTM.

iptables  -N  GEOIP_OUT
iptables  -N  GEOIP_REJ

iptables  -A  GEOIP_OUT   -d 192.168.1.0/24   -m  geoip   --source-country  AI,AG,AW,BS,BB,BZ,BM,CA,KY,CR,GL,GD,GP,MQ,MX        -j RETURN
iptables  -A  GEOIP_OUT   -d 192.168.1.0/24   -m  geoip   --source-country  MS,NI,PA,PR,BL,KN,LC,MF,PM,VC,TT,TC,US,VG,VI        -j RETURN
iptables  -A  GEOIP_OUT   -d 192.168.1.0/24   -m  geoip   --source-country  AX,AL,AD,AT,BY,BE,BG,DK,EE,FO,FI,FR,DE,GI,GB        -j RETURN
iptables  -A  GEOIP_OUT   -d 192.168.1.0/24   -m  geoip   --source-country  GR,GG,VA,HU,IS,IE,IM,IT,JE,LV,LI,LT,LU,MK,MT        -j RETURN
iptables  -A  GEOIP_OUT   -d 192.168.1.0/24   -m  geoip   --source-country  MC,ME,NL,NO,PL,PT,SM,ES,SJ,SE,CH                    -j RETURN
iptables  -A  GEOIP_OUT   -d 192.168.1.0/24   -m  geoip   --source-country  AS,AU,CK,FJ,GU,KI,MH,FM,NR,NC,NZ,NU,NF,MP,PW        -j RETURN
iptables  -A  GEOIP_OUT   -d 192.168.1.0/24   -m  geoip   --source-country  PG,PN,PF,WS,SB,TK,TO,TV,UM,VU,WF                    -j RETURN
iptables  -A  GEOIP_OUT   -d 192.168.1.0/24   -m  geoip   --source-country  AQ,BV,TF,HM,GS                                      -j RETURN

iptables  -A  GEOIP_OUT                                                                                       -c  0     0       -j RETURN
iptables  -A  GEOIP_OUT   -p  tcp             -m  tcp     --sport 1024:65535                --dport   53      -c  0     0       -j RETURN
iptables  -A  GEOIP_OUT   -p  udp             -m  udp     --sport 1024:65535                --dport   53      -c  297   23962   -j RETURN
iptables  -A  GEOIP_OUT   -p  tcp             -m  tcp     --sport 1:65535     -m  multiport --dports  80,443  -c  22    1264    -j RETURN

iptables  -A  GEOIP_REJ                       -m  limit   --limit 1/sec       -m  logmark   --logmark 60019   -c  0     0       -j NFLOG    --nflog-prefix  "GEOIP_DROP: "
iptables  -A  GEOIP_REJ   -p  tcp                                                                             -c  0     0       -j REJECT   --reject-with   tcp-reset
iptables  -A  GEOIP_REJ                                                                                       -c  0     0       -j REJECT   --reject-with   icmp-port-unreachable

1 Like

Thanks all.

@vgaetera thank you for pointing me in the direction of the banIP project. I'll have an in-depth look at this soon.

@JW0914 also thanks for pointing me in the direction of iptables-mod-geoip. Any man page for iptables-mod-geoip? I assume Sophos runs the IP2Country mapping service as part of their subscription?

On the subject of data sources, a few years ago I built in C# an IP to Country database using location codes farmed from an online source similar to that provided by ip2location.com. The numeric IP address-range to ISO country code table was optimised to minimise the processing lag.

FYI, I note ip2location provides free IPv4 and IPv6 range-to-country datasets:
ip2location.com LITE-DB downloads

banIP is using RIPE data sources (JSON format) for IPv4 & IPv6, e.g. for Germany ...
https://stat.ripe.net/data/country-resource-list/data.json?resource=DE

1 Like
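The range table described in the two posts above (RIPE or ip2location country data reduced to a sorted IP-range-to-country-code table with a fast lookup), as an added example; it is not code from the thread, from banIP or from Sophos. The RIPE JSON below is a constructed sample in the shape of the country-resource-list endpoint, and it assumes the "ipv4" list carries either CIDR prefixes or "first-last" ranges.

```python
import bisect
import ipaddress
import json

# Constructed sample in the shape of RIPE stat's country-resource-list output
# (https://stat.ripe.net/data/country-resource-list/data.json?resource=CC),
# trimmed to the "ipv4" field; real responses are far larger.
SAMPLE_RIPE = {
    "DE": '{"data": {"resources": {"ipv4": ["5.9.0.0/16", "78.46.0.0-78.47.255.255"]}}}',
    "US": '{"data": {"resources": {"ipv4": ["8.8.8.0/24", "64.233.160.0/19"]}}}',
}


def parse_entry(entry):
    """Return (first, last) as integers for a CIDR prefix or a 'first-last' range."""
    if "-" in entry:
        lo, hi = entry.split("-", 1)
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    net = ipaddress.IPv4Network(entry, strict=False)
    return int(net[0]), int(net[-1])


class CountryTable:
    """Sorted, non-overlapping IPv4 range -> ISO country code table."""

    def __init__(self, sources):
        rows = []
        for cc, text in sources.items():
            for entry in json.loads(text)["data"]["resources"]["ipv4"]:
                rows.append(parse_entry(entry) + (cc,))
        rows.sort()
        # Overlapping ranges would silently mis-attribute addresses; refuse them.
        for (_, prev_last, _), (first, _, _) in zip(rows, rows[1:]):
            if first <= prev_last:
                raise ValueError("overlapping ranges in source data")
        self.rows = rows
        self.starts = [r[0] for r in rows]  # parallel list of range starts for bisect

    def lookup(self, ip):
        """Binary search; returns the country code, or None for an unlisted address."""
        addr = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, addr) - 1
        if i >= 0 and addr <= self.rows[i][1]:
            return self.rows[i][2]
        return None

    def cidrs(self, countries):
        """CIDR blocks for the given countries, e.g. to load into an ipset or nft set."""
        out = []
        for first, last, cc in self.rows:
            if cc in countries:
                lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
                out.extend(str(n) for n in ipaddress.summarize_address_range(lo, hi))
        return out
```

The cidrs() output is what a "Badlands"-style country list would expand to before being handed to the firewall as a set.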
