Since iptables is deprecated in favour of nftables and most Linux distributions now ship nftables, I have added an nftables format to my country IP lists. These lists can be used to block a given country, or to allow a service only from selected countries, using nftables.
Let's see an example of how to easily allow SSH only from SK and CZ:
First, download the SK and CZ IP ranges in nftables format into /etc/nftables/:
```sh
mkdir -p /etc/nftables
wget -q https://www.iwik.org/ipcountry/nft/SK -O /etc/nftables/SK.nft
wget -q https://www.iwik.org/ipcountry/nft/CZ -O /etc/nftables/CZ.nft
```
These files look like this:
```nft
add table inet GEOIP
add set inet GEOIP SK { type ipv4_addr; flags interval; }
add element inet GEOIP SK { 2.57.64.0/22 }
add element inet GEOIP SK { 5.22.154.0/24 }
...
```
Each file creates a set named after the country code inside a table named GEOIP (the table is created if it does not exist yet). The set is of type ipv4_addr with the interval flag, so every element is a CIDR prefix and a lookup matches any address inside it. Note that the sets contain IPv4 prefixes only; an IPv6 client can never match them.
Now we can use them in /etc/nftables.conf:
```nft
#!/usr/sbin/nft -f
flush ruleset
# include our downloaded rules
include "/etc/nftables/*.nft"
table inet GEOIP {
    chain input {
        # default policy is accept: only what is dropped below is blocked
        type filter hook input priority 0;
        ct state established,related accept
        iifname lo accept
        icmp type echo-request accept
        # allow ssh for SK and CZ
        tcp dport 22 ip saddr @SK accept
        tcp dport 22 ip saddr @CZ accept
        # drop the rest to port 22
        tcp dport 22 drop
    }
}
```
Because `flush ruleset` comes first, the downloaded files are included into a fresh ruleset, and the chain is then added to the same `inet GEOIP` table the includes created. The chain policy is the default accept, so the final `tcp dport 22 drop` is what actually blocks SSH from everywhere else, while all other ports stay open. Since the sets are ipv4_addr, SSH over IPv6 falls through to that drop rule as well.
Run `nft -c -f /etc/nftables.conf` first to check the syntax without loading anything, then apply with:
```sh
nft -f /etc/nftables.conf
```
The `ct state established,related accept` rule keeps your current SSH session alive even if your own address is not in the sets, but the next connection will be dropped, so verify before you log out.
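Before applying a ruleset that drops SSH from everywhere else, it is worth confirming that the address you administer from is actually inside one of the downloaded sets. The following Python script is an added example, not code from this post or from the iwik.org lists: it parses the `add element` lines of the downloaded files, rejects any malformed prefix (a truncated download or an HTML error page would otherwise be included silently), emulates the accept/drop decision of the chain above for a given source address, and renders the nftables.conf for an arbitrary list of country codes and a port, generalizing the two-country SSH case. The sample file contents, the CZ prefixes (RFC 5737 documentation ranges) and the function names are assumptions made for the example.

```python
"""Pre-flight check for a country-based nftables allow list.

Added example; not code from the original post or from iwik.org. It reads
files in the `add element inet GEOIP <CC> { prefix }` format shown above,
validates every prefix, and decides whether a source address would be
accepted on the SSH port, so the rules can be checked before they are loaded.
"""
import ipaddress
import re
import sys

# Constructed sample files in the same format as the downloaded lists. The SK
# prefixes are the two shown in the post; the CZ ones are RFC 5737
# documentation ranges, used here only as placeholders.
SAMPLE_SK = """add table inet GEOIP
add set inet GEOIP SK { type ipv4_addr; flags interval; }
add element inet GEOIP SK { 2.57.64.0/22 }
add element inet GEOIP SK { 5.22.154.0/24 }
"""
SAMPLE_CZ = """add table inet GEOIP
add set inet GEOIP CZ { type ipv4_addr; flags interval; }
add element inet GEOIP CZ { 192.0.2.0/24, 198.51.100.0/24 }
"""

ELEMENT_RE = re.compile(r"^add element inet GEOIP (?P<cc>[A-Z]{2}) \{ (?P<elems>[^}]+) \}$")


def parse_country_set(text):
    """Return (country_code, [IPv4Network, ...]) from one downloaded file.

    Any line that is not a table/set declaration or a well-formed element line
    raises ValueError, so a truncated or non-nft download (an HTML error page,
    for instance) is rejected instead of being included into the ruleset.
    """
    code, nets = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("add table ") or line.startswith("add set "):
            continue
        m = ELEMENT_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an nft element line: {line!r}")
        if code is None:
            code = m.group("cc")
        elif code != m.group("cc"):
            raise ValueError(f"line {lineno}: mixed country codes {code} and {m.group('cc')}")
        for elem in m.group("elems").split(","):
            # strict=True rejects prefixes with host bits set (e.g. 10.0.0.1/8).
            nets.append(ipaddress.IPv4Network(elem.strip(), strict=True))
    if code is None:
        raise ValueError("no 'add element' lines found")
    return code, nets


def load_geoip(*file_contents):
    """Map country code -> list of networks, one entry per file's text."""
    return dict(parse_country_set(text) for text in file_contents)


def ssh_allowed(geoip, allowed_countries, src_addr):
    """Emulate the chain above: accept if src_addr is in any allowed set, else drop."""
    addr = ipaddress.ip_address(src_addr)
    if addr.version != 4:
        # The sets are type ipv4_addr, so an IPv6 client never matches and
        # falls through to the final 'tcp dport 22 drop'.
        return False
    return any(addr in net for cc in allowed_countries for net in geoip.get(cc, []))


def render_ruleset(allowed_countries, port=22):
    """Render the nftables.conf from the post for any list of countries and a port."""
    accepts = "\n".join(
        f"        tcp dport {port} ip saddr @{cc} accept" for cc in allowed_countries
    )
    return (
        "#!/usr/sbin/nft -f\n"
        "flush ruleset\n"
        'include "/etc/nftables/*.nft"\n'
        "table inet GEOIP {\n"
        "    chain input {\n"
        "        type filter hook input priority 0;\n"
        "        ct state established,related accept\n"
        "        iifname lo accept\n"
        "        icmp type echo-request accept\n"
        f"{accepts}\n"
        f"        tcp dport {port} drop\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Usage: python3 geoip_check.py /etc/nftables/SK.nft /etc/nftables/CZ.nft 203.0.113.5
    *paths, src = sys.argv[1:]
    geoip = load_geoip(*(open(p, encoding="ascii").read() for p in paths))
    verdict = "accept" if ssh_allowed(geoip, list(geoip), src) else "DROP"
    print(f"{src} -> {verdict} for ssh from {', '.join(geoip)}")
```

Point it at the real downloaded files and your management address; if it prints DROP, fix the lists or add an explicit accept for that address before running `nft -f`. The parser's strict checks are the important part: nft itself would happily load a partial file and leave you with a half-populated country set.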
Simple, isn’t it?
Interested in where these ranges come from and how often they are updated? See more here.