
3. Examples

If you want to block all Anonymous Proxies and Satellite Providers, you can enter something like this. (I assume that your Linux box acts as a router; otherwise use `-A INPUT' instead.)

   #> iptables -A FORWARD -m geoip --src-cc A1,A2 -j DROP
   

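If you only plan to accept connections from your country, drop everything else first. With a DROP policy these two rules accept nothing by themselves; the ACCEPT rules you append after them will only ever see traffic from CA.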

   #> iptables -P INPUT DROP
   #> iptables -A INPUT -m geoip ! --src-cc CA -j DROP
   

Some people like to know which countries are hitting obscure or well-known security-risk ports.

Create a dedicated custom chain for accounting:

   #> iptables -N SSH_GEOIP
   

Feed that chain with your targeted countries (the ones below are examples only):

   #> iptables -A SSH_GEOIP -m geoip --src-cc CA   
   #> iptables -A SSH_GEOIP -m geoip --src-cc DE
   #> iptables -A SSH_GEOIP -m geoip --src-cc US
   #> iptables -A SSH_GEOIP -m geoip --src-cc JP
   #> iptables -A SSH_GEOIP -m geoip --src-cc FR
   

The sixth rule will match all other countries

   #> iptables -A SSH_GEOIP -m geoip ! --src-cc CA,DE,US,JP,FR
   

Then call the chain for a specific situation

   #> iptables -A INPUT -p tcp --dport 22 -j SSH_GEOIP
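
The rules in SSH_GEOIP have no target, so they only update packet and byte counters. As an added example (not part of the original HOWTO), the script below sums those counters per country from `iptables-save -c` output. The sample text and its counter values are constructed, and accepting both `--src-cc` and `--source-country` is an assumption about how your geoip build prints the option back.

```shell
#!/bin/sh
# Added example: per-country totals for an accounting chain such as SSH_GEOIP.
# On a live router:  iptables-save -c | geoip_counts SSH_GEOIP

# Constructed sample of `iptables-save -c` output (counter values are made up).
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:SSH_GEOIP - [0:0]
[431:25860] -A INPUT -p tcp -m tcp --dport 22 -j SSH_GEOIP
[12:720] -A SSH_GEOIP -m geoip --source-country CA
[7:420] -A SSH_GEOIP -m geoip --source-country DE
[95:5700] -A SSH_GEOIP -m geoip --source-country US
[3:180] -A SSH_GEOIP -m geoip --source-country JP
[0:0] -A SSH_GEOIP -m geoip --source-country FR
[314:18840] -A SSH_GEOIP -m geoip ! --source-country CA,DE,US,JP,FR
COMMIT'

# geoip_counts CHAIN: reads iptables-save -c text on stdin and prints
# "<country> <packets> <bytes>" per rule of CHAIN, in rule order.
# The negated catch-all rule is reported under the label "other".
geoip_counts() {
    awk -v chain="$1" '
    $2 == "-A" && $3 == chain {
        # $1 looks like "[pkts:bytes]"; strip the brackets and split on ":"
        split(substr($1, 2, length($1) - 2), c, ":")
        for (i = 4; i < NF; i++) {
            # Option spelling is an assumption: accept both forms
            if ($i == "--src-cc" || $i == "--source-country") {
                label = ($(i - 1) == "!") ? "other" : $(i + 1)
                if (!(label in seen)) { seen[label] = 1; order[++n] = label }
                pkts[label] += c[1]
                bytes[label] += c[2]
                break
            }
        }
    }
    END {
        for (k = 1; k <= n; k++)
            printf "%s %d %d\n", order[k], pkts[order[k]], bytes[order[k]]
    }'
}

# Stand-alone run on the constructed sample
printf '%s\n' "$SAMPLE" | geoip_counts SSH_GEOIP
```

A large "other" total is the cue to add dedicated rules for more countries, since the catch-all hides which ones are responsible.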
   

