There are a few minor steps to go through before using this match.
In order to efficiently filter on a country basis, we obviously need a subnet-to-country database. Fortunately, there's a free one available at http://www.maxmind.com.
However, this database is big and unsorted. Loading it into memory as-is would use far more resources than we really need, and seeking through an unsorted database takes ages. This is why you need a tool called 'csv2bin' to strip, sort and compile your database.
csv2bin is available at http://people.netfilter.org/peejix/geoip/tools/
An alternative to creating your own up-to-date database is downloading a prebuilt but possibly outdated database from http://people.netfilter.org/peejix/geoip/database/.
You'll now have to copy `geoipdb.bin' and its index file `geoipdb.idx' into /var/geoip/. The reason we do this is that iptables's geoip shared library reads both files from that fixed path. If you ever need to change that path, take a look at extensions/libipt_geoip.c and adapt it to your needs.
Just like other "official" patches, geoip is part of patch-o-matic-ng. As a new match, we've put it into Testing state and Extra repository, so start 'runme' accordingly.
#> tar xfz patch-o-matic-ng-XXXXXX.tar.gz
#> cd patch-o-matic-ng
#> IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip
Do not forget to:
o recompile iptables;
o enable geoip into your kernel config;
o recompile your kernel or compile geoip as a module;
o boot the new kernel or modprobe ipt_geoip.
NOTE: If you had to change the database path in libipt_geoip.c, you MUST do it before compiling.
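As an added example (not part of the geoip patch or of patch-o-matic-ng), a small POSIX shell check that verifies the database files are in place before you rely on the match, and, if you point it at your copy of libipt_geoip.c, that the path compiled into it still matches the directory you use; the function name and the location of libipt_geoip.c are assumptions.

```shell
#!/bin/sh
# Added example, not code from the geoip patch: sanity-check the geoip
# database directory. The match reads geoipdb.bin and geoipdb.idx from
# one fixed directory (/var/geoip unless libipt_geoip.c was edited).

# geoip_db_check [DIR] [SOURCE_FILE]
#   DIR          directory holding geoipdb.bin and geoipdb.idx
#                (default /var/geoip)
#   SOURCE_FILE  optional path to extensions/libipt_geoip.c; when given
#                and present, it must still reference DIR, otherwise the
#                library was (or will be) built with a different path.
# Returns 0 when everything is consistent, 1 otherwise, with the reason
# on stderr.
geoip_db_check() {
    dir="${1:-/var/geoip}"
    src="$2"
    for f in geoipdb.bin geoipdb.idx; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            return 1
        fi
        if [ ! -s "$dir/$f" ]; then
            # csv2bin output is never empty; an empty file means a
            # broken copy or an aborted conversion.
            echo "empty file: $dir/$f" >&2
            return 1
        fi
    done
    if [ -n "$src" ] && [ -f "$src" ]; then
        # Fixed-string match so a directory name is not read as a regex.
        if ! grep -qF -- "$dir" "$src"; then
            echo "$src does not reference $dir; edit it and rebuild" >&2
            return 1
        fi
    fi
    return 0
}
```

Run it as `geoip_db_check /var/geoip /usr/src/iptables/extensions/libipt_geoip.c` after copying the files and before compiling; a non-zero exit tells you which step was skipped.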