Master DevOps: Enable iptables GeoIP module(xtables-addon) to block by country on CentOS

Warning: Unfortunately, because this is an old version of xtables-addons, it only builds against kernel-devel, not kernel-ml-devel. And on CentOS you cannot install xtables-addons 3.x, which requires iptables 1.6. So, as of now, the latest kernel version it supports is 3.10.0-957.12.2.el7.x86_64. No BBR, sorry 🙁

Start by checking the kernel: uname -r

If what you see is not something like 3.10.0-957, then first list the installed kernels with awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg. If 3.10.0-957.12.2 is on the list, congrats. If not, run yum update kernel first. YOU NEED 3.10.0-957.12.2, not 4.x, nor 5.x. Remember! So yum without any fancy repo enabled is good enough.

Next, install the required packages:
yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` wget iptables-devel perl-Text-CSV_XS

Download and compile xtables-addons (the sed line comments xt_TARPIT out of the Kbuild so that extension is skipped during the build):
tar -xvf xtables-addons-2.14.tar.xz
cd xtables-addons-2.14
sed -i '/xt_TARPIT.o$/s/^/#/' extensions/Kbuild
make && make install

Then the key step, the one I could not find in any other tutorial (the previous solution is outdated and could not be used):
mkdir -p /usr/share/xt_geoip
wget -q -O - | tar -xvzf - -C /usr/share/xt_geoip

Now the setup is finished! Let me show you how to use it. The syntax is:
iptables -m geoip --src-cc country[,country...] --dst-cc country[,country...]

Countries are given as two-letter ISO 3166 codes. For example:
Blocking all incoming traffic from China and India: iptables -I INPUT -m geoip --src-cc CN,IN -j DROP
Blocking all incoming traffic from every country except the US: iptables -I INPUT -m geoip ! --src-cc US -j DROP
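As an added example (not code from the original post), a small POSIX sh helper that checks the kernel series, validates the country list, verifies that each listed country has a database file, and prints the two rules above for review before they are applied. It assumes the xtables-addons 2.x database layout /usr/share/xt_geoip/LE/CC.iv4 and that iptables is on PATH.

```shell
#!/bin/sh
# Added helper for the xt_geoip setup described above; not code from the post.
# Assumptions: xtables-addons 2.x stores its database as
# /usr/share/xt_geoip/LE/<CC>.iv4 (little-endian IPv4 ranges); iptables is on PATH.
# True if the kernel release string is in the 3.10.0-957 series the post requires.
kernel_supported() {
    case "$1" in
        3.10.0-957.*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if $1 is a comma-separated list of ISO 3166-1 alpha-2 codes, e.g. "CN,IN".
valid_cc_list() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# Print the codes in list $1 that have no database file under $2 (default
# /usr/share/xt_geoip); returns 1 if any are missing. A missing file is the
# first thing to check when iptables refuses to load a geoip rule.
missing_db() {
    dir=${2:-/usr/share/xt_geoip}; missing=""
    for cc in $(printf '%s' "$1" | tr ',' ' '); do
        [ -f "$dir/LE/$cc.iv4" ] || missing="$missing $cc"
    done
    [ -z "$missing" ] && return 0
    echo "${missing# }"
    return 1
}

# Print the rule(s) for review rather than applying them (pipe to sh to apply).
# "allow" (drop every country except the list) first accepts loopback and
# existing connections: the inverted match also drops addresses with no country
# entry, such as 127.0.0.1 and RFC 1918 ranges, so those must be accepted first.
geoip_rules() {
    valid_cc_list "$2" || { echo "bad country list: $2" >&2; return 2; }
    case "$1" in
        block) echo "iptables -I INPUT -m geoip --src-cc $2 -j DROP" ;;
        allow) echo "iptables -I INPUT 1 -i lo -j ACCEPT"
               echo "iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
               echo "iptables -I INPUT 3 -m geoip ! --src-cc $2 -j DROP" ;;
        *) echo "usage: geoip_rules block|allow CC[,CC...]" >&2; return 2 ;;
    esac
}

# Stand-alone use: warn on an unsupported kernel, then print the post's two examples.
kernel_supported "$(uname -r)" || echo "warning: $(uname -r) is not a 3.10.0-957 kernel" >&2
geoip_rules block CN,IN
geoip_rules allow US
```

Pipe the printed rules to sh only after confirming that an allow-list includes the country you administer the host from.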


  1. Thanks for the manual (especially the xt_TARPIT disabling hint was very useful); on CentOS 7 with kernel 3.10.0-1160.6.1 it works perfectly.