making iptables more useful

I don’t remember where I got it, but there’s a script called xt_geoip_dl that facilitates downloading IP Geolocation data for use with iptables. I didn’t like some of the things the script did, so I made some modifications, namely to make it more friendly to cron updates.

To set up iptables for Debian Jessie you need to install the following:
apt-get install linux-headers-`uname -r` libtext-csv-xs-perl xtables-addons-common iptables-dev

This should create a /usr/lib/xtables-addons/xt_geoip_dl – back up that file and then replace it with my version:
--snip--

#!/bin/sh

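# Remove the previous download so wget does not save numbered duplicates
rm -f /root/geo/Geo*
wget -P /root/geo \
http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz \
http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip;
gzip -d /root/geo/GeoIPv6.csv.gz;
# Extract into /root/geo rather than the current directory, which under cron
# is not /root/geo; -o overwrites without prompting
unzip -o /root/geo/GeoIPCountryCSV.zip -d /root/geo;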

--snip--

After that, all that’s left is to add two lines to your crontab to make sure you always have the up-to-date IP list:

@monthly /usr/lib/xtables-addons/xt_geoip_dl
@monthly /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip /root/geo/*.csv

Then you can issue iptables commands like

iptables -A INPUT -p tcp -m geoip --src-cc XX -j DROP

where ‘XX’ is a country code you want to drop traffic from.
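
Because the download script deletes the old files before fetching and cron runs it unattended, a failed or truncated download can leave xt_geoip_build with nothing usable. The following is an added example, not part of the original script: it checks a new CSV before it replaces the last good copy. The function names are hypothetical and the six-quoted-column row layout is an assumption about the downloaded country CSV.

```sh
#!/bin/sh
# Added example (not from the original post): validate a freshly downloaded
# country CSV before it replaces the copy that xt_geoip_build reads.
# Assumed row layout:
#   "start_ip","end_ip","start_num","end_num","CC","Country name"

# csv_check FILE MIN_ROWS: succeed only if FILE has at least MIN_ROWS rows
# and every row has numeric range bounds and a two-character country code.
csv_check() {
    [ -s "$1" ] || return 1
    awk -F'"' -v min="$2" '
        # Splitting on the quote puts the six values in fields 2,4,...,12.
        NF < 12 || $6 !~ /^[0-9]+$/ || $8 !~ /^[0-9]+$/ ||
            $10 !~ /^[A-Z][A-Z0-9]$/ { bad++ }
        END { exit !(NR >= min + 0 && bad + 0 == 0) }
    ' "$1"
}

# install_if_valid NEW LIVE MIN_ROWS: move NEW over LIVE only when NEW passes,
# so a truncated download or an HTML error page never replaces good data.
install_if_valid() {
    if csv_check "$1" "$3"; then
        mv -f "$1" "$2"
    else
        echo "rejected $1, keeping $2" >&2
        return 1
    fi
}

# Constructed sample rows (documentation address ranges, made-up country codes).
write_sample() {
    cat > "$1" <<'EOF'
"192.0.2.0","192.0.2.255","3221225984","3221226239","AA","Sample A"
"198.51.100.0","198.51.100.255","3325256704","3325256959","BB","Sample B"
EOF
}
```

Chaining download, check and build in a single cron entry with && also keeps the build from starting before the download has finished.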