So I've been looking around on the net for a script that will drop all traffic to all ports except the http(80) and https(443) ports, and then only allow traffic on all other ports from country x (where in my case country x is the US).
I don't want to add in all IPs from every country, I just want to allow IPs from my country then block almost all other traffic from the outside world. No one outside of my country should have access to ssh, ftp, smtp, etc. other than myself. If this ever changes I will add a special case for it when it approaches.
Side Note
I must note that I did find a question which contains a script to ban IPs by country using iptables, but that's a lot of extra inserting that I would have to do.
The script marked as the best answer will block all traffic from those IPs. I only want to block access to all ports except to 80 and 443.
Update
With the following rule,
iptables -A OUTPUT -m geoip --dst-cc CN -j DROP
would I be able to modify it and do something like
iptables -A OUTPUT -m geoip --dst-cc CN --dport 80 -j ACCEPT
iptables -A OUTPUT -m geoip --dst-cc CN --dport 443 -j ACCEPT
iptables -A OUTPUT -m geoip --dst-cc CN -j DROP
I would assume that this would allow IPs from China to access port 80 and port 443 and it would drop the rest. Would this assumption be correct? If not, why not?
Update 2
After some messing around I found that my version of Ubuntu doesn't like the --dport attribute. So instead of using that, those of us running Ubuntu 14+ (at least, I only have Ubuntu 14.04, 14.10, and 15.04 installed on some machines) will have to use -p PORT_NUMBER_OR_NAME
So that would look like
iptables -A OUTPUT -m geoip --dst-cc CN -p 443 -j ACCEPT
or for incoming traffic,
iptables -A INPUT -m geoip --src-cc CN -p 443 -j ACCEPT
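The policy the question asks for (80 and 443 open to everyone, every other port reachable only from the home country, everything else dropped and logged) as one INPUT-chain ruleset. This is an added example, not a script from the thread; it assumes the xtables-addons geoip match is installed with a populated GeoIP database, and it uses `-p tcp --dport N` because the `--dport` match only exists once a protocol has been selected with `-p`. Run without arguments it only prints the rules; `apply` runs them with iptables.

```shell
#!/bin/sh
# Added example: country-restricted INPUT policy with the geoip match.
# IPTABLES and HOME_CC are assumed helper variables, not part of the thread.
IPTABLES="${IPTABLES:-iptables}"
HOME_CC="${HOME_CC:-US}"

# Rules that apply to every source, regardless of country.
public_rules() {
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
}

# Every other port (ssh, ftp, smtp, ...) is reachable only from HOME_CC.
# Requires xtables-addons (xt_geoip) and its country database.
home_only_rules() {
    $IPTABLES -A INPUT -m geoip --src-cc "$HOME_CC" -j ACCEPT
}

# Flush, add the accepts, log what is about to be dropped (rate limited so
# a scan cannot flood the log), then set the default policy last so an
# existing admin session is never dropped before its conntrack rule exists.
build_firewall() {
    $IPTABLES -F INPUT
    public_rules
    home_only_rules
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "GEOIP-DROP: "
    $IPTABLES -P INPUT DROP
}

# Dry run: print the rules instead of applying them.
print_rules() {
    ( IPTABLES=echo; build_firewall )
}

if [ "${1:-}" = "apply" ]; then
    build_firewall
else
    print_rules
fi
```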
Thank you! I do have another question, I updated my question above to reflect it. Would you happen to know the answer to it? – Austin Kregel – 2015-11-05T17:24:05.110
The rule would work but you have to change the direction of it, now it is OUTPUT and you'd need to set it to INPUT and not use --dst-cc but --src-cc instead. But if the question is if it should work in combination of any other existing iptables rule, the answer is yes. – nKn – 2015-11-05T17:29:11.093
The xt_geoip_dl command no longer works, it requires a zip that doesn't exist anymore – Martijn – 2019-04-19T13:28:57.693