Tired of the constant attacks on your network services from China and
like countries? Me too. Here is how you drop the hammer on an entire
country using Geo-IP blocks with iptables.

First, install the xtables-addons package, which provides a number of
extra iptables extension modules, among them geoip and tarpit, the two
we will use:

```
apt-get install xtables-addons-dkms linux-headers-amd64
```

Substitute your own CPU architecture for 'amd64'. Once the package is
installed (the install process compiles the modules for you via DKMS),
do the following to set up a Geo-IP database that iptables can
reference:

```
# Create the directory the xt_geoip match reads its database from
mkdir /usr/share/xt_geoip/
cd /usr/share/xt_geoip/
# Fetch the per-country IP range database and unpack the BE/ and LE/ trees
wget http://static.wipmania.com/static/worldip.iptables.tar.gz
tar xzvf worldip.iptables.tar.gz --strip-components=2
# The module expects .iv4 (IPv4) files; the archive ships them as .iv0
# (this is the Perl-style 'rename' that Debian installs by default)
find BE LE -type f | xargs rename 's/(..)\.iv0$/$1.iv4/'
```

Then you can delete or move worldip.iptables.tar.gz. (Newer
xtables-addons releases ship xt_geoip_dl and xt_geoip_build helper
scripts that download and build the database for your version of the
module; if your version has them, use those instead of the manual steps
above.)

Once that is done, using the geoip and tarpit extensions is easy. Here
is an example that blocks all TCP and UDP traffic from China and
Russia, using the TARPIT target for the TCP traffic and DROP for the
UDP traffic:

```
iptables -A INPUT -p tcp -m geoip --src-cc CN,RU -j TARPIT
iptables -A INPUT -p udp -m geoip --src-cc CN,RU -j DROP
```

I would put these rules at the top of my iptables firewall script or
ruleset spec. As a one-off manual rule addition from the shell, use
'-I' instead of '-A', to force the rules to be inserted at the top of
the INPUT chain.

Note that the tarpit extension can only be used with TCP (hence the
'-p tcp' above). Because TARPIT completes the handshake and then holds
the connection open, the xtables-addons documentation recommends
keeping tarpitted traffic out of connection tracking (a raw-table
NOTRACK/CT rule for the same match) so the held connections do not
fill the conntrack table. You can use 'iptables -L -nvx' to see how
many packets, and how many bytes in total, the rules have dropped or
tarpitted. On my own server, I have the rules separated by country, so
the byte and packet counters for each country are separate.
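As an added example (my own script, not the post's), here is a small
POSIX sh wrapper that puts the per-country rules in a dedicated chain,
one TARPIT rule and one DROP rule per country so the counters stay
separate, hooks the chain at the top of INPUT, and also takes the
tarpitted TCP out of connection tracking in the raw table. The chain
name GEOBLOCK, the IPT/CHAIN/GEOIP_DB variables and the raw-table rule
are my assumptions, not something the post specifies. Run it with
IPT=echo to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the post's own script. Builds a dedicated chain (the
# name is my choice) holding one TARPIT rule (TCP) and one DROP rule (UDP)
# per country, so 'iptables -L -nvx' shows separate counters per country.
# Assumes the xt_geoip module and the /usr/share/xt_geoip/ database from
# the post are installed. IPT=echo gives a dry run that prints the commands.

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-GEOBLOCK}"
GEOIP_DB="${GEOIP_DB:-/usr/share/xt_geoip}"

# Return 0 if the database directories the geoip match needs are present.
geoip_db_ready() {
    [ -d "$GEOIP_DB/LE" ] && [ -d "$GEOIP_DB/BE" ]
}

# Append one TCP TARPIT rule and one UDP DROP rule per ISO country code to
# the given chain. TARPIT is TCP-only, so UDP has to get DROP.
add_country_rules() {
    chain="$1"; shift
    for cc in "$@"; do
        $IPT -A "$chain" -p tcp -m geoip --src-cc "$cc" -j TARPIT
        $IPT -A "$chain" -p udp -m geoip --src-cc "$cc" -j DROP
    done
}

# Create (or flush) the chain, fill it, and hook it at position 1 of INPUT.
# Delete-then-insert keeps re-runs from stacking up duplicate jumps.
# The raw-table rules (an addition of mine) keep tarpitted TCP out of
# conntrack so held connections do not pile up in the conntrack table.
apply_geoblock() {
    if [ "$IPT" = iptables ] && ! geoip_db_ready; then   # skipped in dry runs
        echo "geoip database missing under $GEOIP_DB" >&2
        return 1
    fi
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    add_country_rules "$CHAIN" "$@"
    $IPT -D INPUT -j "$CHAIN" 2>/dev/null
    $IPT -I INPUT 1 -j "$CHAIN"
    for cc in "$@"; do
        $IPT -t raw -D PREROUTING -p tcp -m geoip --src-cc "$cc" -j CT --notrack 2>/dev/null
        $IPT -t raw -A PREROUTING -p tcp -m geoip --src-cc "$cc" -j CT --notrack
    done
}

# Usage: ./geoblock.sh apply CN RU IR   (or: IPT=echo ./geoblock.sh apply CN RU)
case "${1:-}" in
    apply) shift; apply_geoblock "$@" ;;
esac
```

Because each country gets its own pair of rules, 'iptables -L -nvx' lists a
separate packet and byte counter per country, as in the listing below.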

Also, you don't have to use the tarpit extension, but I like it as it
slows the source connections down, forcing them to time out rather
than being dropped or rejected immediately.

```
root@nix1:/var/log# iptables -L -nvx
    pkts      bytes target     prot opt in     out     source               destination
...
   44032  1806261 TARPIT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country CN  -j TARPIT --tarpit
    3992   163868 TARPIT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country RU  -j TARPIT --tarpit
   12243   517021 TARPIT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country IR  -j TARPIT --tarpit
     361   131089 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country CN,RU,IR
```
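To keep an eye on those counters without reading the raw listing, here
is an added example (mine, not the post's) that summarises the geoip
rules from 'iptables -L -nvx' as one line per rule with country codes,
target, packets and bytes, plus a packet total. The function names are
my own; the embedded sample is the counter listing from the post, copied
in so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the post: summarise the geoip rule counters of
# 'iptables -L -nvx' (read from stdin) as "<countries> <target> <pkts> <bytes>",
# one line per geoip rule, plus a packet total across all geoip rules.

# Print one line per rule that carries '-m geoip': country code(s), target,
# packet count, byte count. The header and non-geoip rules are skipped.
# Both the long (--source-country) and short (--src-cc) option spellings
# are recognised.
geoip_counters() {
    awk '
        /-m geoip/ {
            cc = ""
            for (i = 1; i <= NF; i++)
                if ($i == "--source-country" || $i == "--src-cc") cc = $(i + 1)
            if (cc != "") print cc, $3, $1, $2
        }'
}

# Sum the packet counts over all geoip rules on stdin.
geoip_total_pkts() {
    geoip_counters | awk '{ s += $3 } END { print s + 0 }'
}

# Constructed sample input: the counter listing shown in the post, verbatim.
sample_output() {
    cat <<'EOF'
    pkts      bytes target     prot opt in     out     source               destination
...
   44032  1806261 TARPIT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country CN  -j TARPIT --tarpit
    3992   163868 TARPIT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country RU  -j TARPIT --tarpit
   12243   517021 TARPIT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country IR  -j TARPIT --tarpit
     361   131089 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country CN,RU,IR
EOF
}

# Usage on a real host: iptables -L -nvx | sh geoip_counters.sh stdin
# Without the 'stdin' argument the embedded sample is summarised instead.
if [ "${1:-}" = stdin ]; then
    geoip_counters
else
    sample_output | geoip_counters
fi
```

Run against the sample, this prints 'CN TARPIT 44032 1806261' and the three
other rules; geoip_total_pkts on the same input gives 60628 packets held or
dropped in total.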

The constant stream of attacks from these countries is amazing. My own
server is used for personal email, so I have saslauth enabled, which is
the target for most of the attacks (I run sshd on a non-standard port;
this keeps away almost all attacks on it).

Before I enabled the Geo-IP blocks, I was using fail2ban, configured to
send an email with whois output every time an IP was blocked, and was
getting dozens of emails per day. Now I get just a few.