📌 27 March 2024

nftables: Country Geo-blocking

Computing · ISP · Linux


For those of us running servers with nftables it was great news to discover that pvxe/nftables-geoip can now generate IP lists for a chosen set of countries. This can be used, for instance, to drop all traffic from specific countries or, the opposite, to allow traffic only from your own country.

Blocking or allowing traffic from a specific country has always been possible, but it required loading the entire GeoIP database into nftables, a very large set of maps that causes high RAM usage once the kernel holds it. The new feature lets you name the countries you care about, which shrinks the output files considerably. Here is how to use it, as described by the project:

Add an optional parameter to specify a list of countries from the
location file (usually location.csv). The corresponding ipv4 and ipv6
subsets are written to additional files with "-interesting" suffix.

For example, to generate a subset of geoip sets only matching Spain,
France and Portugal addresses:

	$ ./nft_geoip.py -c es,fr,pt [...]
	[...]
	Found countries:  {'france': 'fr', 'portugal': 'pt', 'spain': 'es'}
	Writing interesting countries file...
	Done!

	$ ls -lah *-interesting.nft
	-rw-r--r-- ... geoip-ipv4-interesting.nft
	-rw-r--r-- ... geoip-ipv6-interesting.nft

The whole-set geoip files are still generated.

You can then use the generated files in nftables as described in the following articles:

Tip: change the include lines to whatever you have generated with pvxe/nftables-geoip (the -interesting files instead of the full ones).

Note that configuring a firewall with GeoIP blocks is not a cure-all. It is just one extra layer of protection you can add to some services, such as a management-only VPN, and a motivated attacker can still reach you from an address inside the allowed country. Other measures such as Fail2ban should be employed as well for proper security.
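To make the two use cases above concrete (allow a management VPN only from your own country, and drop one country from a public service), here is an added example of a complete nftables ruleset that includes the -interesting files. It is not taken from the original post or from the pvxe/nftables-geoip project: the install path /etc/nftables, the WireGuard port 51820, the map names @geoip4/@geoip6 and the country defines such as $ES and $FR are assumptions, so check the names in your generated geoip-def-all.nft and geoip-*-interesting.nft files before loading it.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original article or the pvxe/nftables-geoip project).
# Assumes the files were generated with: ./nft_geoip.py -c es,fr,pt
# and copied to /etc/nftables/. Map and define names are assumed; verify them.
flush ruleset

table inet filter {
    # Country defines (e.g. $ES, $FR, $PT) and the reduced IPv4/IPv6 maps.
    include "/etc/nftables/geoip-def-all.nft"
    include "/etc/nftables/geoip-ipv4-interesting.nft"
    include "/etc/nftables/geoip-ipv6-interesting.nft"

    # Runs before the filter chain: tag each packet with its country code.
    # Addresses that are not in the reduced maps simply keep mark 0.
    chain geoip-mark-input {
        type filter hook input priority -1; policy accept;
        meta mark set ip saddr map @geoip4
        meta mark set ip6 saddr map @geoip6
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Management-only VPN: accept WireGuard handshakes only from the
        # home country. Unlisted countries are unmarked and fall to the drop policy.
        udp dport 51820 meta mark $ES counter accept

        # Public web service: drop one listed country, let the rest through.
        tcp dport { 80, 443 } meta mark $FR counter drop
        tcp dport { 80, 443 } counter accept

        # SSH stays reachable only via the VPN interface (name assumed).
        iifname "wg0" tcp dport 22 accept
    }
}
```

Validate the syntax without touching the running ruleset using `nft -c -f /etc/nftables/geoip-filter.nft`, then load it with `nft -f`. Keep in mind the limitation the reduced files introduce: only the countries passed to -c are present in the maps, so a "drop country X" rule can only target a country you listed, whereas the allow-list style used for the VPN port works naturally because everything unlisted is unmarked and dropped by the chain policy.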