Iptables GeoIP for NethServer 7

Brief instructions to add GeoIP support to iptables in NethServer 7.
Thanks to Luigi Iotti for the packages (http://www.iotti.biz/) and to openSUSE for the db.

yum install http://repo.iotti.biz/CentOS/7/noarch/lux-release-7-1.noarch.rpm
yum install xtables-addons
yum install
eorepo base updates extras epel nethserver-base nethserver-updates

To create firewall rules using countries, follow the howto for 6:


hmm, maybe also here it is right:

I am on 7.2 RC1 and tried to install the GeoIP support. It finished with an error:

ERROR: A country-code require GeoIP Match in your kernel and iptables /etc/shorewall/rules (line 89)
And the shorewall stopped.

Any Solution for that?

Never tested, but you need to run the standard kernel, not the one with nDPI support (kernel-lt).

P.S. Please do not cross-post :wink:

Anyone use this in NethServer release 7.3.1611 (Final)? Did it work?

Any further updates re GeoIP? I keep getting heaps from China.

The instruction above still applies, AFAIK.

Could a stable/integrated package be deployed for this important feature?


@filippo_carletti @davide_marini do you see any drawbacks? Is it worth doing some work on it?

A little up for this feature. Which could be really useful for some kind of applications, IMVHO.

The biggest part of the development is about a complex User Interface.
I can do all the work under the hood if an aspiring developer wants to join me.

Could be nations, continents, ISPs just… firewall objects? IPFire behaves quite like that.

Any update on getting this to work with 7.3.1611? Does not exist. Is there an alternate download?

I downloaded and installed xtables-geoip-2015.08-66.4.noarch.rpm and still no luck. I’m getting “ERROR: A country-code require GeoIP Match in your kernel and iptables /etc/shorewall/rules (line 72)”

modinfo xt_geoip
filename: /lib/modules/3.10.0-514.26.2.el7.x86_64/weak-updates/xtables-addons/xt_geoip.ko
alias: ipt_geoip
alias: ip6t_geoip
description: xtables module for geoip match
author: Samuel Jean
author: Nicolas Bouliane
license: GPL
rhelversion: 7.2
srcversion: 67CE5590C8BAA1B9CA961BB
vermagic: 3.10.0-327.36.2.el7.centos.plus.x86_64 SMP mod_unload modversions

modinfo xt_ndpi
modinfo: ERROR: Module xt_ndpi not found.

Thanks for your help…
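
The `modinfo xt_geoip` output in the post above shows the module installed under the 3.10.0-514.26.2 tree through `weak-updates`, while its `vermagic` names 3.10.0-327.36.2. The following is an added example (not code from any poster in this thread or from the xtables-addons packages) that extracts and compares those two fields; the function names and the trimmed sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare where a module is installed with what it was built for.

# Constructed sample: three fields of the xt_geoip output quoted in the post above.
SAMPLE_MODINFO='filename: /lib/modules/3.10.0-514.26.2.el7.x86_64/weak-updates/xtables-addons/xt_geoip.ko
rhelversion: 7.2
vermagic: 3.10.0-327.36.2.el7.centos.plus.x86_64 SMP mod_unload modversions'

# Kernel release whose module tree holds the .ko (taken from "filename:").
installed_for() {
    printf '%s\n' "$1" |
        sed -n 's|^filename:[[:space:]]*/lib/modules/\([^/]*\)/.*|\1|p'
}

# Kernel release the module was compiled against (first word of "vermagic:").
built_for() {
    printf '%s\n' "$1" | awk '$1 == "vermagic:" { print $2; exit }'
}

# Verdict for one modinfo text: match | weak-update | mismatch | unknown
classify_module() {
    inst=$(installed_for "$1")
    built=$(built_for "$1")
    if [ -z "$inst" ] || [ -z "$built" ]; then
        echo unknown
    elif [ "$inst" = "$built" ]; then
        echo match
    elif printf '%s\n' "$1" | grep -q '^filename:.*/weak-updates/'; then
        # Built for another kernel and linked in by the weak-modules (kABI)
        # mechanism; it loads only if every symbol version it needs still agrees.
        echo weak-update
    else
        echo mismatch
    fi
}

# Live use (hypothetical helper): check_module xt_geoip
check_module() {
    info=$(modinfo "$1" 2>/dev/null) || { echo "$1: not found"; return 1; }
    echo "$1: tree=$(installed_for "$info") built=$(built_for "$info")" \
         "verdict=$(classify_module "$info")"
}

classify_module "$SAMPLE_MODINFO"   # prints the verdict for the sample
```

A `weak-update` verdict means the module depends on symbol-version compatibility with the running kernel; a `disagrees about version of symbol` line in the kernel log is what a failed compatibility check looks like.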

AFAIK there is no other ready to use RPM.

You can try this repository (but I guess it will not work for the current kernel):

Or compile it by yourself:


Thanks for the info… I’ll compile my own…

Let us know if it works! :wink:

@kfarmer hi, sorry for bugging you. Have you any kind of news? :slight_smile:

@pike I reply to you quoting Filippo.

@areguera @stephdl @dev_team anyone interested?


So far I have had no luck at getting it to compile. The sticking point is the xt_TARPIT.o extension. This module is one I would definitely want to have.

“TARPIT captures and holds incoming TCP connections using no local per-connection resources.”

I was trying to compile with
Kernel: 3.10.0-693.2.2.el7.x86_64

I believe the issue will be that Red Hat Enterprise kernels have an incompatible API.

It looks like I will be downgrading back to CentOS 6 until 2020 when support ends.

I just reviewed my instructions on a clean system and confirmed that GeoIP works perfectly on 7.3.
I can confirm that the tarpit module doesn’t work by default with the following error:

xt_TARPIT: disagrees about version of symbol ip6_dst_hoplimit
xt_TARPIT: Unknown symbol ip6_dst_hoplimit (err -22)

I suggest you try the centosplus kernel (I will do so soon).

Updated instructions:

yum install http://repo.iotti.biz/CentOS/7/noarch/lux-release-7-1.noarch.rpm
yum install xtables-addons
yum install http://ftp.gwdg.de/pub/opensuse/tumbleweed/repo/oss/suse/noarch/xtables-geoip-2016.09-1.2.noarch.rpm
yum install -y yum-utils
yum-config-manager --disable lux
shorewall show -f capabilities > /etc/shorewall/capabilities

The centosplus kernel has the same problem/error as the standard kernel.

I compiled a new kmod-xtables-addons and the tarpit module works as expected.
@kfarmer are you interested in testing the kmod?