Manually set GeoIP blocking firewall rule


Will this command successfully block country US from accessing the red interface:

iptables -I INPUT -m geoip --src-cc US -j DROP

Is there any further action necessary? Or will this rule be active immediately?
And will this command allow the traffic from US?

iptables -D INPUT -m geoip --src-cc US -j DROP

I would like to open the firewall for country US prior to updating a Let’s Encrypt certificate and close the firewall right after.


Possibly related: bug #12025

It was more a question and not related to a possible bug :stuck_out_tongue_winking_eye:
Moreover, it was not linked to IPsec or to OpenVPN…


It was more a question and not related to a possible bug :stuck_out_tongue_winking_eye:

yes, the mentioned bug is more a feature request, too. :wink:

If I have fully understood your problem, you are trying to limit connections coming from the internet (RED) to your IPFire machine to certain countries. This is precisely what bug #12025 is about, since ports for IPsec and OpenVPN are always opened up for the whole internet. While this is more user-friendly, it requires manual changes to firewall.local.

If I am mistaken: Why does adding a firewall rule via the web interface not work for you?

Thanks, and best regards,
Peter Müller

I’ve blocked almost every country besides Germany. However, when Dehydrated tries to update the LE certificates on IPFire, it contacts a US server. Wait - it’s the other way round: it initiates a request to port 80 from outside (using http-01 mode) on IPFire coming from a US IP address. That access gets blocked of course.

The update of the Let’s Encrypt cert starts once each month. Since I would like to have US blocked all the time, I would like to allow the country during the LE verification/update process.
This is done via a cron job, as a bash script to be precise, and this script should open the firewall for country US and close it again after the update process.

That’s why I’ve asked for the correct command lines for allowing and closing US :smile:

OK, the correct commands are

iptables -D GEOIPBLOCK -m geoip --src-cc US -j DROP

iptables -I GEOIPBLOCK -m geoip --src-cc US -j DROP

So solved for me now!
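The cron-driven open/renew/close procedure described in the two posts above, written out as an added example that is not part of the thread and not IPFire's or dehydrated's own code. It assumes the chain name GEOIPBLOCK and the exact rule spec from the accepted commands, and that the renewal is started as `dehydrated -c`; the IPTABLES, DEHYDRATED and CHAIN variables and the `renew` argument are my own additions so the script can be overridden or dry-run. Two things a practitioner wants beyond the bare -D/-I pair: the script checks with `iptables -C` whether the rule is present before acting, because a bare `-I` stacks one more DROP copy every month while `-D` later removes only one of them, and it re-blocks the country from an EXIT trap so the hole is closed even when the renewal fails or the script is killed.

```shell
#!/bin/sh
# Added example, not code from the thread or from IPFire: open one country in
# the GEOIPBLOCK chain around a dehydrated (http-01) renewal, then close it.
#
# Assumptions: the chain is GEOIPBLOCK and the rule spec is exactly
# "-m geoip --src-cc CC -j DROP" (as in the accepted commands above), and the
# renewal is "dehydrated -c". All three can be overridden by environment.

IPTABLES="${IPTABLES:-iptables}"
DEHYDRATED="${DEHYDRATED:-dehydrated -c}"   # word-split on purpose
CHAIN="${CHAIN:-GEOIPBLOCK}"

# Returns 0 if the DROP rule for country $1 is currently in the chain.
# "iptables -C" only checks; it never changes the ruleset.
geoip_rule_present() {
    "$IPTABLES" -C "$CHAIN" -m geoip --src-cc "$1" -j DROP 2>/dev/null
}

# Open the country by deleting its DROP rule. Skips the delete when the rule
# is already absent, so it does not fail on a second run.
geoip_open() {
    if geoip_rule_present "$1"; then
        "$IPTABLES" -D "$CHAIN" -m geoip --src-cc "$1" -j DROP
    fi
}

# Close the country again. Checks first, because a bare "iptables -I" adds
# another copy every time it runs, and "-D" later removes only one copy.
geoip_close() {
    if ! geoip_rule_present "$1"; then
        "$IPTABLES" -I "$CHAIN" -m geoip --src-cc "$1" -j DROP
    fi
}

# Open $1, run the renewal, close $1. Returns the renewal's exit status.
# The EXIT trap re-blocks the country on every exit path, including a
# renewal that aborts or a SIGTERM from cron (INT/TERM are turned into an
# exit so the EXIT trap fires).
renew_with_country_open() {
    cc="$1"
    geoip_open "$cc" || return 1
    trap 'geoip_close "$cc"' EXIT
    trap 'exit 1' INT TERM
    $DEHYDRATED
    rc=$?
    geoip_close "$cc"
    trap - EXIT INT TERM
    return "$rc"
}

# Cron entry point, e.g.:  0 3 1 * *  /root/le-renew-geoip.sh renew US
# Without the "renew" argument the script only defines the functions.
case "${1:-}" in
    renew) renew_with_country_open "${2:-US}" ;;
esac
```

Everything here is in-memory only: if IPFire reloads its firewall during the window, the GeoIP block is restored from the web interface settings and the final close becomes a no-op thanks to the -C check. To dry-run without root, point IPTABLES at a wrapper that just echoes its arguments and DEHYDRATED at `true`.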

I see, thanks for explaining that. :slight_smile: