nftables GeoIP Setup Questions #57

vdias · 2025-07-18T20:58:36Z

vdias
Jul 18, 2025

Where are all the configuration (*.nft) files stored?

Are the rules automatically imported and applied after a reboot?

This is my main nft file, which already includes some prerouting rules. Will they coexist without conflict?

#!/usr/sbin/nft -f

# Includes MANGLE TABLE
include "/etc/nftables/includes/drop_nolog.nft"

# Includes FILTER TABLE
include "/etc/nftables/includes/SafeZone.nft"

# Includes IPsum Level 4 List
include "/etc/nftables/includes/ipsum.nft"

# --------- MANGLE TABLE ---------
table inet mangle {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;

        # Drop silently before anything else
        ip saddr @drop_nolog counter drop

        # Drop silently before anything else
        ip saddr @ipsum counter drop
    }
}

# --------- FILTER TABLE ---------
table inet filter {

    chain input {
        type filter hook input priority 0; policy drop;

        # Accept loopback traffic
        iif lo accept

        # Accept established and related connections
        ct state established,related accept

        # SSH from trusted IPs (/etc/nftables/includes/SafeZone.nft)
        ip saddr @home_ip tcp dport 22 accept
        ip saddr @work_ip tcp dport 22 accept

        # Ping from trusted IPs (/etc/nftables/includes/SafeZone.nft)
        ip saddr @home_ip icmp type echo-request accept
        ip saddr @work_ip icmp type echo-request accept

        # Drop invalid packets
        ct state invalid drop

        # Log and drop the rest
        log prefix "nft INPUT drop: " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Accept established and related connections
        ct state established,related accept

        # Log and drop the rest
        log prefix "nft FORWARD drop: " counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

friendly-bits · 2025-07-18T22:23:32Z

friendly-bits
Jul 18, 2025
Maintainer

Hi, geoip-shell does not store any nft files. Rules are generated programmatically, depending on user config. You can see the code here.

By default, geoip-shell enables geoblocking persistence across reboots. This is achieved via an init script and a firewall include on OpenWrt, and via a cron job on all other systems.

And yes, geoip-shell in principle has about 0 potential to create rules which would interfere with any other pre-existing rules, except if pre-existing rules implement geoblocking as well. As long as you configure geoip-shell sensibly, you should have no problems.

You can read more about the rules created by geoip-shell here.

0 replies

vdias · 2025-07-25T16:28:02Z

vdias
Jul 25, 2025
Author

Apologies if this is a basic question, but:

What is the recommended source for IP country lists?

I intend to block the following countries: CN, RU, IN, BR, VN, IR, ID, NG.

Does the default RIPE data source include all of them, or is it necessary to use additional RIRs?

Just tried the IPdeny and MaxMind sources and get a error...

fetch: Error: SSL support is required to use the IPDENY source but no utility with SSL support is available.
fetch: Error: SSL support is required to use the MAXMIND source but no utility with SSL support is available.

8 replies

friendly-bits Jul 25, 2025
Maintainer

If you are asking about logging of accepted and denied packets then currently no. geoip-shell does write to system log during the automatic list updates.

vdias Jul 25, 2025
Author

I asked about the logs because I feel something is not correct.

My main nft:

#!/usr/sbin/nft -f

# Includes MANGLE TABLE
include "/etc/nftables/includes/drop_nolog.nft"

# Includes FILTER TABLE
include "/etc/nftables/includes/SafeZone.nft"

# --------- MANGLE TABLE ---------
table inet mangle {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;

        # Drop silently before anything else
        ip saddr @drop_nolog counter drop
    }
}

# --------- FILTER TABLE ---------
table inet filter {

    chain input {
        type filter hook input priority 0; policy drop;

        # Accept loopback traffic
        iif lo accept

        # Accept established and related connections
        ct state established,related accept

        # SSH from trusted IPs (/etc/nftables/includes/SafeZone.nft)
        ip saddr @home_ip tcp dport 22 accept
        ip saddr @work_ip tcp dport 22 accept

        # Ping from trusted IPs (/etc/nftables/includes/SafeZone.nft)
        ip saddr @home_ip icmp type echo-request accept
        ip saddr @work_ip icmp type echo-request accept

        # Drop invalid packets
        ct state invalid drop

        # Log and drop the rest
        log prefix "nft INPUT drop: " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Accept established and related connections
        ct state established,related accept

        # Log and drop the rest
        log prefix "nft FORWARD drop: " counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

Using your solution with the CN, RU, IN, BR, VN, IR, ID, and NG lists, I see no hits after several hours. My server is hosted on a well-known public cloud provider.

                ip saddr @local_block_4 counter packets 12 bytes 496 drop comment "geoip-shell"
                ip saddr @CN_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @CN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @RU_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @RU_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @IN_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @IN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @BR_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @BR_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @VN_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @VN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @IR_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @IR_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @ID_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @ID_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @NG_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @NG_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"

friendly-bits Jul 25, 2025
Maintainer

Please show me the output of:

geoip-shell status
nft -t list table inet geoip-shell

(Redact sensitive data if needed)

Also you could try to use VPN and see whether the machine is accessible from one of the blocked countries.

vdias Jul 25, 2025
Author

geoip-shell v0.7.4 status:

Firewall backend: nftables
IP lists source: maxmind
Geoblocking rules applied to network interfaces: all
nftables sets optimization policy: performance

Cron system service: ✔
Update cron job: ✔
Update schedule: '30 4 * * *'
Last successful update: Jul-25-2025 19:53:23
Persistence cron job: ✔
Automatic backup of IP lists: On

Active local IP lists: local_block_ipv4

inbound geoblocking:
  Mode: blacklist
  Country codes: CN RU IN BR VN IR ID NG ✔
  IP families: ipv4 ipv6 ✔

  Allowed IPs (includes link-local IPs, trusted IPs, LAN IPs):
  ipv4: None
  ipv6: None

  Protocols:
  tcp: Geoblocking all destination ports
  udp: Geoblocking all destination ports

  Geoblocking firewall chain: enabled ✔

outbound geoblocking:
  Mode: disable

No problems detected.

table inet geoip-shell {
        set CN_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set CN_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set RU_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set RU_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set IN_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set IN_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set BR_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set BR_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set VN_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set VN_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set IR_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set IR_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set ID_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set ID_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set NG_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set NG_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set local_block_4 {
                type ipv4_addr
        }

        chain GEOIP-SHELL_BASE_IN {
                type filter hook prerouting priority mangle + 9; policy accept;
                jump GEOIP-SHELL_IN comment "geoip-shell_enable"
        }

        chain GEOIP-SHELL_IN {
                ct state established,related accept comment "geoip-shell_aux_est-rel"
                ip saddr @local_block_4 counter packets 14 bytes 576 drop comment "geoip-shell"
                ip saddr @CN_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @CN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @RU_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @RU_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @IN_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @IN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @BR_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @BR_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @VN_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @VN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @IR_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @IR_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @ID_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @ID_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @NG_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @NG_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
        }
}

friendly-bits Jul 25, 2025
Maintainer

Looks fine. Counters are at 0 because no connection attempts from blocked countries have been made. You can verify using a VPN as I suggested above.

friendly-bits · 2025-07-27T12:12:08Z

friendly-bits
Jul 27, 2025
Maintainer

Hi @vdias, did you verify that geoblocking is working correctly? I would appreciate an update on this. Also in the meantime it occurred to me that you may have other nftables rules in place with higher priority than rules created by geoip-shell, which potentially prevent packets from reaching geoip-shell rules. If you still have 0 in all counters, I would suggest to check all existing rule using the command nft -t list ruleset

0 replies

vdias · 2025-07-27T13:00:01Z

vdias
Jul 27, 2025
Author

Yes, I’ve started to see some hits, lower than expected, but there are some nonetheless.

sudo nft list table inet geoip-shell | grep 'counter packets'
                ip saddr @local_block_4 counter packets 128 bytes 5631 drop comment "geoip-shell"
                ip saddr @CN_4_2025-07-25 counter packets 7 bytes 330 drop comment "geoip-shell"
                ip6 saddr @CN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @RU_4_2025-07-25 counter packets 2 bytes 80 drop comment "geoip-shell"
                ip6 saddr @RU_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @IN_4_2025-07-25 counter packets 3 bytes 164 drop comment "geoip-shell"
                ip6 saddr @IN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @BR_4_2025-07-25 counter packets 1 bytes 40 drop comment "geoip-shell"
                ip6 saddr @BR_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @VN_4_2025-07-25 counter packets 1 bytes 44 drop comment "geoip-shell"
                ip6 saddr @VN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @IR_4_2025-07-25 counter packets 3 bytes 128 drop comment "geoip-shell"
                ip6 saddr @IR_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @ID_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @ID_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @NG_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @NG_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"

table inet geoip-shell {
        set CN_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set CN_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set RU_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set RU_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set IN_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set IN_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set BR_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set BR_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set VN_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set VN_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set IR_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set IR_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set ID_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set ID_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set NG_4_2025-07-25 {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set NG_6_2025-07-25 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set local_block_4 {
                type ipv4_addr
        }

        chain GEOIP-SHELL_BASE_IN {
                type filter hook prerouting priority mangle + 9; policy accept;
                jump GEOIP-SHELL_IN comment "geoip-shell_enable"
        }

        chain GEOIP-SHELL_IN {
                ct state established,related accept comment "geoip-shell_aux_est-rel"
                ip saddr @local_block_4 counter packets 128 bytes 5631 drop comment "geoip-shell"
                ip saddr @CN_4_2025-07-25 counter packets 7 bytes 330 drop comment "geoip-shell"
                ip6 saddr @CN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @RU_4_2025-07-25 counter packets 2 bytes 80 drop comment "geoip-shell"
                ip6 saddr @RU_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @IN_4_2025-07-25 counter packets 3 bytes 164 drop comment "geoip-shell"
                ip6 saddr @IN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @BR_4_2025-07-25 counter packets 1 bytes 40 drop comment "geoip-shell"
                ip6 saddr @BR_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @VN_4_2025-07-25 counter packets 1 bytes 44 drop comment "geoip-shell"
                ip6 saddr @VN_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @IR_4_2025-07-25 counter packets 3 bytes 128 drop comment "geoip-shell"
                ip6 saddr @IR_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @ID_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @ID_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip saddr @NG_4_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
                ip6 saddr @NG_6_2025-07-25 counter packets 0 bytes 0 drop comment "geoip-shell"
        }
}
table inet mangle {
        set drop_nolog {
                type ipv4_addr
                flags interval
        }

        chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                ip saddr @drop_nolog counter packets 1074 bytes 373752 drop
        }
}
table inet filter {
        set home_ip {
                type ipv4_addr
        }

        set work_ip {
                type ipv4_addr
        }

        chain input {
                type filter hook input priority filter; policy drop;
                iif "lo" accept
                ct state established,related accept
                ip saddr @home_ip tcp dport 22 accept
                ip saddr @work_ip tcp dport 22 accept
                ip saddr @home_ip icmp type echo-request accept
                ip saddr @work_ip icmp type echo-request accept
                ct state invalid drop
                log prefix "nft INPUT drop: " counter packets 3989 bytes 365792 drop
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept
                log prefix "nft FORWARD drop: " counter packets 0 bytes 0 drop
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
        chain DOCKER {
                iifname "docker0" counter packets 0 bytes 0 return
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 408 bytes 20228 jump DOCKER
        }

        chain OUTPUT {
                type nat hook output priority dstnat; policy accept;
                ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 172.17.0.0/16 oifname != "docker0" counter packets 0 bytes 0 masquerade
        }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
        chain DOCKER {
                iifname != "docker0" oifname "docker0" counter packets 0 bytes 0 drop
        }

        chain DOCKER-FORWARD {
                counter packets 0 bytes 0 jump DOCKER-CT
                counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
                counter packets 0 bytes 0 jump DOCKER-BRIDGE
                iifname "docker0" counter packets 0 bytes 0 accept
        }

        chain DOCKER-BRIDGE {
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        }

        chain DOCKER-CT {
                oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
        }

        chain DOCKER-ISOLATION-STAGE-1 {
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "docker0" counter packets 0 bytes 0 drop
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
                counter packets 0 bytes 0 jump DOCKER-USER
                counter packets 0 bytes 0 jump DOCKER-FORWARD
        }

        chain DOCKER-USER {
        }
}
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
table ip6 nat {
        chain DOCKER {
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 652 bytes 88272 jump DOCKER
        }

        chain OUTPUT {
                type nat hook output priority dstnat; policy accept;
                ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump DOCKER
        }
}
table ip6 filter {
        chain DOCKER {
        }

        chain DOCKER-FORWARD {
                counter packets 0 bytes 0 jump DOCKER-CT
                counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
                counter packets 0 bytes 0 jump DOCKER-BRIDGE
        }

        chain DOCKER-BRIDGE {
        }

        chain DOCKER-CT {
        }

        chain DOCKER-ISOLATION-STAGE-1 {
        }

        chain DOCKER-ISOLATION-STAGE-2 {
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 0 bytes 0 jump DOCKER-USER
                counter packets 0 bytes 0 jump DOCKER-FORWARD
        }

        chain DOCKER-USER {
        }
}
table ip raw {
        chain PREROUTING {
                type filter hook prerouting priority raw; policy accept;
        }
}

Just a quick suggestion, my local_block_4 set is populated with the IPsum Level 4 list, which I download daily at 4 AM and load using your script as a local blocklist.

Thought I’d mention it in case you're considering adding additional security features to geoip-shell. There are several IP blacklist projects out there you might consider integrating; IPsum is a good example: https://github.com/stamparm/ipsum

Also, a big thanks for this project and your quick support, geoip-shell is exactly the kind of efficient, no-nonsense tool I was looking for.

Great work!!!

7 replies

friendly-bits Jul 27, 2025
Maintainer

IPsum Level 4 list, which I download daily at 4 AM and load using your script as a local blocklist.

Note that the command geoip-shell configure -[A|B] <file> imports new addresses included in the file which have not been imported previously. It does not remove any previously imported addresses. If you want the geoip-shell local blocklist to exactly match the list you downloaded from IPsum, you should use the command geoip-shell configure -B remove before importing the updated local blocklist.

in case you're considering adding additional security features to geoip-shell

Currently I am not planning to transform geoip-shell into a universal blocker as this would require some very large changes to the code. Maybe in the future. Thank you for the suggestion.

Also, a big thanks for this project and your quick support, geoip-shell is exactly the kind of efficient, no-nonsense tool I was looking for.

Great work!!!

This always nice to hear. Thank you!

friendly-bits Jul 27, 2025
Maintainer

Deny all countries by default and allow only one. Since I only ever connect from a single country on a daily basis, it might simplify the rule set and tighten security even further.

This is definitely a good idea if you do not need to allow connections from other countries. This is what the whitelist mode is for. You may also want to consider configuring geoip-shell to only geoblock on the specific WAN network interface if the machine has one.

vdias Jul 27, 2025
Author

So, if I whitelist just one country, does that mean all other countries will be automatically blocked? I'm a bit unclear on how that logic works.

Note that the command geoip-shell configure -[A|B] imports new addresses included in the file which have not been imported previously. It does not remove any previously imported addresses. If you want the geoip-shell local blocklist to exactly match the list you downloaded from IPsum, you should use the command geoip-shell configure -B remove before importing the updated local blocklist.

Also, I have a .txt file on my system that’s updated daily. I used the configure B file command, and I assumed the daily geoip-shell update via the crontab would load it with the current file content. But now I’m not sure if that's actually happening.

What’s the proper way to automate this, so that geoip-shell refreshes the file contents every day based on the latest version?

friendly-bits Jul 27, 2025
Maintainer

if I whitelist just one country, does that mean all other countries will be automatically blocked?

Whitelist mode means that everything is blocked by default, and only what is explicitly allowed will not be blocked. Note that whitelist mode blocks any and all connections to the machine, including from local network. For this reason I recommended you to configure geoip-shell to only geoblock on the dedicated WAN network interface. If the machine does not have a dedicated WAN network interface and you configure geoip-shell to geoblock on all network interface (as this is you configured now), once you configure geoip-shell to work in whitelist mode, it will suggest to add LAN IP ranges to the whitelist in order to unblock them. In a complex configuration, you may need to add additional IP ranges to trusted networks using the geoip-shell configure -t <"IPs"> command. All of that is unnecessary if you configure geoip-shell to only geoblock on the dedicated WAN network interface if this machine has one.

Also, I have a .txt file on my system that’s updated daily. I used the configure B file command, and I assumed the daily geoip-shell update via the crontab would load it with the current file content.

This is not what geoip-shell is doing. When you issue the command:

geoip-shell configure -B <file>

geoip-shell imports any IPs or IP ranges from that file into a file in the /var/lib/geoip-shell directory. geoip-shell never updates that file on its own. If you issue another geoip-shell configure -B <file> command, geoip-shell imports any new addresses included in <file>. If you want to regularly update your local list, the simplest way is create a script like this and save it as /usr/bin/ipsum-update.sh:

#!/bin/sh

FETCHED_FILE="" # add path to fetched file here

# replace this line with a command which would fetch the list and write it to $FETCHED_FILE

[ -s "$FETCHED_FILE" ] ||
    { logger -t ipsum-update -p user.err "Error: file '$FETCHED_FILE' is empty or does not exist."; exit 1; }

geoip-shell configure -B remove ||
    { logger -t ipsum-update -p user.err "Error: geoip-shell failed to remove previous IPsum blocklist."; exit 1; }
geoip-shell configure -B "$FETCHED_FILE" ||
    { logger -t ipsum-update -p user.err "Error: geoip-shell failed to import the new IPsum blocklist."; exit 1; }

logger -t ipsum-update -p user.info "Successfully updated the IPsum blocklist."

exit 0

Modify the code as per code comments.

Use the command sudo chmod +x /usr/bin/ipsum-update.sh to make the script executable.

Test the script:

 /usr/bin/ipsum-update.sh

Once the script works, add a cron job. Copy-paste the following into the terminal and press Enter:

curr_cron="$(sudo crontab -u root -l)"
NL='
'
printf '%s\n' "${curr_cron}${NL}0 4 * * * /usr/bin/ipsum-update.sh" | sed '/^$/d' | sudo crontab -u root -

Then verify that cron job was successfully added:

sudo crontab -u root -l

vdias Jul 27, 2025
Author

For future users adopting the same approach:

This script downloads and applies changes only if the source content has changed, based on the ETag header.

#!/bin/bash

TAG="ipsum-update"
URL="https://raw.githubusercontent.com/stamparm/ipsum/refs/heads/master/levels/4.txt"
DIR="/SCRIPTS/tmp"
LOCAL_FILE="$DIR/IPsum-Level4.txt"
ETAG_FILE="$DIR/IPsum-Level4.etag"

mkdir -p "$DIR"

# Fetch remote ETag
REMOTE_ETAG=$(curl -sI "$URL" | grep -i ETag | awk '{print $2}' | tr -d $'\r')

# Read stored ETag
if [ -f "$ETAG_FILE" ]; then
  LOCAL_ETAG=$(cat "$ETAG_FILE")
else
  LOCAL_ETAG=""
fi

# Check if ETag changed
if [ "$REMOTE_ETAG" != "$LOCAL_ETAG" ]; then
  if curl -fsSL -o "$LOCAL_FILE" "$URL"; then
    logger -t "$TAG" -p user.info "Downloaded new IPsum-Level4 blocklist."

    echo "$REMOTE_ETAG" > "$ETAG_FILE"

    # Validate non-empty file
    if [ ! -s "$LOCAL_FILE" ]; then
      logger -t "$TAG" -p user.err "Downloaded file '$LOCAL_FILE' is empty. Aborting."
      exit 1
    fi

    # Run geoip-shell commands
    if geoip-shell configure -B remove; then
      logger -t "$TAG" -p user.info "Previous IPsum blocklist removed."
    else
      logger -t "$TAG" -p user.err "Failed to remove previous IPsum blocklist."
      exit 1
    fi

    if geoip-shell configure -B "$LOCAL_FILE"; then
      logger -t "$TAG" -p user.info "Successfully imported new IPsum blocklist."
    else
      logger -t "$TAG" -p user.err "Failed to import new IPsum blocklist."
      exit 1
    fi

  else
    logger -t "$TAG" -p user.err "Failed to download IPsum-Level4 from $URL."
    exit 1
  fi

else
  logger -t "$TAG" -p user.info "IPsum-Level4 unchanged. ETag matched."
fi

exit 0

nftables GeoIP Setup Questions #57

Uh oh!

vdias Jul 18, 2025

Replies: 4 comments · 15 replies

Uh oh!

friendly-bits Jul 18, 2025 Maintainer

Uh oh!

Uh oh!

vdias Jul 25, 2025 Author

Uh oh!

friendly-bits Jul 25, 2025 Maintainer

Uh oh!

vdias Jul 25, 2025 Author

Uh oh!

Uh oh!

friendly-bits Jul 25, 2025 Maintainer

Uh oh!

vdias Jul 25, 2025 Author

Uh oh!

friendly-bits Jul 25, 2025 Maintainer

Uh oh!

friendly-bits Jul 27, 2025 Maintainer

Uh oh!

Uh oh!

vdias Jul 27, 2025 Author

Uh oh!

friendly-bits Jul 27, 2025 Maintainer

Uh oh!

friendly-bits Jul 27, 2025 Maintainer

Uh oh!

vdias Jul 27, 2025 Author

Uh oh!

friendly-bits Jul 27, 2025 Maintainer

Uh oh!

vdias Jul 27, 2025 Author

vdias
Jul 18, 2025

Replies: 4 comments 15 replies

friendly-bits
Jul 18, 2025
Maintainer

vdias
Jul 25, 2025
Author

friendly-bits Jul 25, 2025
Maintainer

vdias Jul 25, 2025
Author

friendly-bits Jul 25, 2025
Maintainer

vdias Jul 25, 2025
Author

friendly-bits Jul 25, 2025
Maintainer

friendly-bits
Jul 27, 2025
Maintainer

vdias
Jul 27, 2025
Author

friendly-bits Jul 27, 2025
Maintainer

friendly-bits Jul 27, 2025
Maintainer

vdias Jul 27, 2025
Author

friendly-bits Jul 27, 2025
Maintainer

vdias Jul 27, 2025
Author