How can I block countries from connecting

Hello

I don’t want some countries to log in to my Teamspeak server. How can I prevent them?

You need to setup your firewall to deny IPs from these countries.

Please use Google to find how to’s or matching IPs.

1 Like

I had the same problem, the firewall lists do not update themselves automatically. Therefore I found the software RdpGuard (Windows). This software blocks all attempted RDP attacks on the server (via IP) with temporary firewall entries. Additionally there is a cloud solution which contains a list of all currently blocked IPs of RdpGuard and a GeoIP (Country) solution which updates itself regularly. Unfortunately the software is not freeware but the best solution I found so far.

There are a lot of free resources out there storing accurate data of “all” known IP ranges (for Germany) in CIDR format.

Exporting them to a text file for example, having a simple batch file to add them to an existing firewall rule is quite easy and free.
(that’s basically what you’re paying for a third-party app)

I’m sure there are sources on GitHub, too, for example filtering known proxy or VPN hosts out of this list.

Just to name 2 possible sources…

(edit)

https://www.countryipblocks.net/acl.php

2 Likes

We have something that blocks countries such as Iran, Iraq, etc., places we know won’t ever join us to play games yet that people would use as a VPN to troll us. We also have another thing that automatically gives certain countries like US/UK/CAN a tag so they can talk, while places we aren’t sure about will have to request voice.

Hello, I want to prevent some countries from accessing my server with the help of geoip. Access to port 22 is blocked without any problem. But they can still access the TeamSpeak servers. How can I prevent this? I’m sending you an example command. I will be glad if you edit and forward it.

iptables -A INPUT -m geoip -p udp --dport 9987 --src-cc US,DE -j DROP

iptables -A OUTPUT -m geoip --dst-cc DE -j DROP

I can block from all ports with this command. But we have a problem. I only need the command to allow 1 location. Blocking countries one by one with this command takes time. Do you know which command allows Germany?

Instead of dropping each country one by one adjust your INPUT policy and create exceptions.

iptables -P INPUT DROP
iptables -A INPUT -m geoip -p udp --dport 9987 --src-cc DE -j ACCEPT

Connections from (source) countries other than DE will be dropped.

:warning: Be warned!

Don’t forget to add inbound rules for SSH and AUTH.
As well as accepting ESTABLISHED and RELATED connections.

Forgetting this means you’re locked out of your remote system.

3 Likes
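The default-DROP setup from the reply above, written out as one ruleset in iptables-restore format so the management rules and the policy change are committed together. This is an added example, not part of the original posts; the function name `build_ruleset`, SSH on TCP port 22 and the loopback rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print an allow-list ruleset in
# iptables-restore format. Assumptions: SSH on tcp/22, voice on udp/9987,
# xt_geoip installed. Loading it replaces the current filter table.

# build_ruleset <country-codes> [voice-port] [ssh-port]
build_ruleset() {
    countries=$1
    voice_port=${2:-9987}
    ssh_port=${3:-22}

    # Accept only comma-separated two-letter codes such as DE,AT.
    case $countries in
        ''|*[!A-Z,]*|*,) echo "bad country list: $countries" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for cc in $countries; do
        case $cc in
            [A-Z][A-Z]) ;;
            *) IFS=$old_ifs; echo "bad country code: $cc" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs

    # Rule order matters: management access comes first, and the DROP
    # policy takes effect in the same commit as the ACCEPT rules.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
-A INPUT -m geoip -p udp --dport $voice_port --src-cc $countries -j ACCEPT
COMMIT
EOF
}

# Check the syntax first, then load:
#   build_ruleset DE > /tmp/rules.v4
#   iptables-restore --test < /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
```

Keep a second SSH session open while loading the ruleset, so a mistake can still be reverted.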

I’ll try this

Do we only allow 9987 port with this command? It may take time to allow individual teamspeak ports. How can I make country access to all ports with a single command?

An INPUT policy DROP will drop all incoming connections to your server as the value says.
Therefore you have to add rules for ALL connections you want to allow on your system.
Be careful as you can lock out yourself permanently as I mentioned above.

It’s basically needed to add two inbound rules for your TeamSpeak server:

(this will allow connections only from DE assuming your INPUT policy is DROP)

It’s not needed to filter the source countries for the filetransfer connection since a client can establish a connection only if he’s connected to TeamSpeak server successfully.

iptables -A INPUT -m geoip -p udp --dport 9987 --src-cc DE -j ACCEPT     # Voice port
iptables -A INPUT -p tcp --dport 30033 -j ACCEPT                         # Filetransfer port

Optional rules to accept ServerQuery connections:

iptables -A INPUT -p tcp -m tcp --dport 10011 -j ACCEPT    # ServerQuery raw
iptables -A INPUT -p tcp -m tcp --dport 10022 -j ACCEPT    # ServerQuery SSH

You can accept connections for specific source IPs only as well:

iptables -A INPUT -s 12.34.56.78/32 -p tcp -m tcp --dport 10011 -j ACCEPT
iptables -A INPUT -s 12.34.56.78/32 -p tcp -m tcp --dport 10022 -j ACCEPT

Only clients with the remote IP address 12.34.56.78 will be able to connect to your ServerQuery interface.


Just to mention it again, don’t forget to add rules for SSH and AUTH if you change your INPUT policy.

Don’t get me wrong but be careful playing around with your firewall.
Hosting a live environment online without proper networking knowledge is not really recommended.
Just to say…

I’m not sure if the rule length may be too long but you can of course drop each country if you want to.
It’s a little bit awkward but your decision.

Get a list of all country codes (ISO 3661) from: datahub.io

Print the array and its object values, add a comma and get:

AF,AX,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BQ,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CW,CY,CZ,DK,DJ,DM,DO,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,GF,PF,TF,GA,GM,GE,GH,GI,GR,GL,GD,GP,GU,GT,GG,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IM,IL,IT,JM,JP,JE,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,ME,MS,MA,MZ,MM,NA,NR,NP,NL,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PS,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,BL,SH,KN,LC,MF,PM,VC,WS,SM,ST,SA,SN,RS,SC,SL,SG,SX,SK,SI,SB,SO,ZA,GS,SS,ES,LK,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TL,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW

Add the rule to your firewall (if possible):

iptables -A INPUT -m geoip -p udp --dport 9987 --src-cc AF,AX,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BQ,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CW,CY,CZ,DK,DJ,DM,DO,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,GF,PF,TF,GA,GM,GE,GH,GI,GR,GL,GD,GP,GU,GT,GG,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IM,IL,IT,JM,JP,JE,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,ME,MS,MA,MZ,MM,NA,NR,NP,NL,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PS,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,BL,SH,KN,LC,MF,PM,VC,WS,SM,ST,SA,SN,RS,SC,SL,SG,SX,SK,SI,SB,SO,ZA,GS,SS,ES,LK,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TL,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW -j DROP

I have removed the DE country code from the list manually.


As long as iptables lets you add such a large rule this should work.
But I don’t wanna talk about that to be honest. It’s just terrible :grimacing:

iptables v1.6.0: geoip: too many countries specified
Try `iptables -h' or 'iptables --help' for more information.

Do you know about this error?

I’m not sure if the rule length may be too long […]
As long as iptables lets you add such a large rule […]

I did almost expect this will happen…
As I mentioned above adding all country codes into one rule will probably be too large.

Either you split up all of them into multiple rules or just change the INPUT policy as I described.

There’s not much else you can do.
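Splitting the list into several rules, as suggested above, can be scripted. This is an added example, not part of the original posts: the function names and the sample list are constructed, and the limit of 15 codes per rule is an assumption (the XT_GEOIP_MAX default in xtables-addons) that can be overridden.

```shell
#!/bin/sh
# Added example (not from the thread): turn one long country list into
# several DROP rules that each stay under the geoip match limit.
# Assumption: at most 15 codes per rule; pass another limit if yours differs.

# Constructed sample input: 32 codes, including DE which must stay allowed.
SAMPLE_CODES="AF,AX,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BQ,BA,BW,DE,BR"

emit_rule() {
    printf 'iptables -A INPUT -m geoip -p udp --dport %s --src-cc %s -j DROP\n' "$1" "$2"
}

# geoip_drop_rules <all-codes> <keep-codes> [port] [max-per-rule]
# Prints the commands only; nothing is applied to the firewall.
geoip_drop_rules() {
    all=$1
    keep=$2
    port=${3:-9987}
    max=${4:-15}
    chunk=''
    n=0

    case $all in
        ''|*[!A-Z,]*) echo "bad country list" >&2; return 1 ;;
    esac

    old_ifs=$IFS; IFS=,
    for cc in $all; do
        # Countries that should keep access are left out of every DROP rule.
        case ",$keep," in *",$cc,"*) continue ;; esac
        chunk=${chunk:+$chunk,}$cc
        n=$((n + 1))
        if [ "$n" -eq "$max" ]; then
            emit_rule "$port" "$chunk"
            chunk=''
            n=0
        fi
    done
    IFS=$old_ifs

    # Flush the last, shorter chunk.
    [ -z "$chunk" ] || emit_rule "$port" "$chunk"
}

# Review the output, then run it:  geoip_drop_rules "$SAMPLE_CODES" DE | sh
```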

Thanks I solved the problem by dividing. I have 2 last questions

service iptables save
iptables: unrecognized service

I get this error while saving iptables

Another problem is I want to allow the ip address of my Music bots.

iptables -D INPUT -s ipadress -j REJECT

iptables -D INPUT -s ipaddres-j REJECT
iptables v1.6.0: host/network `ipaddres' not found
Try `iptables -h' or 'iptables --help' for more information.

iptables -D INPUT -s ipaddress -j REJECT
iptables: No chain/target/match by that name.

I am getting this error, do you know the solutions?

Saving and restoring the rules of iptables requires the package iptables-persistent.

sudo apt-get install iptables-persistent

You have to add all required rules once and save them after.
iptables will restore these rules automatically from the saved file on a reboot.

Default files

/etc/iptables/rules.v4
/etc/iptables/rules.v6

The file extensions v4 and v6 obviously mean IPv4 or IPv6.


Let’s stick to IPv4 and take a look how to save and restore your rules:

Saving your rules

iptables-save > /etc/iptables/rules.v4

Restoring your rules

iptables-restore < /etc/iptables/rules.v4

Adding firewall rules

If you haven’t changed your INPUT policy to DROP it’s not needed to add rules to accept connections.
The policy ACCEPT does already accept all incoming connections.

Just as a note…

iptables -D INPUT -s ipadress -j REJECT

This does reject a connection, it doesn’t accept it.
But your command arguments are WRONG anyway.
-D deletes a matching rule from the chain INPUT and doesn’t add a new rule.

If you need to accept a connection with a source IP address use my example mentioned above:

iptables -A INPUT -s 12.34.56.78/32 -j ACCEPT

Make sure the argument -s is a valid IP address and mask.
