Hi!

Yes, GeoIP is included in v1.51 but for now it must be administered via IPtables.
This is a very exciting feature that we're really looking forward to fully integrating, glad to see there is some interest in using this.

By default traffic to/from China & Russia is being blocked.
Here's a short 'how to' on using the feature as it exists today.

Go to Network --> Firewall --> Custom Rules

There you should see the following two lines..

iptables -I FORWARD -m geoip --src-cc CN,RU -j DROP # GeoIP Filter from China & Russia
iptables -I FORWARD -m geoip --dst-cc CN,RU -j DROP # GeoIP Filter to China & Russia

Basically, you just need to change the 'CN,RU' to whatever countries you want to block. Put a comma between each country, the abbreviations are based on ISO3166 (https://en.wikipedia.org/wiki/ISO_3166-1). After you've changed these rules, click Save & Apply.

For now, this is how we've got it implemented however, we did start working on a WebUI module for this feature. The service you are seeing is tied to the web UI module. To use that, you'd modify '/etc/config/geoip' to set a '1' for any country you want to block. Then you'd run '/etc/init.d/geoip start'. This will take the input in the config file and generate the appropriate IPtables rules for you. Running '/etc/init.d/geoip stop' will delete the rules for you.

To check if the rules are active, in the command line you'd use 'iptables -vL | grep geoip' or in GUI you can goto Status --> Firewall.

Couple of tips...
The order in which rules are added to IPtables matters. You'll want to have the GeoIP filter rules at the top of the chain (above the rules for snort). that way traffic gets dropped by the firewall before it even hits the ips.

If you use the geoip service, the rules will likely get wiped every time you restart the firewall. Rules you put in the 'Custom Rules' tab (/etc/snort.user) will get re-added each time you restart the firewall.

If you use the geoip service to create the iptables rules, it will create 2 rules for each country (one to block going to, one to block coming from). This is useful if you want to see granular detail on what's getting blocked by the firewall. The rules that use a comma between countries won't show this level of detail.

If you use the geoip service, you should probably delete (or comment out) the rules in the 'Custom Rules' tab.

Bonus points and lots of praise to anyone who gets the GeoIP WebUI pages working before we do. We tried really hard to get this into SP1 release but it wasn't worth delaying the release for. The WebUI files for this feature can be found here...
/usr/lib/lua/luci/model/cbi/geoip.lua
/usr/lib/lua/luci/controller/geoip/geoip.lua_bad (it should go here... /usr/lib/lua/luci/controller/geoip.lua)

Post by Garrett