Installation Guide
Depending on your file system permissions, you will likely have to execute some of the commands below with sudo or similar to avoid permission errors. You can use sudo -s in a terminal to keep from having to type sudo before every command, then type 'exit' to return to your normal user command prompt when you're finished with the installation. Always exercise caution when running with elevated privileges.
See the Notes section near the end of the User Guide for details on the variable and file naming convention used for GeoIP sets.
Create a directory on your system for the GeoIP for nftables project files. The default location is /etc/nftables/geoip
mkdir -p /etc/nftables/geoip
There are two ways to copy the GeoIP for nftables files to your local machine. The first is to clone the project with Git. Change directory to the /etc/nftables directory and clone the project.
cd /etc/nftables
git clone https://github.com/wirefalls/geoip.git
Git will clone the files into the geoip subdirectory /etc/nftables/geoip.
The second way to copy the files is to download the ZIP file from the main project page and uncompress the archive to: /etc/nftables/geoip
When you've finished copying the files it's time to set ownership. This command sets ownership of all GeoIP files and sub-directories to root.
chown -R root:root /etc/nftables/geoip
Next verify that the geoip-nft.sh script is executable.
ls -la /etc/nftables/geoip
If not then set the script to be executable.
chmod +x /etc/nftables/geoip/geoip-nft.sh
It's important to change directory to the GeoIP base directory before running the script for the first time. This allows the present working directory to be used as the base_dir when the script creates the /etc/geoip.conf configuration file.
cd /etc/nftables/geoip
Run the geoip-nft.sh script to create and populate the countrysets directory as well as creating the configuration file:
./geoip-nft.sh
The geoip-nft.sh script takes about 10 seconds to run on a system with SSD storage, and will create country specific sets in /etc/nftables/geoip/countrysets. On a Raspberry Pi 4, the script run time is about 80 seconds, so be patient. The script runs with a verbose output explaining each step, and can be silenced by supplying the -s command line argument.
The free db-ip.com geoip database is usually updated on the 1st of each month, according to the FAQ. The included systemd geoip-update.service and geoip-update.timer files located in /etc/nftables/geoip/systemd directory can be used to automatically run the geoip-nft.sh script at midnight on the second day of each month if desired. You can edit the file geoip-update.timer as needed to run on a different day or at a different time. If your computer is turned off during the scheduled update time then systemd will run the geoip-nft.sh scrip during the next system boot. Since the filename of the db-ip.com database includes the current date, your system time must be accurate to determine the correct filename to download.
To set up automatic database updates first add a soft link to the geoip-nft.sh script in /usr/sbin.
ln -sf /etc/nftables/geoip/geoip-nft.sh /usr/sbin/geoip-nft
Next, add soft links to the systemd timer and service files.
ln -sf /etc/nftables/geoip/systemd/geoip-update.timer /etc/systemd/system/geoip-update.timer
ln -sf /etc/nftables/geoip/systemd/geoip-update.service /etc/systemd/system/geoip-update.service
Then enable the timer to run at boot time, and start it. This will automatically create a soft link to the timer file in /etc/systemd/system/timers.target.wants/geoip-update.timer
systemctl enable --now geoip-update.timer
List the systemd timers on your system to verify the geoip-update.timer is running.
systemctl -t timer
You can list the timer's previous and next run times with this command:
systemctl list-timers --all
The next run time for the timer may not be exactly at midnight since the geoip-update.timer file has a random 0-300 second delay to allow time for other programs to run that are also scheduled at midnight.
As mentioned, if your system is turned off when the GeoIP database is due to be automatically updated then systemd will run the geoip-nft.sh script during the next system startup. To do this successfully, systemd needs to wait until the network is up and running before it runs the geoip-nft.sh script to download the new database. This requires the correct network wait service to be enabled. You can check to see if either of the two common wait services are enabled (usually only one should be) with:
systemctl is-enabled systemd-networkd-wait-online.service NetworkManager-wait-online.service
If one of the two network services (or both) are enabled, then you don't need to change the wait service settings. If both are disabled (or one of the service files doesn't exist), then the correct wait service needs to be enabled.
If systemd-networkd is used to configure your network, start and enable the wait service:
systemctl enable --now systemd-networkd-wait-online.service
If NetworkManager is used to configure your network, start and enable the wait service:
systemctl enable --now NetworkManager-wait-online.service
See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ for additional information. One thing to consider here is that enabling the network wait service can extend boot times if your network is unavailable. The default network timeout is typically set to 120 seconds.
The final installation step is to enable the service that delays the start of geoip-update.service on boot until the system time has been synchronized with an accurate time source by systemd-timesyncd.service.
systemctl enable --now systemd-time-wait-sync.service
At this point the basic installation is complete and you can refer to the User Guide for setting up your ruleset.
If you're running SELinux then you'll need to generate a local policy module to give permissions to the /etc/nftables/geoip/geoip-nft.sh script so that it can create and write to necessary files for operation. Instructions for doing this are beyond the scope of this document, but you should be able to find that information online.
When new versions of GeoIP for nftables are released you can update your installation automatically with Git. This is the easiest way to update the geoip-ntf.sh script without overwriting any customized configuration files or scripts that you may have. First, back up your current /etc/nftables/geoip directory.
cp -r /etc/nftables/geoip /etc/nftables/geoip.bak
Change directory to the /etc/nftables/geoip directory.
cd /etc/nftables/geoip
Fetch the latest files without overwriting or updating any of your local files.
git fetch origin
Check the status of your local files.
git status
If "git status" shows that your branch is behind 'origin/main' by x number of commits, then you can update your local files to the latest version with:
git merge origin/main
Your local files should now be updated. You can run the geoip-nft.sh script to verify the new GeoIP for nftables version number.
sudo geoip-nft
GeoIP for nftables documentation is licensed under the GNU GPLv2 (or at your option, any later version).