Troubleshooting GeoIP-Shell Whitelisting Issue

[cosmiccoder01]

Hi,
First of all, thank you for creating such an amazing tool! GeoIP-Shell has been incredibly helpful for someone like me who is still learning about networking.

I’ve successfully installed GeoIP-Shell (installation details below), but I’ve run into an issue that I’m hoping you can help with.

I have a server running on TrueNAS Scale with services managed by Saltbox. After setting up GeoIP-Shell in whitelist mode (allowing only traffic from the Netherlands), I’m unable to access services hosted on my server from my public IP.

If I disable GeoIP-Shell, everything works fine — which makes me suspect that GeoIP-Shell is somehow blocking the connection. I’ve also tried explicitly whitelisting my public IP using the configure option, but that didn’t seem to resolve the issue.

Even in geoip-shell status -v, I see the blocked connections (text below). The internal IP where the service are hosted is 192.168.1.91

Could anyone please advise on how to debug this or let me know if I might be missing something in the configuration?

Checking files... Ok.

Your shell 'bash' is supported by geoip-shell but a faster shell 'dash'
is available in this system, using it instead is recommended.
Would you like to use 'dash' with geoip-shell? [y|n] or [a] to abort installation.
y|n|a: y
Checking files... Ok.
install: Cleaning up previous installation (if any)...

Killing any running geoip-shell processes...
Uninstall complete.

Preparing to install geoip-shell...
Creating directories... Ok.
Copying files... Ok.
Creating symlink... Ok.
Setting permissions... Ok.
Install done.

Configure geoip-shell now? [y|n]
y|n: y

Please enter your country code.
It will be used to check if your geoblocking settings may block your own country and warn you if so.
Country code (2 letters)/Enter to skip: nl

Select *inbound* geoblocking mode: [w]hitelist or [b]lacklist or [d]isable, or [a] to abort.
w|b|d|a: w

Please enter country codes to include in inbound geoblocking whitelist.
Country codes (2 letters) or [a] to abort: nl

manage: NOTE: You can set up *outbound* geoblocking later by running 'geoip-shell configure -D outbound -m <whitelist|blacklist>'.

Does this machine have dedicated WAN network interface(s)? [y|n] or [a] to abort.
For example, a router or a virtual private server may have it.
A machine connected to a LAN behind a router is unlikely to have it.
It is important to answer this question correctly.
y|n|a: y

*NOTE*: Geoblocking firewall rules will be applied to specific network interfaces of this machine.
All found network interfaces: veth9c62691 enp5s0 br-438a4982a56b br-590d00951e8c br-7e1bf85cf37f docker0 veth660ec33 veth1a57b9f br-a089fd45b1b1 veth97fb2b6 br-102aaf555e74 vethd11edcd veth93f7d5e vethc1c7a76 vethd08f3f6 vethf50e9c0 vethc941d51 vethdbed336 veth1b4146d veth0e17299 veth5252d8e vethf9820b0 veth11fe45d veth9646a76 veth15a0634 veth7737ca9 veth15a4539 vethe6a1212 vethe9fe6a6 veth628d607 vethf4abe11
Automatically detected WAN interfaces: enp5s0
[c]onfirm, c[h]ange, or [a]bort?
c|h|a: c
Updating the config file... Ok.
Creating directory '/var/lib/geoip-shell'... Ok.

Applying config...

Checking connectivity... Ok.

Checking for IP list updates on the RIPE server...

Fetching the IP list for country 'NL' from RIPE...
############################################################################################################################################################################### 100.0%
Fetch successful.
Parsing the IP list for 'NL_ipv4'... Ok.
Validating 'NL_ipv4'... Ok.
Validated subnets for 'NL_ipv4': 6152.
Parsing the IP list for 'NL_ipv6'... Ok.
Validating 'NL_ipv6'... Ok.
Validated subnets for 'NL_ipv6': 1902.

run: Adding IP lists 'NL_ipv4 NL_ipv6'.

Loading IP lists... Ok.
Assembling nftables commands... Ok.
Applying new firewall rules... Ok.

run: Successfully added IP lists 'NL_ipv4 NL_ipv6'.

Creating backup of geoip-shell IP sets... Ok.
Updating the config file... Ok.
Creating backup of the status file... Ok.
Creating backup of the config file... Ok.
Successfully created backup of geoip-shell state.

Successfully applied config.
Processing cron jobs... Ok.

Successfully configured geoip-shell for firewall backend: nftables.

Final IP lists in inbound whitelist: 'NL_ipv4 NL_ipv6'.

View geoblocking status with 'geoip-shell status' (may require 'sudo').```

-----------------------------------------------------------------------------------------------------------------------

```geoip-shell status:

geoip-shell v0.7.2

Firewall backend: nftables
IP lists source: ripe
Geoblocking rules applied to network interfaces: enp5s0
nftables sets optimization policy: performance
LAN subnets automatic detection: Off

Cron system service: ✔
Update cron job: ✔
Update schedule: '14 4 * * *'
Last successful update: Mar-21-2025 11:52:59
Persistence cron job: ✔
Automatic backup of IP lists: On

inbound geoblocking:
  Mode: whitelist
  Country codes: NL ✔
  IP families: ipv4 ipv6 ✔

  Allowed IPs (includes link-local IPs, trusted IPs, LAN IPs):
  ipv4: 169.254.0.0/16
  ipv6: fe80::/10

  Protocols:
  tcp: Geoblocking all destination ports
  udp: Geoblocking all destination ports

  Geoblocking firewall chain: enabled ✔
  whitelist blocking rule: ✔

  Firewall rules in the GEOIP-SHELL_IN chain:
  ------------------------------------------------------------------------------------------------------------------------------------------------------------
  packets  bytes      ipv  verdict prot dports                  interfaces                       extra
  ------------------------------------------------------------------------------------------------------------------------------------------------------------
  ---      ---        both ACCEPT  all  all                     enp5s0                           ct state established,related comment geoip-shell_aux_est-rel
  ---      ---        ipv4 ACCEPT  all  all                     enp5s0                           saddr @allow_in_4 comment geoip-shell_aux_allow
  ---      ---        ipv6 ACCEPT  all  all                     enp5s0                           saddr @allow_in_6 comment geoip-shell_aux_allow
  0        0B         ipv4 ACCEPT  udp  67,68                   enp5s0                           saddr @dhcp_4 comment geoip-shell_aux_DHCP_4
  0        0B         ipv6 ACCEPT  udp  546,547                 enp5s0                           saddr fc00::/6 comment geoip-shell_aux_DHCP_6
  6        360B       ipv4 ACCEPT  all  all                     enp5s0                           saddr @NL_4_2025-03-20 comment geoip-shell
  0        0B         ipv6 ACCEPT  all  all                     enp5s0                           saddr @NL_6_2025-03-20 comment geoip-shell
  857      216.01KiB  both DROP    all  all                     enp5s0                           comment geoip-shell_inbound_whitelist_block

  IP ranges count in active inbound geoblocking sets:
  NL: ipv4 - 4778, ipv6 - 1893

  Total count of inbound geoblocking IP ranges: 6671

outbound geoblocking:
  Mode: disable

No problems detected.```

[cosmiccoder01]

Looks like I also need to whitelist cloudflares IPs. Is there a way to do this via cli?

[cosmiccoder01]

Got it working. Thank you.

Also, is it possible to add logging to view the denys or accepts in /var/log/messages

[friendly-bits]

Hi, sorry that I'm a bit late to answer. Glad you got it working in the meantime.

Just in case: generally, when you want to specifically allow IP ranges belonging to a certain service, you need to find the IP list with IP ranges for that service. For 2 examples of such IP list, see #26, #33. When you have this IP list, you can select IP ranges specific to your country and compile them into a newline-separated list (I explained how to do this easily in #33). Then you can use the command geoip-shell configure -A <path_to_allowlist_file> in order to import these IP ranges into geoip-shell.

As to logging: currently geoip-shell doesn't have this facility. Implementing logging has been requested before and it's the next thing I'm planning to work on.

And thank you for the kind words.

[cosmiccoder01]

Yea. That is what I did (geoip-shell configure -A <path_to_allowlist_file>).

is there anyway to add it manually. Something like below,

  chain inplog {
    counter packets 0 bytes 0 log prefix "JUSTLOG_inp:" level info
    counter packets 0 bytes 0 accept
  }

  chain fwdlog {
    counter packets 0 bytes 0 log prefix "JUSTLOG_fwd:" level info
    counter packets 0 bytes 0 accept
  }

  chain outlog {
    counter packets 0 bytes 0 log prefix "JUSTLOG_out:" level info
    counter packets 0 bytes 0 accept
  }

  chain inpdeny {
    counter packets 0 bytes 0 log prefix "DROP_inp:" level info
    counter packets 0 bytes 0 drop
  }

  chain fwddeny {
    counter packets 0 bytes 0 log prefix "DROP_fwd:" level info
    counter packets 0 bytes 0 drop
  }

  chain outdeny {
    counter packets 0 bytes 0 log prefix "DROP_out:" level info
    counter packets 0 bytes 0 drop
  }```
  
  and call the tables in the INPUT and OUTPUT

[friendly-bits]

The VM is connected to a TrueNAS-created bridge, which is passed to the VM as enp5s0

If that network interface is used for anything else except communication between the VM and the internet then this can be considered a LAN interface. That said, the way geoip-shell is configured right now seems like the optimal configuration, i.e. geoblocking only on that interface and creating rules to allow traffic from any of the LAN segments.

After disabling this, I don't see the issue again.

Glad that you figured this out.

[cosmiccoder01]

Thank you. I have left it like that.

Is there a roadmap for what are the features that can come-up next and timeline?

[friendly-bits]

This is an open-source project which I'm working on in my free time. So there are no guarantees. Also logging is a complex thing to implement because it has performance implications. So currently - no timeline. I am planning to implement this feature though.

[cosmiccoder01]

Hi, I see this command to add/remove IP addresses. Adding I did understand it, but the removal part, I couldn't figure it out.

geoip-shell configure [-A|-B] <"[path_to_file]"|remove>

Lets say if I want to remove bunch of IPs from the blocking list, how can I achieve that?

[friendly-bits]

The remove directive, as currently implemented, is not very comprehensive. It just deletes any previously imported ip lists of given type (allow or block) and removes the respective ipsets and firewall rules. If you feel like more fine-grained control is needed, I could consider implementing it.

In the meantime, if you want to remove specific ip's, the local ip lists are stored in the directory /var/lib/geoip-shell/local_iplists. These files are in general not intended to be manually edited but technically you can edit them, they just store new-line separated lists of ip addresses. I wouldn't recommend to add new addresses manually because the addresses need to be classified by type (net or ip) and by family (ipv4 or ipv6). geoip-shell handles all this automatically, and it validates and deduplicates the lists. So in short, better to use the command-line interface if you want to add ip's.
(you need sudo privileges to open or edit these files)

Edit: after manually editing the files, use following command to update the ipsets:
geoip-shell-run.sh update -f. I think this should do it, although I'm not entirely sure (I can't recall if the ipsets for local ip lists are reloaded with this command or not. I'll need to review the code handling this).