How to implement firewall blocking of IPs based on country of origin

Can someone please suggest an easy way to block IPs from Russia, China, etc.? Or is that something that is planned for TOS 4? Thanks, jose

It is possible to use the GeoIP module for netfilter/iptables (iptables-mod-geoip), see https://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html for some examples. But it may lead to unpredictable results because the current IPv4 address shortage is in some cases solved by address block leasing (one subject temporarily leases one or more IPv4 address blocks to another subject). The leased addresses may be left assigned to their “owner” but another subject (maybe from another country!) uses them.

2 Likes
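One way to gauge the misclassification risk described above before dropping anything, as an added example that is not part of the thread: replay logged source addresses against the GeoIP table and count what a country block would drop. The country table, the country codes AA/BB/CC and the log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed country table using documentation ranges (RFC 5737); a real
# deployment would load the GeoIP database its firewall module uses.
GEO_TABLE = [
    ("192.0.2.0/24", "AA"),
    ("198.51.100.0/24", "BB"),
    ("198.51.100.128/25", "CC"),   # more specific entry inside BB's block
    ("203.0.113.0/24", "CC"),
]

# Constructed log lines in the style of the iptables LOG target.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=22
kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=443
kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=10.0.0.1 PROTO=TCP SPT=40002 DPT=443
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.1 PROTO=UDP SPT=40003 DPT=53
kernel: IN=eth0 OUT= SRC=10.9.9.9 DST=10.0.0.1 PROTO=TCP SPT=40004 DPT=80
"""

NETS = sorted(((ipaddress.ip_network(c), cc) for c, cc in GEO_TABLE),
              key=lambda e: e[0].prefixlen, reverse=True)
SRC_RE = re.compile(r"\bSRC=(\S+)")
DPT_RE = re.compile(r"\bDPT=(\d+)")

def country_of(ip):
    """Longest-prefix match; None when the address is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in NETS:
        if addr in net:
            return cc
    return None

def dry_run(log_text, blocked):
    """Count, per (country, destination port), packets a block would drop."""
    hits = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        cc = country_of(m.group(1)) if m else None
        if cc in blocked:
            dpt = DPT_RE.search(line)
            hits[(cc, int(dpt.group(1)) if dpt else 0)] += 1
    return hits

if __name__ == "__main__":
    for (cc, port), n in sorted(dry_run(SAMPLE_LOG, {"AA", "CC"}).items()):
        print(f"{cc} dport={port}: {n} packet(s) would be dropped")
```

Reviewing the per-port counts against services you expect legitimate users to reach shows how much collateral a country rule would cause before it is enforced.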

Thank you, that’s a good point. What would you suggest then? I read an article on a dynamic firewall fed by the data from the Turris project at https://www.root.cz/clanky/nasadte-dynamicky-firewall-pouzivajici-data-z-projektu-turris/ but there was no information on how to make it work with TO itself.

if your time is worth anything, it is more expensive to implement this than to circumvent it.
not to mention the time to debug a deviation of the solution’s definition of ‘the bad guys’ and yours.
just don’t.

1 Like

Installation via Foris is not yet finished. When you check Data collection on the Updater page, only the dynamic firewall is installed (which receives dynamic firewall rules and applies them to the kernel firewall in Turris OS), without data collection.

Currently, the only way to install data collection is the command line:

opkg update
opkg install sentinel-nikola sentinel-minipot

These commands install the current versions of the packages for Sentinel data collection. One additional package (sentinel-proxy) is installed automatically by dependency.