Fail2ban/iptables - Allow selected countries only

  • Posted December 13, 2014


On Ubuntu, is it possible to add location-based rules to Fail2ban and/or iptables? I’d like to block all SSH, SMTP, IMAP, etc. connection attempts except those incoming from selected countries.

For example, I know the countries where the few people I need to allow SSH for are located.




Here is a great walkthrough of some simple SSH security:

In your case, of note is the TCP Wrapper section:

From what I have read you can just set hosts.deny to:


and then add the IPs of the users you want to allow…

I would be keen to hear other ideas on this as well.

Hello there,

You can also use CSF (ConfigServer Security & Firewall) to block selected countries. If you’re not familiar with CSF or you want to install it on a CentOS or Ubuntu droplet, check out this mini tutorial:

For CentOS:

For Ubuntu:

You can also use third-party providers like CloudFlare that provide firewall features that allow blocking single IP addresses or whole IP ranges.

Just enter an IP address, an IP range, or a two-letter country code you wish to block. You can check more here:

Hope that this helps!
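
For the iptables route the question asks about, here is an added example (not from this thread or from any project named in it) that generates a country allow-list using ipset. The set name `allow_cc`, the zone codes `aa`/`bb` and the CIDR data are constructed placeholders; real per-country lists are assumed to arrive as one CIDR per line.

```shell
#!/bin/sh
# Added example: generate an ipset + iptables country allow-list.
# sample_zone() is constructed data (RFC 5737 documentation ranges under
# made-up codes "aa"/"bb"); real per-country CIDR lists come from a GeoIP
# or RIR-derived source you trust, one CIDR per line.
sample_zone() {
  case "$1" in
    aa) printf '%s\n' '# zone aa' '192.0.2.0/24' '' '198.51.100.0/24' ;;
    bb) printf '%s\n' '203.0.113.0/24' '192.0.2.0/24' 'not-a-cidr' '300.1.1.0/24' ;;
  esac
}

# Pass through only well-formed IPv4 CIDRs (octets <= 255, prefix <= 32),
# so comments, blanks and junk never reach the firewall.
valid_cidrs() {
  awk -F'[./]' '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ &&
    $1<=255 && $2<=255 && $3<=255 && $4<=255 && $5<=32'
}

# Emit `ipset restore` input: one hash:net set with every allowed network.
build_ipset() {  # usage: build_ipset SETNAME CC...
  name="$1"; shift
  printf '%s\n' "create $name hash:net family inet"
  for cc in "$@"; do sample_zone "$cc"; done |
    valid_cidrs | sort -u | sed "s/^/add $name /"
}

# Emit iptables arguments, one rule per line: keep established flows,
# accept the given TCP ports from the set, drop them from everyone else.
build_rules() {  # usage: build_rules SETNAME PORT[,PORT...]
  printf '%s\n' "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "-A INPUT -p tcp -m multiport --dports $2 -m set --match-set $1 src -j ACCEPT"
  printf '%s\n' "-A INPUT -p tcp -m multiport --dports $2 -j DROP"
}

# Print both for review; nothing here touches the live firewall.
build_ipset allow_cc aa bb        # pipe into: ipset restore
build_rules allow_cc 22,25,143    # SSH, SMTP, IMAP from the question
```

The set is `family inet` only, so IPv6 needs a parallel `family inet6` set and ip6tables rules, otherwise the same ports stay reachable over IPv6. Load the set before the rules, and keep an existing SSH session open while testing.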