UniFi Gateway GeoIP
General Country Restriction
Older versions: Security > Country Restriction

Newer versions: CyberSecure > Region Blocking

The geo map shows traffic by region.

DPI is not required for GeoIP to function, but clearing the DPI history will also clear GeoIP history.
The UniFi Gateway uses a GeoIP database in binary (.mmdb) format, which is optimised for fast lookups at scale. The database is provided by MaxMind.
/usr/share/dpi/geoip/GeoLite2-Country.mmdb
The database contains IPv4 or IPv6 network blocks in CIDR format, along with a unique identifier for the network's location, as specified by GeoNames.
In/Out GeoIP policies are created. They allow private IP ranges, IP addresses of configured UniFi networks, the WAN IP of the gateway, and established connections, then use the geoip module to drop matched traffic.
These policies do not apply to locally generated packets from the gateway.
iptables -t filter -v -L -n
Chain UBIOS_OUT_GEOIP (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0
0 0 RETURN all -- * * 0.0.0.0/0 255.255.255.255
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 100.64.0.0/10
0 0 RETURN all -- * * 0.0.0.0/0 169.254.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 10.6.0.0/24
0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 195.1.1.1
711 217K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --destination-country AF
87 24641 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

You can also create country-related firewall rules; these just add the block rule and do not allow established connections.
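
An added example (not from the original page or from Ubiquiti): a small Python audit of an iptables -v -L -n listing that reports which countries a chain drops and whether established connections and local ranges are exempted ahead of the geoip DROP, which is the difference between the GeoIP policy chain and a plain country rule described above. The first sample is abridged from the listing on this page; the chain name EXAMPLE_COUNTRY_RULE, its counters and the function names are constructed for illustration.

```python
import re

# Constructed sample: an abridged copy of the UBIOS_OUT_GEOIP listing on this page.
POLICY_CHAIN = """\
Chain UBIOS_OUT_GEOIP (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
711 217K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --destination-country AF
87 24641 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Constructed sample: a hypothetical chain that holds only the block rule.
BLOCK_ONLY_CHAIN = """\
Chain EXAMPLE_COUNTRY_RULE (1 references)
pkts bytes target prot opt in out source destination
12 720 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --destination-country AF
"""

COUNTRY = re.compile(r"--(?:source|destination)-country\s+(\S+)")

def parse_rules(listing):
    """Turn rule lines into dicts, skipping the chain and column headers."""
    rules = []
    for line in listing.splitlines():
        p = line.split()
        if len(p) >= 9 and p[0][0].isdigit():
            rules.append({"pkts": p[0], "target": p[2], "dst": p[8],
                          "match": " ".join(p[9:])})
    return rules

def audit_geoip_chain(listing):
    """Report what the chain drops and what it exempts before the first DROP."""
    rules = parse_rules(listing)
    drops = [r for r in rules if r["target"] == "DROP" and "geoip" in r["match"]]
    first = rules.index(drops[0]) if drops else len(rules)
    exempt = [r for r in rules[:first] if r["target"] == "RETURN"]
    # Assumption: one rule may list several comma-separated country codes.
    codes = [c for r in drops for g in COUNTRY.findall(r["match"]) for c in g.split(",")]
    return {
        "blocked_countries": sorted(set(codes)),
        "established_exempt": any("ESTABLISHED" in r["match"] for r in exempt),
        "exempt_destinations": [r["dst"] for r in exempt if not r["match"]],
        "drop_pkts": [r["pkts"] for r in drops],
    }

print(audit_geoip_chain(POLICY_CHAIN))
print(audit_geoip_chain(BLOCK_ONLY_CHAIN))
```

A chain that reports established_exempt as False will also drop reply traffic for sessions that were already open when the rule was added.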