Installation Guide
Depending on your file system permissions, you will likely have to execute some of the commands below with sudo or similar to avoid permission errors. You can use sudo -s in a terminal to keep from having to type sudo before every command, then type 'exit' to return to your normal user command prompt when you're finished with the installation. Always exercise caution when running with elevated privileges.
Begin the installation by checking to see that you have all program dependencies installed. See the Dependencies section of the README.md file and verify that each of the required programs is installed on your system. You can use the 'which' command to verify that each program is installed. For example, you can verify that nftables is installed with:
which nft
If a blank line is returned by the above command then you'll have to install the missing program.
Once all dependencies have been installed, create a directory on your system for the Geolocation for nftables project files. The default location is /etc/nftables/geo-nft. It's recommend to use the default location, but if you do change this then avoid using pathnames with spaces, links or special characters. Create the default directory with:
mkdir -p /etc/nftables/geo-nft
There are two ways to copy the Geolocation for nftables files to your local machine. The first is to clone the project with Git. Change directory to the /etc/nftables directory and clone the project.
cd /etc/nftables
git clone https://github.com/wirefalls/geo-nft.git
Git will clone the files into the geo-nft subdirectory /etc/nftables/geo-nft.
The second way to copy the files is to download the ZIP file from the main project page and uncompress the archive to: /etc/nftables/geo-nft
When you've finished copying the files it's time to set ownership. This command sets ownership of all geolocation files and sub-directories to root.
chown -R root:root /etc/nftables/geo-nft
Next set the script to be executable by root.
chmod 744 /etc/nftables/geo-nft/geo-nft.sh
It's important to change directory to the geolocation base directory before running the script for the first time. This allows the present working directory to be used as the base_dir when the script creates the /etc/geo-nft.conf configuration file.
cd /etc/nftables/geo-nft
Run the geo-nft.sh script to create and populate the countrysets directory as well as the default configuration files:
./geo-nft.sh
The geo-nft.sh script takes about 11 seconds to run on a system with SSD storage, and will create country specific sets in /etc/nftables/geo-nft/countrysets. On a Raspberry Pi 4, the script run time is about 90 seconds, so be patient. The script runs with a verbose output explaining each step, and can be silenced by supplying the -s command line argument.
The free db-ip.com geolocation database is usually updated on the 1st of each month, according to the FAQ. The included systemd geo-update.service and geo-update.timer files located in /etc/nftables/geo-nft/systemd directory can be used to automatically run the geo-nft.sh script at midnight on the second day of each month if desired. You can edit the file geo-update.timer as needed to run on a different day or at a different time. If your computer is turned off during the scheduled update time then systemd will run the geo-nft.sh scrip during the next system boot. Since the filename of the db-ip.com database includes the current date, your system time must be accurate to determine the correct filename to download.
To set up automatic database updates first add a soft link to the geo-nft.sh script in /usr/sbin.
ln -sf /etc/nftables/geo-nft/geo-nft.sh /usr/sbin/geo-nft
Next, add soft links to the systemd timer and service files.
ln -sf /etc/nftables/geo-nft/systemd/geo-update.timer /etc/systemd/system/geo-update.timer
ln -sf /etc/nftables/geo-nft/systemd/geo-update.service /etc/systemd/system/geo-update.service
Then enable the timer to run at boot time, and start it. This will automatically create a soft link to the timer file in the appropriate system directory.
systemctl enable --now geo-update.timer
List the systemd timers on your system to verify the geo-update.timer is loaded.
systemctl -t timer
You can list the timer's previous and next run times with this command:
systemctl list-timers --all
The next run time for the timer may not be exactly at midnight since the geo-update.timer file has a random 0-300 second delay to allow time for other programs to run that are also scheduled at midnight.
You can get additional information about the geo-update.timer with:
systemctl show geo-update.timer
As mentioned, if your system is turned off when the geolocation database is due to be automatically updated then systemd will run the geo-nft.sh script during the next system startup. To do this successfully, systemd needs to wait until the network is up and running before it runs the geo-nft.sh script to download the new database. This requires the correct network wait service to be enabled. You can check to see if either of the two common wait services are enabled (usually only one should be) with:
systemctl is-enabled systemd-networkd-wait-online.service NetworkManager-wait-online.service
If one of the two network services (or both) are enabled, then you don't need to change the wait service settings. If both are disabled (or one of the service files doesn't exist), then the correct wait service needs to be enabled.
If systemd-networkd is used to configure your network, start and enable the wait service:
systemctl enable --now systemd-networkd-wait-online.service
If NetworkManager is used to configure your network, start and enable the wait service:
systemctl enable --now NetworkManager-wait-online.service
See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ for additional information. One thing to consider here is that enabling the network wait service can extend boot times if your network is unavailable. The default network timeout is typically set to 120 seconds.
The final installation step is to enable the service that delays the start of geo-update.service on boot until the system time has been synchronized with an accurate time source by systemd-timesyncd.service.
systemctl enable --now systemd-time-wait-sync.service
At this point the basic installation is complete and you can refer to the User Guide for setting up your ruleset. If you like Geolocation for nftables please consider giving the project a Star at the top of the main project page, as this allows people to find us easier here on GitHub.
If you're running SELinux then you may need to generate a local policy module to give permissions to the /etc/nftables/geo-nft/geo-nft.sh script so that it can create and write to necessary files for operation. Instructions for doing this are beyond the scope of this document, but you should be able to find that information online.
When new versions of Geolocation for nftables are released you can update your installation automatically with Git. This is the easiest way to update the geo-ntf.sh script without overwriting any customized configuration files or scripts that you may have. First, back up your current /etc/nftables/geo-nft directory.
cp -r /etc/nftables/geo-nft /etc/nftables/geo-nft.bak
Change directory to the /etc/nftables/geo-nft directory.
cd /etc/nftables/geo-nft
Fetch the latest files without overwriting or updating any of your local files.
git fetch origin
Check the status of your local files.
git status
If "git status" shows that your branch is behind 'origin/main' by x number of commits, then you can update your local files to the latest version with:
git pull
Your local files should now be updated. You can run the geo-nft.sh script to verify the new Geolocation for nftables version number.
sudo geo-nft
The following instructions explain how to uninstall the program.
Begin by remove the soft link to the geo-nft.sh script in /usr/sbin
sudo rm /usr/sbin/geo-nft
Stop the geo-update.timer
sudo systemctl stop geo-update.timer
Disable the geo-update.timer
sudo systemctl disable geo-update.timer
List all systemd timers to verify the geo-update.timer has been removed.
sudo systemctl list-timers --all
Next, stop the geo-update.service
sudo systemctl stop geo-update.service
Disable the geo-update.service
sudo systemctl disable geo-update.service
Back up any customized files that you created in the /etc/nftables/geo-nft directory (such as refill-sets.nft) to a safe place.
Remove the /etc/nftables/geo-nft directory and it's contents.
sudo rm -R /etc/nftables/geo-nft
Remove the /etc/geo-nft.conf file.
sudo rm -f /etc/geo-nft.conf
Remove the /var/log/geo-nft-error.log file if it exists.
sudo rm -f /var/log/geo-nft-error.log
The uninstall is complete.
Geolocation for nftables documentation is licensed under the GNU GPLv2 (or at your option, any later version).