lfd:country

Block or allow specific countries through the firewall. All country code options use ISO 3166-1 alpha-2 country codes. See: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

juggernaut --task=lfd:country
Option Value Default Description
--MM_LICENSE_KEY <string> MaxMind requires you to create a free account on their site and to generate a license key to use their GeoLite2 databases. See here for more information.
--CC_SRC <string> 1 The source for where CSF downloads its country databases.
--CC_DENY <string1,string2> Deny whole country CIDR ranges. The CIDR blocks are generated from the MaxMind GeoLite2 Country database, so this option relies entirely on that service being available. (ISO 3166-1 alpha-2 country codes, comma separated)
--CC_DENY_add <string> Add a single entry to CC_DENY.
--CC_DENY_del <string> Remove a single entry from CC_DENY.
--CC_ALLOW <string1,string2> Allow whole country CIDR ranges. Warning: this option allows access through all ports in the firewall. (ISO 3166-1 alpha-2 country codes, comma separated)
--CC_ALLOW_add <string> Add a single entry to CC_ALLOW.
--CC_ALLOW_del <string> Remove a single entry from CC_ALLOW.
--CC_ALLOW_FILTER <string1,string2> Only allow access from the following countries but still filter based on the port and packets rules. All other connections are dropped. (ISO 3166-1 alpha-2 country codes, comma separated)
--CC_ALLOW_FILTER_add <string> Add a single entry to CC_ALLOW_FILTER.
--CC_ALLOW_FILTER_del <string> Remove a single entry from CC_ALLOW_FILTER.
--CC_IGNORE <string1,string2> Prevent the login failure daemon from blocking IP address hits for the following countries. CC_LOOKUPS must be enabled to use this option. (ISO 3166-1 alpha-2 country codes, comma separated)
--CC_IGNORE_add <string> Add a single entry to CC_IGNORE.
--CC_IGNORE_del <string> Remove a single entry from CC_IGNORE.
--CC_MESSENGER_ALLOW <string1,string2> Only a blocked IP that resolves to one of these country codes will be redirected to the MESSENGER service. (ISO 3166-1 alpha-2 country codes, comma separated)
--CC_MESSENGER_ALLOW_add <string> Add a single entry to CC_MESSENGER_ALLOW.
--CC_MESSENGER_ALLOW_del <string> Remove a single entry from CC_MESSENGER_ALLOW.
--CC_MESSENGER_DENY <string1,string2> A blocked IP that resolves to one of these country codes will NOT be redirected to the MESSENGER service. (ISO 3166-1 alpha-2 country codes, comma separated)
--CC_MESSENGER_DENY_add <string> Add a single entry to CC_MESSENGER_DENY.
--CC_MESSENGER_DENY_del <string> Remove a single entry from CC_MESSENGER_DENY.
--CC_DROP_CIDR <string> Ignore CIDR blocks smaller than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can help reduce the number of CC entries and may improve iptables throughput. This will deny/allow fewer IP addresses depending on how small you configure the option. Set to None to block all CC IP addresses.
--CC_LOOKUPS <0-4> 1 Display Country Code and Country for reported IP addresses.
--CC6_LOOKUPS <1|0> 1 Display Country Code and Country for reported IPv6 addresses using the MaxMind Country IPv6 Database. This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and PORTFLOOD.
--CC_INTERVAL <1-31> 14 How often the login failure daemon will retrieve the MaxMind GeoLite Country database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in days).
--CC_ALLOW_PORTS <string1,string2> Allow access from the following countries to specific ports listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP. (ISO 3166-1 alpha-2 country codes, comma separated)
--CC_ALLOW_PORTS_add <string> Add a single entry to CC_ALLOW_PORTS.
--CC_ALLOW_PORTS_del <string> Remove a single entry from CC_ALLOW_PORTS.
--CC_ALLOW_PORTS_TCP <digit1,digit2> Allow access to the following TCP ports from the CC_ALLOW_PORTS countries. All listed ports should be removed from TCP_IN to block access from elsewhere.
--CC_ALLOW_PORTS_TCP_add <string> Add a single entry to CC_ALLOW_PORTS_TCP.
--CC_ALLOW_PORTS_TCP_del <string> Remove a single entry from CC_ALLOW_PORTS_TCP.
--CC_ALLOW_PORTS_UDP <digit1,digit2> Allow access to the following UDP ports from the CC_ALLOW_PORTS countries. All listed ports should be removed from UDP_IN to block access from elsewhere.
--CC_ALLOW_PORTS_UDP_add <digit> Add a single entry to CC_ALLOW_PORTS_UDP.
--CC_ALLOW_PORTS_UDP_del <digit> Remove a single entry from CC_ALLOW_PORTS_UDP.
--CC_DENY_PORTS <string1,string2> Deny access from the following countries to specific ports listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP. (ISO 3166-1 alpha-2 country codes, comma separated)
--CC_DENY_PORTS_add <string> Add a single entry to CC_DENY_PORTS.
--CC_DENY_PORTS_del <string> Remove a single entry from CC_DENY_PORTS.
--CC_DENY_PORTS_TCP <digit1,digit2> Deny access to the following TCP ports from the CC_DENY_PORTS countries. All listed ports should NOT be removed from TCP_IN.
--CC_DENY_PORTS_TCP_add <digit> Add a single entry to CC_DENY_PORTS_TCP.
--CC_DENY_PORTS_TCP_del <digit> Remove a single entry from CC_DENY_PORTS_TCP.
--CC_DENY_PORTS_UDP <digit1,digit2> Deny access to the following UDP ports from the CC_DENY_PORTS countries. All listed ports should NOT be removed from UDP_IN.
--CC_DENY_PORTS_UDP_add <digit> Add a single entry to CC_DENY_PORTS_UDP.
--CC_DENY_PORTS_UDP_del <digit> Remove a single entry from CC_DENY_PORTS_UDP.
--default <yes> Reset all settings to their default values.
--default_option <option> Reset a specific setting to its default value.
--restart <yes> Restart the service after saving settings.

Examples

# add Russia and Bulgaria to CC_DENY
juggernaut --task=lfd:country --CC_DENY=RU,BG --restart=yes

# enable IPv6 country code lookups
juggernaut --task=lfd:country --CC6_LOOKUPS=1 --restart=yes

# reset CC6_LOOKUPS back to default
juggernaut --task=lfd:country --default_option=CC6_LOOKUPS --restart=yes

# reset all settings back to default
juggernaut --task=lfd:country --default=yes --restart=yes
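
The CC_DROP_CIDR trade-off described above (fewer firewall entries versus fewer addresses covered), worked through as an added example that is not part of the Juggernaut documentation. It assumes "smaller than this value" means a prefix length numerically greater than the setting (for example, a value of 24 skips /25 through /32); the function name and the sample CIDR list are constructed for illustration.

```python
import ipaddress

# Constructed sample standing in for one country's CIDR list. These are
# private and documentation ranges, not real GeoLite2 data.
SAMPLE_CIDRS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24",
    "203.0.113.0/25", "203.0.113.128/26", "192.0.2.8/29", "192.0.2.200/32",
]


def _address_count(networks):
    """Count distinct addresses, merging overlapping or adjacent blocks."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))


def drop_cidr_effect(cidrs, cc_drop_cidr=None):
    """Estimate what a CC_DROP_CIDR value does to one country's rule set.

    cc_drop_cidr=None models the "None" setting (every block is used).
    Assumption: a block is skipped when its prefix length is greater than
    cc_drop_cidr, i.e. it holds fewer addresses than a /<cc_drop_cidr>.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    if cc_drop_cidr is None:
        kept = nets
    else:
        kept = [n for n in nets if n.prefixlen <= cc_drop_cidr]
    total = _address_count(nets)
    covered = _address_count(kept)
    return {
        "rules_kept": len(kept),
        "rules_skipped": len(nets) - len(kept),
        "addresses_covered": covered,
        # Under CC_DENY these addresses are no longer denied; under
        # CC_ALLOW or CC_ALLOW_FILTER they are no longer allowed.
        "addresses_uncovered": total - covered,
    }


if __name__ == "__main__":
    for value in (None, 24, 16):
        print(value, drop_cidr_effect(SAMPLE_CIDRS, value))
```

Run it against the real CIDR list for a country before choosing a value: the skipped blocks are usually a tiny share of the address space, but they are exactly the addresses a CC_DENY rule stops covering.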