This project downloads and extracts the GeoLite2-Country database (in .mmdb format), parses all country-related IP prefixes, and generates nftables-compatible configuration files:
- `geoip_ipv4.nft` — IPv4 address sets by country
- `geoip_ipv6.nft` — IPv6 address sets by country

`go run main.go`:

- Downloads the latest `.mmdb` from GitSquared/node-geolite2-redist
- Parses both IPv4 and IPv6 ranges by country
- Generates:
  - `geoip_ipv4.nft` — all IPv4 prefixes grouped by country
  - `geoip_ipv6.nft` — all IPv6 prefixes grouped by country
  - `by_country/` — individual `.nft` files per country, e.g. `by_country/US/US_ipv4.nft` and `by_country/US/US_ipv6.nft`
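The generation step in a reduced form, as an added example rather than the project's `main.go`: it takes prefixes already grouped by country (a constructed sample map stands in for what the `.mmdb` parse would produce), validates each one with `net/netip`, splits them by address family and renders one nftables file per family with a set named after the country code inside `table inet geoip`, which is the shape the `@US` rules below rely on. The set layout (`flags interval`, one set per country) and the function name `nftSets` are assumptions of this example, not confirmed details of the project's output.

```go
package main

import (
	"fmt"
	"net/netip"
	"os"
	"sort"
	"strings"
)

// countryPrefixes maps an ISO country code to the CIDR prefixes attributed
// to it. These values are constructed sample data for this example (RFC 5737
// and RFC 3849 documentation ranges), not real GeoLite2 entries.
var countryPrefixes = map[string][]string{
	"US": {"203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"},
	"DE": {"192.0.2.0/24", "2001:db8:2::/48"},
}

// nftSets renders one nftables file for a single address family. Every
// country becomes a named set inside "table inet geoip" with the interval
// flag, so CIDR ranges match as ranges. Prefixes of the other family are
// skipped; a prefix that does not parse is reported as an error rather than
// silently dropped, because a corrupt database should fail the run.
func nftSets(prefixes map[string][]string, wantV6 bool) (string, error) {
	family := "ipv4_addr"
	if wantV6 {
		family = "ipv6_addr"
	}
	codes := make([]string, 0, len(prefixes))
	for code := range prefixes {
		codes = append(codes, code)
	}
	sort.Strings(codes) // deterministic output so diffs between runs are meaningful

	var b strings.Builder
	b.WriteString("table inet geoip {\n")
	for _, code := range codes {
		var elems []string
		for _, raw := range prefixes[code] {
			p, err := netip.ParsePrefix(raw)
			if err != nil {
				return "", fmt.Errorf("country %s: bad prefix %q: %w", code, raw, err)
			}
			if p.Addr().Is6() != wantV6 {
				continue
			}
			// Masked() clears host bits so nft does not reject the element.
			elems = append(elems, p.Masked().String())
		}
		if len(elems) == 0 {
			continue // no set for a country with no prefixes in this family
		}
		sort.Strings(elems)
		fmt.Fprintf(&b, "\tset %s {\n\t\ttype %s\n\t\tflags interval\n\t\telements = { %s }\n\t}\n",
			code, family, strings.Join(elems, ", "))
	}
	b.WriteString("}\n")
	return b.String(), nil
}

func main() {
	files := []struct {
		name string
		v6   bool
	}{{"geoip_ipv4.nft", false}, {"geoip_ipv6.nft", true}}
	for _, f := range files {
		out, err := nftSets(countryPrefixes, f.v6)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		if err := os.WriteFile(f.name, []byte(out), 0o644); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
}
```

Running it writes `geoip_ipv4.nft` and `geoip_ipv6.nft` into the current directory; the IPv4 file, for instance, contains `set US { type ipv4_addr ... elements = { 198.51.100.0/25, 203.0.113.0/24 } }`, which `nft -f` loads into the `inet geoip` table and which the `ip saddr @US` rules then match against.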
You can use the sets to filter traffic using nftables.
Block incoming traffic from US:
```sh
nft add table inet geoip
nft -f geoip_ipv4.nft
nft -f geoip_ipv6.nft
nft add chain inet geoip input { type filter hook input priority 0 \; }
nft add rule inet geoip input ip saddr @US drop
nft add rule inet geoip input ip6 saddr @US drop
```
Block outgoing traffic to US:
```sh
nft add chain inet geoip output { type filter hook output priority 0 \; }
nft add rule inet geoip output ip daddr @US drop
nft add rule inet geoip output ip6 daddr @US drop
```
Example: Route all traffic from US IPs via the `pppoe-pppoe` interface using fwmark and policy routing:

```sh
nft add table inet geoip
nft -f geoip_ipv4.nft
nft add chain inet geoip prerouting { type filter hook prerouting priority 0 \; }
nft add rule inet geoip prerouting ip saddr @US meta mark set 0x1
```

Edit `/etc/iproute2/rt_tables` and add:

```
100 rt_us
```

Then create the route and the rule that selects it by mark:

```sh
ip route add default dev pppoe-pppoe table rt_us
ip rule add fwmark 0x1 table rt_us
```

This project includes a GitHub Actions workflow that:
- Runs every two weeks (cron: `1 0 * * 0/2`)
- Executes `go run main.go`
- Publishes updated `.nft` files to the `latest` release on GitHub
This project uses the GeoLite2 database from MaxMind, distributed under their license. You must agree to their terms before using this data.