Hi there @OIITCONZ
I'll answer your first question first.
geoip-shell doesn't specifically block any ports by default. So probably ICMP not working is unrelated. You can check if geoip-shell has anything to do with it by issuing this command: geoip-shell off and checking if ping is working now. This disables geoip-shell completely. To re-enable later, use geoip-shell on.

As to your second question, I'm not sure what you mean by "forward a set of ports or forward everything" but it sounds like you want to set up a tunnel. geoip-shell doesn't do tunnels but there is plenty of software for this. geoip-shell will not interfere with that software, unless for some reason that software needs to receive traffic from blocked countries. What geoip-shell does is it fetches a list of ip subnets which belong to certain country or countries (in your case NZ), creates an ipset (if using iptables) or nftables set (if using nftables) out of that list, and (in whitelist mode) creates iptables or nftables rules which block all inbound traffic which didn't come from ip addresses included in the set. When installed for all network interfaces rather than a specific WAN network interface, geoip-shell also creates some allow rules in order to not block DHCPv6 and other essential communication (which is non-routable, so should not affect the effectiveness of geoip blocking).

Generally, if you need things which should occasionally receive traffic from blocked countries, you would have to either add those countries to the whitelist, or come up with some sort of a workaround, for example here users came up with a workaround to allow letsencrypt to renew certificates (you will probably need to use Google automatic translation):
https://forum.netcup.de/administration-of-a-server-vserver/vserver-server-kvm-server/18634-geoblocking/

If you have any additional questions about geoip-shell, please feel free to ask.

Also note that the available geoip data is not 100% reliable. In some cases some ip subnets may be listed under one country but actually belong to a different country. This is not frequent but this happens. This is a shortcoming of all geoip blocking, not just geoip-shell. Specifically for NZ, I don't know how many ip subnets are assigned wrong and in which way (either an address in NZ is listed under a different country or an address in a different country appears under NZ). It could be that NZ is not affected at all, or it could be that you will have issues. You will just need to try and see.

geoip blocking is very effective for reducing the attack surface despite this shortcoming, however if you need a guarantee that 100% percent of people trying to access your server from NZ are not geoblocked, this guarantee can not be given.

geoip-shell will not interfere with that software, unless for some reason that software needs to receive traffic from blocked countries.

To clarify this point, geoip-shell creates a firewall rule which will allow the locally running software to make outbound connections to blocked countries and receive response. Only if the software is listening for inbound connection requests (without establishing an outbound connection first) then it will not be able to see it if given request comes from a blocked country.

Hi, did you manage to achieve the config you wanted? I posted some replies below which I'm not sure you've seen.

You can also read this for more information on how packets traverse tables and chains with iptables:
https://www.baeldung.com/linux/iptables-chains-tables-traversal

Sorry, for some reason the links to NOTES.md didn't work in the above answer, fixed now.

No need really for a coffee but you can give the repo a star if you fancy.
And please do keep me posted.

After some investigation, the error:
Error: Could not process rule: Numerical result out of range
refers to nftables maximum length of a set name is 15 characters (read 27 on other site).
If I'm not mistaken, if the name is "UY_ipv4_2024-10-08_geoip-shell" then is 30 chars.
Is there a way to modify the naming scheme on the script?

Indeed, turns out that nftables wiki says the set name must be 16 characters or less:
https://wiki.nftables.org/wiki-nftables/index.php/Sets

Which is weird because geoip-shell creates sets with 31 characters-long names and this works just fine on all systems I've tested with (Debian, Linux Mint, Gentoo, OpenWrt). Perhaps there is some obscure kernel compile-time option which can be set to enforce this and most distros don't set it.

Current set names format is kinda ingrained in the geoip-shell code, so quite a bit of modification will be necessary. I'll make an experimental branch which will implement shorter set names.

The experimental branch is here:

https://github.com/friendly-bits/geoip-shell/tree/shorter-nftables-set-names

Please test with it and let me know if the issue is fixed.

Working perfectly now
Thanks you very much.

Successfully configured geoip-shell for firewall backend: nftables.

Ip lists in the final whitelist: 'UY_ipv4 UY_ipv6'.

View geoip status with 'geoip-shell status' (may require 'sudo').

Install done.
fanta@linux:~/firewall/geoip-shell-shorter-nftables-set-names$ sudo geoip-shell status

geoip-shell status:

geoip-shell v0.5.8

Firewall backend: nftables
Geoip blocking mode: whitelist
Ip lists source: ripe
Country codes in the whitelist: UY ✔
IP families in firewall rules: ipv4 ipv6 ✔
Geoip rules applied to network interfaces: venet0

Protocols:
tcp: Geoip is applied to all ports
udp: Geoip is applied to all ports

Geoip firewall chain: enabled ✔
Whitelist blocking rule: ✔

nftables sets optimization policy: performance

Cron system service: ✔
Update cron job: ✔
Update schedule: '12 4 * * *'
Last successful update: Oct-10-2024 19:34:29
Persistence cron job: ✔
Automatic backup of ip lists: On

No problems detected.

Thanks for reporting this and helping me identify the issue. The fix is now incorporated in v0.5.9.

Hi Uwe and thank you for sharing your experience. This kind of responses makes it worthwhile to do open source development.