Geo2nft parses MaxMind's GeoLite2 Database and generates nftables sets containing IP address ranges for the specified countries.
The generated sets can be used for firewall rules to restrict access from overseas, etc.
It requires only Python to run; no third-party packages are needed.
Developed and tested with Python 3.12.12.
Note that to download the GeoLite2 Database,
you will need a MaxMind account ID and a valid license key.
You can obtain a free license key through your account portal.
Clone this repository (or download geo2nft.py) and run it like this:
$ export MAXMIND_ACCOUNT_ID=123456 # your account ID here
$ export MAXMIND_LICENSE_KEY=abcdef_ghijk... # your license key here
$ python geo2nft.py save/to/sets.nft JP
This will download the database and save the generated nftables sets to the path you specified.
Run python geo2nft.py --help for more information on usage.
This is a simple example:
table inet filter {
    # The default set names are `allowed_country_v4` and `allowed_country_v6`
    include "path/to/sets.nft"

    chain accept_allowed_country {
        ip saddr @allowed_country_v4 counter accept
        ip6 saddr @allowed_country_v6 counter accept
    }

    chain input {
        type filter hook input priority filter
        policy drop
        ct state { established, related } accept
        ct state new tcp dport { 22, 80, 443 } goto accept_allowed_country
    }
}
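To show what a sets file like the one included above can contain, here is an added sketch (not geo2nft's own code) that filters country blocks, merges adjacent ranges, and renders the two interval sets. It assumes the column layout of the GeoLite2 Country CSV edition and a plain `set { ... }` file layout; the page does not say which database format or output layout geo2nft uses, and the sample rows are constructed from documentation address ranges.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the assumed GeoLite2 Country CSV layout (not real data).
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
1861060,en,AS,Asia,JP,Japan,0
6252001,en,NA,"North America",US,"United States",0
"""
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/25,1861060,1861060,,0,0
192.0.2.128/25,1861060,1861060,,0,0
198.51.100.0/24,6252001,6252001,,0,0
2001:db8::/33,1861060,1861060,,0,0
2001:db8:8000::/33,1861060,1861060,,0,0
203.0.113.0/24,,1861060,,0,0
"""

def country_networks(locations, blocks, iso_codes):
    """Return (v4, v6) lists of merged networks located in the given countries."""
    wanted = {c.upper() for c in iso_codes}
    ids = {r["geoname_id"] for r in csv.DictReader(io.StringIO(locations))
           if r["country_iso_code"] in wanted}
    # Rows with an empty geoname_id (location unknown) never match, so they stay blocked.
    nets = [ipaddress.ip_network(r["network"])
            for r in csv.DictReader(io.StringIO(blocks)) if r["geoname_id"] in ids]
    # collapse_addresses() merges adjacent ranges but needs one IP version per call.
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6

def render_set(name, addr_type, networks):
    """Render one nftables interval set; an empty set omits `elements`."""
    lines = [f"set {name} {{", f"    type {addr_type}", "    flags interval"]
    if networks:
        body = ",\n        ".join(str(n) for n in networks)
        lines.append(f"    elements = {{\n        {body}\n    }}")
    lines.append("}")
    return "\n".join(lines)

def render_sets(locations, blocks, iso_codes):
    """Render both sets using the default set names mentioned on this page."""
    v4, v6 = country_networks(locations, blocks, iso_codes)
    return "\n".join([render_set("allowed_country_v4", "ipv4_addr", v4),
                      render_set("allowed_country_v6", "ipv6_addr", v6)]) + "\n"

if __name__ == "__main__":
    print(render_sets(LOCATIONS_CSV, BLOCKS_CSV, ["JP"]))
```

Before loading a ruleset that includes a regenerated sets file, it can be validated with `nft -c -f <ruleset>`, which parses it without applying it.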
Copyright © 2025 CrystalAlpha358
This project is licensed under the MIT License.
See LICENSE for details.
The GeoLite2 Database is provided and maintained by MaxMind, Inc.
Use of the GeoLite2 Database, including the address sets generated by this tool, is subject to the GeoLite2 End User License Agreement of MaxMind.