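{
    # Build the XTGeoIP chain: a logged DROP of inbound TCP connections whose
    # source address geolocates to one of the configured "bad" countries
    # (xtables-addons geoip match).  Nothing here touches iptables directly;
    # every statement appends shell to $OUT and the generated script does
    # the work.  Inputs come from the configuration db:
    #   $masq{BadCountries}             global list of country codes to block
    #   $masq{GeoIP}                    master switch ('enabled' to filter)
    #   $masq{XtServices}               comma list of services carrying their
    #                                   own BadCountries / XTGeoipRev settings
    #   $masq{XTGeoipOther}             when enabled, the global list skips
    #                                   ports already handled per service
    #   $masq{XTGeoipRev}               invert the global country match
    #   $masq{XTAcceptValidRemoteHosts} exempt httpd-admin ValidFrom networks
    #   @locals / $nets                 local networks to exempt (RETURN)
    # Only TCP is filtered: every DROP below carries -p tcp, so UDP services
    # are not covered by this chain.
    my $BC = $masq{BadCountries} || '';
    my $GP = $masq{GeoIP}        || 'disabled';

    # The geoip match needs the out-of-tree xt_geoip module for the running
    # kernel.  Rules are emitted only if one of its known install locations
    # holds a non-empty file; otherwise the chain is swapped in empty, which
    # silently disables filtering.
    my $KERNEL = `/bin/uname -r`;
    chomp($KERNEL);
    my @module_paths = (
        "/lib/modules/$KERNEL/extra/xt_geoip.ko",
        "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko",
        "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko",
    );

    # TCP ports that received a per-service rule; the global rule can leave
    # them alone when XTGeoipOther is enabled.
    my @locPorts;

    # Bootstrap: create the XTGeoIP chain and hook it at the top of INPUT
    # only when it does not exist yet, so a reload right after the initial
    # install neither fails nor inserts a second jump.  The absolute path
    # matches every other iptables call in the generated script.
    $OUT .= <<'EOF';
   /sbin/iptables -n --list XTGeoIP >/dev/null 2>&1
   test=$?
   if [[ $test -eq 1 ]] ; then
   # A blacklist chain for xtables-addons GEOIP
    /sbin/iptables --new-chain XTGeoIP
    /sbin/iptables --new-chain XTGeoIP_1
    /sbin/iptables --append XTGeoIP -j XTGeoIP_1
    /sbin/iptables --insert INPUT 1 \
       -j XTGeoIP
   fi
EOF

    # Find the current XTGeoIP_$$ chain and create a fresh one.  Rules are
    # built in the new chain and swapped in at the end, so INPUT never jumps
    # to a half-populated chain.
    $OUT .= <<'EOF';
    OLD_XTGeoIP=$(get_safe_id XTGeoIP filter find)
    NEW_XTGeoIP=$(get_safe_id XTGeoIP filter new)
    /sbin/iptables --new-chain $NEW_XTGeoIP
EOF

    if ($GP eq 'enabled' and grep { -s $_ } @module_paths) {

        # Exemptions come first: anything that RETURNs here is never seen
        # by the geoip rules further down.

        # do not block Localhost(s)
        # NOTE(review): loopback is 127.0.0.0/8; only the first /24 is
        # exempted here, as in the original rule set -- widen if needed.
        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -s 127.0.0.0/24 -j RETURN\n";

        # do not block LAN: one RETURN per network found in the networks db.
        foreach my $local (@locals) {
            my ($net) = split m{/}, $local;
            my $netrec = $nets->get($net);
            die "Can't find network $net in networks db!\n" unless $netrec;
            $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -s $local";

            # A remote VPN subnet is trusted only when it arrives over the
            # tunnel; the same source seen on another interface is still
            # subject to the country filter.
            if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes') {
                $OUT .= " --in-interface ipsec0";
            }
            $OUT .= " -j RETURN\n";
        }

        # [SME: 12445] do not block Remote authorized access
        # TO DO : allow pin point per service eg this UK ip/network even if UK is filtered
        if (($masq{XTAcceptValidRemoteHosts} || 'enabled') eq 'enabled') {
            foreach my $entry (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')) {
                # An empty field (trailing or doubled separator) is not an
                # address; skipping it beats dying inside template expansion.
                next unless $entry =~ /\S/;
                my ($ip, $bits) = Net::IPv4Addr::ipv4_parse($entry);

                # 0.0.0.0(/0) means "anywhere" and would exempt the world.
                next if $ip eq '0.0.0.0';

                # A bare address comes back without a mask; treat it as a
                # single host instead of emitting "-s a.b.c.d/", which
                # iptables rejects -- the failed rule would silently drop
                # the exemption and the remote admin could end up blocked.
                $bits = 32 unless defined $bits and length $bits;
                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -s $ip/$bits -j RETURN\n";
            }
        }

        # Per-service rules: an enabled, public service with its own
        # BadCountries list gets a logged DROP on its TCP port(s).
        foreach my $servName (split /,/, ($masq{'XtServices'} || '')) {
            my $port       = ${$servName}{'TCPPort'}      || '';
            my $servStatus = ${$servName}{'status'}       || 'disabled';
            my $servAccess = ${$servName}{'access'}       || 'private';
            my $locBC      = ${$servName}{'BadCountries'} || '';

            # XTGeoipRev turns the country list into an allow-list: drop
            # everything *not* sourced from those countries.
            my $reverse = ((${$servName}{'XTGeoipRev'} || 'disabled') eq 'enabled') ? '!' : '';

            next unless $port ne ''
                    and $servStatus eq 'enabled'
                    and $servAccess eq 'public'
                    and $locBC ne '';

            push @locPorts, $port;

            # A port list or range needs the multiport match.
            my $multi = ($port =~ /[,:]/) ? '-m multiport --dports' : '--dport';
            $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j NFLOG --nflog-prefix \"GeoIP BAN: $servName\"\n";
            $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
        }

        # Global rule for everything the per-service rules did not cover.
        if ($BC ne '') {
            my $reverse = (($masq{'XTGeoipRev'}   || 'disabled') eq 'enabled') ? '!' : '';
            my $others  = (($masq{'XTGeoipOther'} || 'disabled') eq 'enabled') ? 1   : 0;

            # Unless XTGeoipOther is enabled, the global list applies to all
            # TCP ports, including those that already have per-service rules.
            @locPorts = () unless $others;

            if (@locPorts) {
                # NOTE(review): multiport takes a limited number of ports
                # per rule (a range counts double); a long service list may
                # need splitting -- confirm against the installed iptables.
                my $LocPorts = join ',', @locPorts;
                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j NFLOG --nflog-prefix \"GeoIP BAN: OTHER\"\n";
                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts  $reverse --src-cc $BC -j DROP\n";
            } else {
                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j NFLOG --nflog-prefix \"GeoIP BAN: ALL\"\n";
                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
            }
        }

        # Explicit fall-through to the rest of INPUT for whatever survived.
        $OUT .= "    /sbin/iptables --append  \$NEW_XTGeoIP -j RETURN\n";
    }

    # Having created a new XTGeoIP chain, activate it and destroy the old.
    $OUT .= <<'EOF';
    /sbin/iptables --replace XTGeoIP 1 \
            --jump $NEW_XTGeoIP
    /sbin/iptables --flush $OLD_XTGeoIP
    /sbin/iptables --delete-chain $OLD_XTGeoIP
EOF
}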
