
Add Country-Based IP Filtering (--allowed-countries flag) #16

Open
mreza0100 wants to merge 1 commit into ssmirr:master from mreza0100:master

@mreza0100

Hi there to internet robin hoods!

Problem

Conduit proxy operators who want to specifically serve users in censored regions (e.g., Iran) currently have no way to restrict connections by country. Since Conduit uses WebRTC via Psiphon's broker, traditional IP filtering at the OS level (iptables, firewalld) doesn't work—the filtering must happen at the application layer using GeoIP lookup.

Solution

This PR adds a --allowed-countries flag that filters incoming connections based on GeoIP country code. Only connections from specified countries are allowed; all others are blocked and logged.

Changes

New package: cli/internal/filter/country_filter.go

  • Wraps MaxMind GeoLite2 database for country lookup
  • IsAllowed(ip) returns whether connection should proceed
  • Allows private/loopback IPs (TURN relay connections)
  • Tracks allowed/blocked/relay statistics

Modified files:

  • cli/internal/config/config.go - Pass AllowedCountries through config
  • cli/cmd/start.go - Add --allowed-countries StringSlice flag
  • cli/internal/conduit/service.go - Initialize filter and check connections in OnInproxyConnectionEstablished callback

Usage

# Allow only connections from Iran
./conduit start --allowed-countries IR -v

# Allow multiple countries
./conduit start --allowed-countries IR,AF,SY -v

Output

[FILTER] Only allowing connections from: [IR]
Starting Psiphon Conduit (Max Clients: 50, Bandwidth: 40 Mbps)
[OK] Connected to Psiphon network

# When connections arrive:
[BLOCKED] Connection from 203.0.113.50 (US)
[ALLOWED] Connection from 5.160.x.x (IR)    # -vv only

Notes

  • Uses existing github.com/oschwald/geoip2-golang dependency
  • GeoLite2 database auto-downloads on first run via existing geo.EnsureDatabase()
  • Private IPs (TURN relays) are always allowed through
  • No filtering applied if --allowed-countries flag is not set (default behavior unchanged)
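
The allow-list decision described in this PR, as an added Go sketch that is not the PR's code: `CountryFilter`, `Check`, `sampleLookup` and the verdict strings are hypothetical names, and the GeoLite2 lookup is replaced by a constructed table over documentation addresses. It fails closed on unparsable or unmapped addresses and counts relay passes separately, because private and loopback peers skip the country check entirely.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// CountryFilter is a hypothetical stand-in; lookup abstracts the GeoIP database.
type CountryFilter struct {
	allowed map[string]bool
	lookup  func(netip.Addr) (string, bool)
	Stats   map[string]int // keys: "allowed", "blocked", "relay"
}

func NewCountryFilter(codes []string, lookup func(netip.Addr) (string, bool)) *CountryFilter {
	f := &CountryFilter{allowed: map[string]bool{}, lookup: lookup, Stats: map[string]int{}}
	for _, c := range codes {
		// Normalize flag input; never store "" so an empty lookup result cannot match.
		if c = strings.ToUpper(strings.TrimSpace(c)); c != "" {
			f.allowed[c] = true
		}
	}
	return f
}

// Check classifies one remote address and updates the counters.
func (f *CountryFilter) Check(remote string) string {
	v := "blocked" // fail closed: unparsable or unmapped addresses are blocked
	if addr, err := netip.ParseAddr(remote); err == nil {
		addr = addr.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
		if addr.IsPrivate() || addr.IsLoopback() {
			v = "relay" // passes without any country check
		} else if cc, ok := f.lookup(addr); ok && f.allowed[cc] {
			v = "allowed"
		}
	}
	f.Stats[v]++
	return v
}

// sampleLookup is a constructed table over documentation addresses, not GeoIP data.
func sampleLookup(a netip.Addr) (string, bool) {
	cc, ok := map[string]string{"198.51.100.7": "IR", "203.0.113.50": "US"}[a.String()]
	return cc, ok
}

func main() {
	f := NewCountryFilter([]string{"ir"}, sampleLookup)
	fmt.Println(f.Check("198.51.100.7"), f.Check("203.0.113.50"), f.Check("10.0.0.5"), f.Stats)
}
```

A high relay count relative to allowed and blocked indicates how much traffic the country filter never evaluates.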
