Geo blocking is an important mechanism if you are at all concerned about copyright restrictions for your internet radio stream. That is, if you're self hosting. If you're using some form of external streaming site, the good ones take care of all the copyright licensing fees and copyright restrictions.
Geo blocking can also greatly increase your self hosting security.
Artisan Radio self hosts, and recently had to migrate to using a VPN to gain incoming connectivity.
All this combined to create massive headaches when we attempted to geo block. The intent was to block all internet stream access except for Canada, as we intend to use audio material that is in the public domain in Canada for our programming. It may not be in the public domain elsewhere, particularly the U.S. (the only music fully in the public domain there is from the acoustic era of 1924 and earlier). The website will remain open to everyone, and we're still pondering what to do about the SDR. For now, it remains open.
Anyway, back to geo blocking. Using the Windows Advanced Firewall is a tried and true method to geo block. It's also free. By default, all incoming connections to a computer are blocked, and you have to open up potential connections via rules. Generally, this is done by a particular program's installer, but you can't rely on that being done correctly. Usually, every potential connection is opened up, and that is not a good thing for either security or geo blocking (as I found out).
Another thing to note is that Windows Firewall rules have a kind of order. Sort of. Maybe. Supposedly, the most specific rule is used, but again, that may not always be the case. I found that if any rule gives an incoming connection access, then it will gain that access, regardless of what other rules exist. Not so great if you're attempting to block most of the world.
So, the first thing that we did was to remove all rules pertaining to the Internet streaming server, IceCast. Again, the default behavior with no rule is to block access to an incoming connection, so that meant no one should have had access.
Now, there are sites on the Internet that can provide lists of IPv4 addresses for each country. I found one, and downloaded the Canadian IP list. The site I used assumed that you were going to block access to these IPs, and provided a script to create a blacklist, based on the input IP list. I modified this script to make a whitelist rather than a blacklist, and proceeded to create the rules by running it. All 231 of them, each containing 200 sets of Canadian IP ranges that would be allowed to access the Internet streaming server.
All fine and good. But in testing, I found that anyone could still gain access. What was happening?
A number of things were tried, and all failed. Some rule was obviously letting the non-Canadian IP addresses in, so I methodically went through each and every one until I found it. It turns out that the VPN, in creating my static IP and doing the port forwarding, allowed in any connection on any of the forwarded ports. And it did so with 28 duplicated rules, 14 for TCP and 14 for UDP. Not very nice, and really not what someone would want, especially if you already had rules set up for the programs that listened on these ports. After deleting these VPN-generated rules, everything worked as expected.
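For anyone wanting to reproduce the two steps above, here is an added PowerShell example (my own, not the script from the IP list site) that builds the Icecast whitelist in chunks of 200 ranges per rule and then audits for any other inbound allow rule that opens the port to every remote address, which is how the VPN's forwarded-port rules would show up. It assumes a list file with one IPv4 CIDR or range per line at an assumed path, and that Icecast listens on TCP 8000.

```powershell
# Added example, not the site's script. Assumptions: the downloaded list has one IPv4
# CIDR (a.b.c.d/nn) or range (a.b.c.d-e.f.g.h) per line; Icecast listens on TCP 8000.
param(
    [string]$ListFile = 'C:\geo\ca-ipv4.txt',   # assumed path to the Canadian list
    [int]$Port = 8000,                           # assumed Icecast listen port
    [int]$ChunkSize = 200                        # ranges per rule, as in the post
)

$prefix = 'Icecast CA allow'

# Start clean so re-running the script does not leave duplicate whitelist rules.
Get-NetFirewallRule -DisplayName "$prefix *" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Keep only lines that look like an IPv4 CIDR or an explicit range; skip comments and junk.
$ranges = @(Get-Content $ListFile | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2}|-\d{1,3}(\.\d{1,3}){3})$' })

# One Allow rule per chunk: a single rule accepts a list of remote addresses.
$ruleNo = 0
for ($i = 0; $i -lt $ranges.Count; $i += $ChunkSize) {
    $ruleNo++
    $last  = [Math]::Min($i + $ChunkSize, $ranges.Count) - 1
    $chunk = $ranges[$i..$last]
    New-NetFirewallRule -DisplayName ("{0} {1:D3}" -f $prefix, $ruleNo) `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
        -RemoteAddress $chunk -Profile Any | Out-Null
}
Write-Host "Created $ruleNo allow rules covering $($ranges.Count) ranges."

# Audit: any enabled inbound Allow rule that opens this port (or all ports) to
# RemoteAddress 'Any' defeats the whitelist, no matter how specific the allow rules are.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule  = $_
    $ports = $rule | Get-NetFirewallPortFilter
    $addrs = $rule | Get-NetFirewallAddressFilter
    $localPorts = @($ports.LocalPort)
    $opensPort  = ($localPorts -contains 'Any') -or ($localPorts -contains "$Port")
    if ($opensPort -and ($addrs.RemoteAddress -eq 'Any')) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Protocol      = $ports.Protocol
            LocalPort     = ($localPorts -join ',')
            RemoteAddress = $addrs.RemoteAddress
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell; every rule the audit table lists is one that would let non-Canadian addresses reach the port and should be removed or narrowed before trusting the whitelist.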
I'm documenting this here in the event that someone might want to self host. These are the kinds of issues that you can run into. Plus, I also wanted to have a document somewhere that I could refer to if I have to go through this again. The end result was simple... once you had the solution. Getting to the solution, figuring out what was going on when there could be a myriad of problems, was something else again.
