3X-UI Xray Routing Guide: Block Countries, Ports, and Websites

15 min read
Intermediate 3X-UI Xray Routing Security

Prerequisites

  • A working 3X-UI panel with at least one inbound configured
  • SSH access to your server
  • Basic familiarity with the 3X-UI panel interface

How Routing Works

When a user connects to your proxy and tries to visit a website, Xray checks routing rules before sending the traffic out to the internet.

Each rule says: "If traffic matches this condition → do this action"

Two possible actions:

  • direct — allow traffic, send to internet
  • blocked — drop traffic, user gets nothing

Rules are checked top to bottom. The first rule that matches wins. If no rule matches, traffic is allowed through (direct).

You can match traffic by:

  • Destination Domain — what site the user wants to visit
  • Destination IP — what country the site's server is in
  • Destination Port — what port the traffic targets (25, 80, 443…)
  • Source IP — where the user connects from
  • Protocol — traffic type like bittorrent

Step 1: Set Up DNS Servers

Go to Xray Configs → Basics tab.

Find the DNS section. If it is empty, add:

8.8.8.8
1.1.1.1

Click Save.

Xray needs DNS servers to resolve domains and determine which country a domain belongs to. Without DNS configured, domain-based routing rules like geosite: will not work.


Step 2: Set Up Outbounds

Go to Xray Configs → Outbounds tab.

You need two outbounds:

Outbound Protocol Tag Purpose
1 freedom direct Allow traffic through to internet
2 blackhole blocked Drop/block traffic silently

The direct outbound usually exists by default. If blocked does not exist, click + Add Outbound, set Protocol to blackhole, Tag to blocked, and save.

Write down the exact tag names from your panel. If your blackhole outbound uses a different tag (like "block" instead of "blocked"), use your tag name in all rules below.


Step 3: Add Routing Rules

Go to Xray Configs → Routing Rules tab.

Below are all common rules organized by category. Pick the ones you need. For each rule, click "+ Add Rule", fill in only the fields listed, leave everything else empty.

Block Ports (Anti-Spam)

Users can abuse your proxy to send spam emails. Email uses ports 25, 587, and 465. Blocking these stops anyone from sending emails through your server and protects your server IP from being blacklisted.

Field Value
Destination Port 25,587,465
Outbound Tag blocked
All other fields Leave empty

Type 25,587,465 exactly — no spaces, just commas.

What these ports do:

  • 25 — SMTP (main email sending port)
  • 587 — SMTP Submission (authenticated email sending)
  • 465 — SMTPS (encrypted email sending)

Optional — block remote access and database ports in a single rule:

Field Value
Destination Port 22,23,25,465,587,1433,3306,3389,5432,6379,27017
Outbound Tag blocked
All other fields Leave empty

Port reference:

  • 22 — SSH (prevent tunneling through proxy)
  • 23 — Telnet (unencrypted remote access)
  • 3389 — RDP (Windows remote desktop)
  • 3306 — MySQL
  • 5432 — PostgreSQL
  • 27017 — MongoDB
  • 6379 — Redis
  • 1433 — Microsoft SQL Server

Block Private / Local IPs

This stops users from accessing your server's local network through the proxy — a security must-have. Without it, someone could scan your internal services.

Field Value
Destination IP geoip:private
Outbound Tag blocked
All other fields Leave empty

This blocks 127.0.0.1, 10.x.x.x, 192.168.x.x, 172.16-31.x.x, and all other private IP ranges.

If you run WARP or another local service that Xray needs to reach on 127.0.0.1, add an allow rule for that service above this block rule.

Block Source Countries

This blocks people from certain countries from using your proxy. Good for stopping scanners and bots.

Source IP = where the user connects from (different from Destination IP which is where the user wants to go).

Field Value
Source IP geoip:cn,geoip:ru
Outbound Tag blocked
All other fields Leave empty

For any country, use geoip:COUNTRYCODE. The geoip database works for all countries — see the reference table at the bottom.

Block Destination Countries

This blocks users from accessing websites and servers in certain countries through your proxy.

Field Value
Destination IP geoip:cn
Outbound Tag blocked
All other fields Leave empty

You can combine multiple countries in one rule:

Field Value
Destination IP geoip:cn,geoip:ru
Outbound Tag blocked
All other fields Leave empty

Optional — also block by domain name (China only):

For China specifically, you can also add a domain rule because geosite:cn exists in the default Xray database:

Field Value
Destination Domain geosite:cn
Outbound Tag blocked
All other fields Leave empty

This catches Chinese domains even if they use a CDN with non-Chinese IP addresses.

Warning about geosite: country codes: Unlike geoip, the geosite database does not have entries for every country. In the default Xray database, only geosite:cn (China) is reliably available. Tags like geosite:ru, geosite:ir, or geosite:us do not exist in the default database. If you use a non-existent geosite tag, Xray will crash and your entire proxy stops working for all users. Always use geoip for country blocking. If you need extended geosite tags, install a custom database like Chocolate4U/Iran-v2ray-rules.

Block Ads and Trackers

Blocks thousands of known advertising and tracking domains:

Field Value
Destination Domain geosite:category-ads-all
Outbound Tag blocked
All other fields Leave empty

Optional — block adult content:

Field Value
Destination Domain geosite:category-porn
Outbound Tag blocked
All other fields Leave empty

Both category-ads-all and category-porn are confirmed to exist in the default Xray geosite database.

Block BitTorrent

Stops users from downloading torrents through your proxy. Torrent traffic can get your server IP reported for piracy.

Field Value
Protocol bittorrent
Outbound Tag blocked
All other fields Leave empty

The Protocol field is in the panel under the "Protocol" or "L4" column.

Important: For this rule to work, sniffing must be enabled on your inbounds. Go to Inbounds, click on each inbound, and verify that Sniffing is ON. In 3X-UI it is usually on by default. Without sniffing, Xray cannot detect traffic types and this rule will silently do nothing. Note that encrypted torrent clients may bypass this detection.

Block Specific Websites

To block individual websites by domain name:

Field Value
Destination Domain domain:badsite.com,domain:another.org
Outbound Tag blocked
All other fields Leave empty

Domain matching prefixes:

Prefix Behavior Example
domain: Matches domain and all subdomains domain:example.com blocks example.com, www.example.com, mail.example.com
full: Exact match only, no subdomains full:example.com blocks only example.com
keyword: Matches any domain containing the word keyword:gambling blocks onlinegambling.com, gambling-site.net
regexp: Regular expression pattern regexp:.*\.xyz$ blocks all .xyz domains

You can also block entire service categories using geosite tags:

geosite:facebook
geosite:tiktok
geosite:instagram

Step 4: Set the Correct Rule Order

After adding all your rules, use the up/down arrow buttons in the panel to arrange them in this order:

# Rule Type Action
1 Block ports (25, 587, 465…) blocked
2 Block source countries blocked
3 Block private IPs blocked
4 Block destination countries blocked
5 Block ads blocked
6 Block bittorrent blocked
7 Block specific websites blocked

Why this order:

  • Port blocks first — fastest check, stops spam immediately
  • Source blocks next — reject bad clients before doing more work
  • Private IPs — security
  • Destination countries — geo-restriction
  • Ads/torrents/sites — content filtering last

Any traffic that matches no rule is allowed through to the internet normally.


Step 5: Save and Restart

Click Save at the top of the page, then click Restart Xray.

Always save first, then restart. If you only restart without saving, your changes will be lost. Changes take effect immediately after restart. Connected users may briefly disconnect and reconnect automatically.


Testing

Connect using your VLESS, VMess, or Trojan configuration and verify:

Should work:

  • google.com, youtube.com, twitter.com
  • Any site not in your blocked lists

Should be blocked:

  • Sites hosted in blocked countries
  • Sending emails (port 25/587/465)
  • Torrent downloads (if sniffing is on)
  • Ad domains
  • Sites you specifically blocked
  • Accessing server local network

Troubleshooting

If users cannot connect after adding rules:

  1. Go to the Routing Rules tab
  2. Delete the rules you just added (start from the last one, work backwards)
  3. Click Save → Restart Xray
  4. Test again

Common mistakes:

  • Xray won't start — you used a geosite tag that doesn't exist (e.g., geosite:ru). Remove it and use geoip instead.
  • Wrong outbound tag name — check the Outbounds tab for exact spelling.
  • Rule order wrong — allow rules must be above block rules.
  • BitTorrent rule does nothing — sniffing is not enabled on your inbounds.
  • Blocked geoip:private breaks local service — add an allow rule above the private IP block for services like WARP.

Reference: geoip Values

geoip works for all countries. Use in Destination IP or Source IP fields.

Special:

Tag Matches
geoip:private All private/local IPs
geoip:telegram Telegram server IPs
geoip:facebook Facebook/Meta server IPs
geoip:google Google server IPs

Countries (use 2-letter ISO code):

Tag Country
geoip:cnChina
geoip:ruRussia
geoip:irIran
geoip:usUnited States
geoip:deGermany
geoip:frFrance
geoip:gbUnited Kingdom
geoip:trTurkey
geoip:inIndia
geoip:pkPakistan
geoip:afAfghanistan
geoip:iqIraq
geoip:sySyria
geoip:kpNorth Korea

Full list: ISO 3166-1 alpha-2 on Wikipedia


Reference: geosite Values

Unlike geoip, the geosite database does not cover all countries. Using a non-existent tag crashes Xray.

Confirmed safe in the default database:

Tag Matches
geosite:cnChina domains
geosite:category-ads-allAll ad/tracking domains
geosite:category-pornAdult content domains
geosite:googleGoogle services
geosite:facebookFacebook
geosite:instagramInstagram
geosite:youtubeYouTube
geosite:twitterTwitter / X
geosite:telegramTelegram
geosite:whatsappWhatsApp
geosite:netflixNetflix
geosite:spotifySpotify
geosite:tiktokTikTok
geosite:amazonAmazon
geosite:openaiChatGPT / OpenAI

Do NOT use (they don't exist in the default database):

Tag Status
geosite:ruDoes not exist
geosite:irDoes not exist
geosite:usDoes not exist
geosite:category-gamblingDoes not exist
geosite:malwareDoes not exist
geosite:phishingDoes not exist

For extended tags, install Chocolate4U/Iran-v2ray-rules which adds ir, malware, phishing, cryptominers, and more.


Reference: Ports Worth Blocking

Category Port Service Description
Email25SMTPMain email sending
Email465SMTPSEncrypted email
Email587SMTP SubmitAuthenticated email
Remote22SSHRemote server access
Remote23TelnetUnencrypted remote access
Remote3389RDPWindows remote desktop
Database1433MSSQLMicrosoft SQL Server
Database3306MySQLMySQL database
Database5432PostgreSQLPostgreSQL database
Database6379RedisRedis cache
Database27017MongoDBMongoDB database

All ports in one line for copy-paste:

22,23,25,465,587,1433,3306,3389,5432,6379,27017

Tips

  • No Inbound Tag on a rule = the rule applies to all your inbounds (all VLESS, VMess, Trojan configs). To target only one specific config, set the Inbound Tag field.
  • Combine values to reduce rules: geoip:cn,geoip:ru,geoip:af in one field instead of three separate rules.
  • Save before Restart. Always.
  • Backup your routing rules (screenshot them) before making big changes.
  • Test after each rule — add one at a time, save + restart, and test. If something breaks, you know exactly which rule caused it.