## Why

Both proxy servers should refuse to forward traffic to China-destined IPs. Since clients already access Chinese services directly (per the china-direct-bypass Surge rules), any China-bound traffic reaching the servers is either misconfigured or unwanted. Blocking it server-side adds a defense-in-depth layer and prevents the servers from being used to access domestic Chinese services.

## What Changes

- Create a new Ansible role `geoblock` that downloads China IP CIDR lists and configures iptables to drop outbound traffic to those ranges
- Apply the role to both relay and landing servers
- Set up a cron job to periodically refresh the IP list

## Capabilities

### New Capabilities

- `geoblock-cn`: Server-side blocking of outbound connections to China IP ranges via iptables

### Modified Capabilities

(none)

## Impact

- New `roles/geoblock/` Ansible role applied to all servers
- iptables rules added on both servers blocking outbound to CN IP ranges
- Cron job for periodic IP list updates
- `site.yml` updated to include the geoblock role
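The refresh step the role and cron job would run, as an added example that is not the proposal's own code: it validates the downloaded CIDR list and loads it into an ipset that a single iptables rule references, swapping the set atomically so a refresh never leaves the block list empty. Using ipset instead of one iptables rule per prefix, the set name `cn_cidr` and the list path are assumptions.

```shell
#!/bin/sh
# Added example, not the geoblock role itself. Set name and paths are assumptions.
set -eu

SET_NAME="${SET_NAME:-cn_cidr}"

# Print only well-formed IPv4 CIDRs (octets 0-255, prefix 0-32), deduplicated.
# Comments, blank lines and junk from a bad fetch are dropped rather than
# handed to the kernel.
filter_cidrs() {
    awk -F'[./]' '
        { sub(/\r$/, "") }
        NF == 5 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ &&
        $4 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && $5 <= 32 { print }
    ' "$1" | sort -u
}

# Emit an ipset restore session that fills a temporary set and swaps it in
# atomically, so the live set is never empty mid-refresh (the gap a naive
# flush-and-reload would open on every cron run). Feed it to
# "ipset -exist restore" so the second "create" is a no-op on later runs.
build_ipset_restore() {
    tmp="${SET_NAME}_tmp"
    echo "create $tmp hash:net family inet hashsize 65536 maxelem 131072"
    filter_cidrs "$1" | while IFS= read -r cidr; do
        echo "add $tmp $cidr"
    done
    echo "create $SET_NAME hash:net family inet hashsize 65536 maxelem 131072"
    echo "swap $tmp $SET_NAME"
    echo "destroy $tmp"
}

# Constructed sample of what a downloaded list might contain, junk included.
write_sample_list() {
    cat > "$1" <<'EOF'
# constructed sample list
1.0.1.0/24
1.0.2.0/23
1.0.1.0/24
300.1.1.0/24
1.0.8.0/40
not-a-cidr
EOF
}

# One-time rule on the server:  iptables -I OUTPUT -m set --match-set cn_cidr dst -j DROP
# Cron refresh (path assumed): build_ipset_restore /var/lib/geoblock/cn.txt | ipset -exist restore
```

Because the iptables rule only references the set, refreshing the list never touches the iptables chain, and a refresh that fails validation leaves the previous set in force.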