diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 7d081bbc3..f35b6b6e1 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -39,6 +39,9 @@ iptables_init() {
 	iptables -P FORWARD DROP
 	iptables -P OUTPUT ACCEPT
 
+	# Ensure the xt_geoip module is always loaded (#12767)
+	modprobe xt_geoip
+
 	# Enable TRACE logging to syslog
 	modprobe nf_log_ipv4
 	sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4