Blocking IP Addresses Of Any Country With iptables

Want to support HowtoForge? Become a subscriber!
 
Submitted by marchost (Contact Author) (Forums) on Thu, 2009-02-12 11:56. :: Linux | Security

Blocking IP Addresses Of Any Country With iptables

This article explains how you can block IP addresses of any country with the help of iptables.

Source : http://blogama.org/node/

 

The API to get the IP addresses to block

First you need to know the code (ISO 3166 format) of the country you would like to block. The full list is available HERE.

Once you have the country code, you can now get the list at the following url (Afghanistan and Argentina in this example):

http://blogama.org/country_query.php?country=AF,AR

If you dont see IP addresses by lines, view the page code.

 

How often is data updated

During the first week of each month.

 

The full SQL database

For the full SQL database of this data, please read this page.

 

Automatic bash script to block those IP addresses in iptables

The following script will:

  1. Fetch the right IP addresses of the country you would like to block from our API
  2. Add these rules in iptables.
#!/bin/bash
###PUT HERE COMA SEPARATED LIST OF COUNTRY CODE###
COUNTRIES="AK,AR"
WORKDIR="/root"
#######################################
cd $WORKDIR
wget -c --output-document=iptables-blocklist.txt http://blogama.org/country_query.php?country=$COUNTRIES
if [ -f iptables-blocklist.txt ]; then
  iptables -F
  BLOCKDB="iptables-blocklist.txt"
  IPS=$(grep -Ev "^#" $BLOCKDB)
  for i in $IPS
  do
    iptables -A INPUT -s $i -j DROP
    iptables -A OUTPUT -d $i -j DROP
  done
fi
rm $WORKDIR/iptables-blocklist.txt

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Ryan (not registered) on Fri, 2012-10-26 17:33.

 Here is a working block list generator

http://ipinfodb.com/ip_country_block.php

Submitted by smilovsky (registered user) on Thu, 2012-01-26 11:20.
Hello everyone,

I am looking for a shell or perl script to browse a log file, extract the IP, do a whois on each to see if IP address is a facebook or not
if it's a facebook address, the script adds it to a file bloc_ip.txt
if not it goes to the following address ...

since I am not a developer, I want a loan or similar script that I can change it.

Can someone help me?
Submitted by Skinnner (not registered) on Sat, 2009-11-14 11:50.
A python version of the script is available here:

http://forum.ipinfodb.com/viewtopic.php?f=9&t=44 (indentation is broken but I'm sure you can work it out)

which will allow importation of the rule file via the iptables-restore command.

As it is, the script expects a line separated list of IP/network addresses in the form w.x.y.z/CIDR, though it will probably work with a full subnet mask instead of CIDR as well. It also expects the ipaddr module to be installed (http://code.google.com/p/ipaddr-py/).

There is no proper error checking in the script, so you'll have to implement that yourself.

I use it in conjunction with the resulting file from the wget command in the above bash script after it has been sorted/unique'd.

Sk

Submitted by cateye (registered user) on Sun, 2009-10-04 22:23.

hi

thx for the script, i'm modified for allow only one country access to the ftp server

example:

 first step need to create iptables chain for filter

 

iptables -N ftp-filter

 

second step need to add policy to input chain

 

iptables -A INPUT -p tcp -m multiport --dport ftp,ftp-data -j ftp-filter

 

and use the script:

#!/bin/bash
#first step
#iptables -N ftp-filter
#iptables -A INPUT -p tcp -m multiport --dport ftp,ftp-data -j ftp-filter
#http://www.countryipblocks.net/e_country_data/
COUNTRIE="HU"
WORKDIR="/root/"
#######################################
cd $WORKDIR
wget -c --output-document=iptables-whitelist.txt http://www.countryipblocks.net/e_country_data/"$COUNTRIE"_cidr.txt
if [ -f iptables-whitelist.txt ]; then
  iptables -F ftp-filter
  BLOCKDB="iptables-whitelist.txt"
  IPS=$(grep -Ev "^#" $BLOCKDB)
  for i in $IPS
  do
    iptables -A ftp-filter -p tcp -s $i -m multiport --dport ftp,ftp-data -j ACCEPT
  done
fi
iptables -A ftp-filter -p tcp -m multiport --dport ftp,ftp-data -j REJECT --reject-with tcp-reset
rm $WORKDIR/iptables-whitelist.txt


Submitted by Deniz Gezmis (not registered) on Mon, 2011-07-25 20:43.

Make sure you have "--no-check-certificate" switch with wget.

Submitted by RoMiONeT (registered user) on Tue, 2009-04-14 10:24.

Hello sir ,

Thank you for this article it would be useful for many sysadmins

 i have developed this script

let me put it here


 

#!/bin/bash                                                                      #
# Blocking IP 4 Countries : RoMiONeT       

#First article was for marchost at howtoforge.com         #

#This SCript is for blocking ips of countries u want         #
# All Rights are reserved By : RoMiONeT                        #  
# for any further help please contact us at                    #
# ( Dnx@hotmail.com -Admin@Romiohost.Com )            #
####################################
echo "Blocking IPS of any country By : RoMiONeT"
echo ""
echo "To know code of countries which you want to block"
echo "you can enter ( http://www.blogama.org/country.txt )"
echo ""
sleep 3
echo "Below you can type code of country Ex. ( IL ) for Israel "
echo -n " Enter Code : "
read code
wget -c --output-document=ips4countries.txt http://blogama.org/country_query.php?country=$code
for i in `cat /root/ips4countries.txt`
do
iptables -I INPUT -s ${i} -j DROP
done  ;
echo "Best Regards"
echo "RoMiONeT"
echo "Admin@Romiohost.Com & Dnx@hotmail.com"
exit 0

 

Thanks

Submitted by Anonymous (not registered) on Fri, 2009-02-13 04:52.

Great Howto!  I can't believe this is that simple!

 Is there an efficient way to do the reverse of this?  I have a site where it only needs to be available in the US (actually only 1 state in the US)

 It seems that this would be a good idea, but putting in a ton of Deny statements would slow things down.

Anyone have any ideas?

Submitted by marchost (registered user) on Fri, 2009-02-13 19:56.

I might be wrong but I think iptables are cascading such as :

deny from all

allow 123.123.123.0/24

allow 123.123.124.0/24

You will have to google for how to do it exactly.

Limit all IP to US


 

Submitted by topdog (registered user) on Thu, 2009-02-12 13:35.

For sites with lots of traffic you are better off looking at the following

 ipset - http://ipset.netfilter.org/

iptables geoip patch -  http://people.netfilter.org/acidfu/geoip/howto/

 

Submitted by Kasper (not registered) on Thu, 2009-02-12 12:52.
Think it's a bad idea, to fetch the blocklist on every(!) iptables call, especially when the list is updated weekly only. A cron job or a date-check would be a better solution in my opinion.
Submitted by Anonymous (not registered) on Thu, 2010-11-18 18:07.

Look this.

http://blog.kdn2.info/2010/11/block-facebook-com-with-iptables/

Submitted by marchost (registered user) on Fri, 2009-02-13 06:13.

@kasper : The probability that 1) a subnet change country before the update, 2) that you are actually blocking that country and 3)that a visitor to your website is coming from that specific subnet is very improbable unless you work at google ;)

 

I didnt think of performance issue... I did some quick benchmark with apache ab command.

2 dedicated server sending requests to 1 small VPS with block to china and india (thousands of iptables rules to test...)

WITHOUT iptables block :

-Round 1 :

 Requests per second:    140.46 [#/sec] (mean) on server 1

Requests per second:    153.48 [#/sec] (mean) on server 2

-Round 2:

 Requests per second:    139.69 [#/sec] (mean) on server 1

Requests per second:    147.11 [#/sec] (mean) on server 2

 

 WITH iptables block :

-Round 1:

 Requests per second:    138.17 [#/sec] (mean) on server 1

Requests per second:    143.10 [#/sec] (mean) on server 2

-Round 2

 Requests per second:    154.69 [#/sec] (mean) on server 1

 Requests per second:    151.13 [#/sec] (mean) on server 2

Submitted by Impeach Obama (not registered) on Wed, 2011-05-25 04:23.
What's Google got to do with anything?  They're a search engine, not an ISP...