http://forum.ipinfodb.com/viewtopic.php?f=9&t=44 (indentation is broken but I'm sure you can work it out)

which will allow importation of the rule file via the iptables-restore command.

As it is, the script expects a line separated list of IP/network addresses in the form w.x.y.z/CIDR, though it will probably work with a full subnet mask instead of CIDR as well. It also expects the ipaddr module to be installed (http://code.google.com/p/ipaddr-py/).

There is no proper error checking in the script, so you'll have to implement that yourself.

I use it in conjunction with the resulting file from the wget command in the above bash script after it has been sorted/unique'd.

Sk

hi

thx for the script, i'm modified for allow only one country access to the ftp server

example:

 first step need to create iptables chain for filter

iptables -N ftp-filter

second step need to add policy to input chain

iptables -A INPUT -p tcp -m multiport --dport ftp,ftp-data -j ftp-filter

and use the script:

#!/bin/bash
#first step
#iptables -N ftp-filter
#iptables -A INPUT -p tcp -m multiport --dport ftp,ftp-data -j ftp-filter
#http://www.countryipblocks.net/e_country_data/
COUNTRIE="HU"
WORKDIR="/root/"
#######################################
cd $WORKDIR
wget -c --output-document=iptables-whitelist.txt http://www.countryipblocks.net/e_country_data/"$COUNTRIE"_cidr.txt
if [ -f iptables-whitelist.txt ]; then
  iptables -F ftp-filter
  BLOCKDB="iptables-whitelist.txt"
  IPS=$(grep -Ev "^#" $BLOCKDB)
  for i in $IPS
  do
    iptables -A ftp-filter -p tcp -s $i -m multiport --dport ftp,ftp-data -j ACCEPT
  done
fi
iptables -A ftp-filter -p tcp -m multiport --dport ftp,ftp-data -j REJECT --reject-with tcp-reset
rm $WORKDIR/iptables-whitelist.txt

Hello sir ,

Thank you for this article it would be useful for many sysadmins

 i have developed this script

let me put it here

#!/bin/bash                                                                      #
# Blocking IP 4 Countries : RoMiONeT       

#First article was for marchost at howtoforge.com         #

#This SCript is for blocking ips of countries u want         #
# All Rights are reserved By : RoMiONeT                        #  
# for any further help please contact us at                    #
# ( Dnx@hotmail.com -Admin@Romiohost.Com )            #
####################################
echo "Blocking IPS of any country By : RoMiONeT"
echo ""
echo "To know code of countries which you want to block"
echo "you can enter ( http://www.blogama.org/country.txt )"
echo ""
sleep 3
echo "Below you can type code of country Ex. ( IL ) for Israel "
echo -n " Enter Code : "
read code
wget -c --output-document=ips4countries.txt http://blogama.org/country_query.php?country=$code
for i in `cat /root/ips4countries.txt`
do
iptables -I INPUT -s ${i} -j DROP
done  ;
echo "Best Regards"
echo "RoMiONeT"
echo "Admin@Romiohost.Com & Dnx@hotmail.com"
exit 0

Thanks

Great Howto!  I can't believe this is that simple!

 Is there an efficient way to do the reverse of this?  I have a site where it only needs to be available in the US (actually only 1 state in the US)

 It seems that this would be a good idea, but putting in a ton of Deny statements would slow things down.

Anyone have any ideas?

For sites with lots of traffic you are better off looking at the following

 ipset - http://ipset.netfilter.org/

iptables geoip patch -  http://people.netfilter.org/acidfu/geoip/howto/