Hello sir ,

Thank you for this article it would be useful for many sysadmins

 i have developed this script

let me put it here

#!/bin/bash                                                                      #
# Blocking IP 4 Countries : RoMiONeT       

#First article was for marchost at howtoforge.com         #

#This SCript is for blocking ips of countries u want         #
# All Rights are reserved By : RoMiONeT                        #  
# for any further help please contact us at                    #
# ( [email protected] [email protected] )            #
####################################
echo "Blocking IPS of any country By : RoMiONeT"
echo ""
echo "To know code of countries which you want to block"
echo "you can enter ( http://www.blogama.org/country.txt )"
echo ""
sleep 3
echo "Below you can type code of country Ex. ( IL ) for Israel "
echo -n " Enter Code : "
read code
wget -c --output-document=ips4countries.txt http://blogama.org/country_query.php?country=$code
for i in `cat /root/ips4countries.txt`
do
iptables -I INPUT -s ${i} -j DROP
done  ;
echo "Best Regards"
echo "RoMiONeT"
echo "[email protected] & [email protected]"
exit 0

Thanks

I might be wrong but I think iptables are cascading such as :

deny from all

allow 123.123.123.0/24

allow 123.123.124.0/24

You will have to google for how to do it exactly.

Think it's a bad idea, to fetch the blocklist on every(!) iptables call, especially when the list is updated weekly only. A cron job or a date-check would be a better solution in my opinion.

@kasper : The probability that 1) a subnet change country before the update, 2) that you are actually blocking that country and 3)that a visitor to your website is coming from that specific subnet is very improbable unless you work at google ;)

I didnt think of performance issue... I did some quick benchmark with apache ab command.

2 dedicated server sending requests to 1 small VPS with block to china and india (thousands of iptables rules to test...)

WITHOUT iptables block :

-Round 1 :

 Requests per second:    140.46 [#/sec] (mean) on server 1

Requests per second:    153.48 [#/sec] (mean) on server 2

-Round 2:

 Requests per second:    139.69 [#/sec] (mean) on server 1

Requests per second:    147.11 [#/sec] (mean) on server 2

 WITH iptables block :

-Round 1:

 Requests per second:    138.17 [#/sec] (mean) on server 1

Requests per second:    143.10 [#/sec] (mean) on server 2

-Round 2

 Requests per second:    154.69 [#/sec] (mean) on server 1

 Requests per second:    151.13 [#/sec] (mean) on server 2

What's Google got to do with anything?  They're a search engine, not an ISP...

Look this.

http://blog.kdn2.info/2010/11/block-facebook-com-with-iptables/

For sites with lots of traffic you are better off looking at the following

 ipset - http://ipset.netfilter.org/

iptables geoip patch -  http://people.netfilter.org/acidfu/geoip/howto/

Great Howto!  I can't believe this is that simple!

 Is there an efficient way to do the reverse of this?  I have a site where it only needs to be available in the US (actually only 1 state in the US)

 It seems that this would be a good idea, but putting in a ton of Deny statements would slow things down.

Anyone have any ideas?

A python version of the script is available here:

http://forum.ipinfodb.com/viewtopic.php?f=9&t=44 (indentation is broken but I'm sure you can work it out)

which will allow importation of the rule file via the iptables-restore command.

As it is, the script expects a line separated list of IP/network addresses in the form w.x.y.z/CIDR, though it will probably work with a full subnet mask instead of CIDR as well. It also expects the ipaddr module to be installed (http://code.google.com/p/ipaddr-py/).

There is no proper error checking in the script, so you'll have to implement that yourself.

I use it in conjunction with the resulting file from the wget command in the above bash script after it has been sorted/unique'd.

Sk

hi

thx for the script, i'm modified for allow only one country access to the ftp server

example:

 first step need to create iptables chain for filter

iptables -N ftp-filter

second step need to add policy to input chain

iptables -A INPUT -p tcp -m multiport --dport ftp,ftp-data -j ftp-filter

and use the script:

#!/bin/bash
#first step
#iptables -N ftp-filter
#iptables -A INPUT -p tcp -m multiport --dport ftp,ftp-data -j ftp-filter
#http://www.countryipblocks.net/e_country_data/
COUNTRIE="HU"
WORKDIR="/root/"
#######################################
cd $WORKDIR
wget -c --output-document=iptables-whitelist.txt http://www.countryipblocks.net/e_country_data/"$COUNTRIE"_cidr.txt
if [ -f iptables-whitelist.txt ]; then
  iptables -F ftp-filter
  BLOCKDB="iptables-whitelist.txt"
  IPS=$(grep -Ev "^#" $BLOCKDB)
  for i in $IPS
  do
    iptables -A ftp-filter -p tcp -s $i -m multiport --dport ftp,ftp-data -j ACCEPT
  done
fi
iptables -A ftp-filter -p tcp -m multiport --dport ftp,ftp-data -j REJECT --reject-with tcp-reset
rm $WORKDIR/iptables-whitelist.txt

Make sure you have "--no-check-certificate" switch with wget.

Hello everyone,

I am looking for a shell or perl script to browse a log file, extract the IP, do a whois on each to see if IP address is a facebook or not
if it's a facebook address, the script adds it to a file bloc_ip.txt
if not it goes to the following address ...

since I am not a developer, I want a loan or similar script that I can change it.

Can someone help me?

 Here is a working block list generator

http://ipinfodb.com/ip_country_block.php