
TUTORIAL IPtables: BlackList Countries

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
wardmundy submitted a new resource:

IPtables: BlackList Countries - Here's an efficient way to blacklist entire countries from accessing public servers

Now that some of us are running public web servers, you may find it useful to block certain countries from accessing your server to reduce denial of service attacks, etc. Here's how with IPtables without bringing your server to its knees.

NOTE: This will NOT work on OpenVZ-type servers because of the shared kernel component (i.e. wable). Syntax is provided for CentOS, then Ubuntu/Debian below.

1. Install ipset (yum install ipset OR...

 

matthew

Guru
Joined
May 22, 2013
Messages
83
Reaction score
26
Thanks again for another useful add-on, Ward. I haven't implemented this yet, but I was looking at the code and thought there's a slightly cleaner way to implement it. You can avoid having multiple country scripts to create/add/remove/maintain from /etc, cron, and rc.local (I'm a sysadmin, I'm lazy, and will spend 20 minutes writing a script that saves me 5). Where you have

3. Add new shell script for each country replacing "yy" in /etc and make executable with chmod +x: /etc/block-countrycode.sh:
Code:
#!/bin/bash

COUNTRYCODE="yy"
# create the set if it does not exist yet (ignore the error if it does), then empty it
ipset -N "$COUNTRYCODE" hash:net 2>/dev/null
ipset flush "$COUNTRYCODE"
# fetch a fresh zone file into /etc (one CIDR per line)
rm -f "/etc/$COUNTRYCODE.zone"
wget -q -P /etc "http://www.ipdeny.com/ipblocks/data/countries/$COUNTRYCODE.zone"
for i in $(cat "/etc/$COUNTRYCODE.zone"); do ipset -A "$COUNTRYCODE" "$i"; done
/usr/local/sbin/iptables-restart

This could be replaced by having it all in one script file and wrapping your code in another for;do;done loop. This gives just one place to edit your country blocks.
(This is untested and could need a tweak. Just replying while I'm waiting for a task to finish.)

Code:
#!/bin/bash
# /etc/ipblock-countries.sh
#
# Add this script to /etc/rc.local so it will run on each reboot.
# Eg.
#    /etc/ipblock-countries.sh
#    exit 0
#
# Add this script to /etc/crontab for daily updates (02:00 every day)
#  0 2 * * * root /etc/ipblock-countries.sh > /dev/null 2>&1
#
# Change this to suit your OS
IPTABLESRESTART=/usr/local/sbin/iptables-restart

# add each country to the cc variable, separated by a space.
# Eg:
# cc="af cn kr ru"

cc="xx yy zz"
for COUNTRYCODE in $cc; do
    # create the set if it does not exist yet (ignore the error if it does), then empty it
    ipset -N "$COUNTRYCODE" hash:net 2>/dev/null
    ipset flush "$COUNTRYCODE"
    # fetch a fresh zone file into /etc (one CIDR per line)
    rm -f "/etc/$COUNTRYCODE.zone"
    wget -q -P /etc "http://www.ipdeny.com/ipblocks/data/countries/$COUNTRYCODE.zone"
    for i in $(cat "/etc/$COUNTRYCODE.zone"); do ipset -A "$COUNTRYCODE" "$i"; done
done
# the sets must exist before the rules that reference them are loaded
"$IPTABLESRESTART"
 

KUMARULLAL

Guru
Joined
Feb 20, 2008
Messages
243
Reaction score
28
The idea of having multiple countries separated by a space in a single file is elegant. Can anyone confirm if this really works?
Secondly, there is another place in iptables where you have to define the countries you want to block, according to the instruction

Code:
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

b. Just below that, add one or more new entries for each country you wish to block. For the list of country codes, go here.
Code:
-A INPUT -p tcp -m set --match-set countrycode src -j DROP
Here we need to add one entry each for every country we want to block like
-A INPUT -p tcp -m set --match-set countrycode src CN j DROP
-A INPUT -p tcp -m set --match-set countrycode src AF j DROP
-A INPUT -p tcp -m set --match-set countrycode src RU j DROP
Am I right? Is my syntax right?
Can we not do something like Matthew suggested to have a single entry with multiple countries defined in the src parameter?
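The following is an added example and is not code from the thread or from the IPtables resource; it illustrates both matthew's consolidated per-country loader and the question just raised about the `--match-set` rule. Two points it demonstrates: a downloaded zone file should be validated before its lines are fed to ipset (a corrupted or substituted download must not become firewall input), and `-m set --match-set` names exactly one set, so each country needs its own rule (or the sets have to be combined on the ipset side). Instead of one `ipset -A` call per prefix it writes an `ipset restore` batch that fills a temporary set and swaps it in, so the live set is never empty while it is being refreshed. The set names, the `ZONEDIR` path and the sample zone file are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread. Builds an "ipset restore" batch and
# the matching iptables rules for a list of country codes from zone files on
# disk (one IPv4 CIDR per line, the format ipdeny.com serves).
# ZONEDIR, the set names and the sample data below are assumptions.

ZONEDIR="${ZONEDIR:-/etc/zones}"   # assumed location of the downloaded xx.zone files

# Print only syntactically valid IPv4 CIDR lines from a zone file; comments,
# blank lines, out-of-range octets and anything else are dropped.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' "$1" |
    awk -F'[./]' '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256'
}

# Emit an "ipset restore" batch for one country: make sure the live set exists,
# fill a temporary set, then swap it into place and discard the old contents.
# Usage: ipset_batch <countrycode> <zonefile> | ipset restore
ipset_batch() {
    cc=$1
    zone=$2
    printf 'create %s hash:net -exist\n' "$cc"
    printf 'create %s_tmp hash:net -exist\n' "$cc"
    printf 'flush %s_tmp\n' "$cc"
    valid_cidrs "$zone" | sed "s/^/add ${cc}_tmp /"
    printf 'swap %s_tmp %s\n' "$cc" "$cc"
    printf 'destroy %s_tmp\n' "$cc"
}

# One rule per set: "-m set --match-set" takes a single set name, so a list of
# countries becomes a list of rules (same "-p tcp" form as the resource uses).
iptables_rules() {
    for cc in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m set --match-set $cc src -j DROP"
    done
}

# Constructed sample zone file: two valid prefixes, one comment, one bad octet,
# one garbage line. Prints the path of the temporary file it wrote.
sample_zone() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed xx.zone for the example
203.0.113.0/24
198.51.100.0/24
256.1.1.0/24
garbage
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: show the batch and the rules for one constructed country.
zone=$(sample_zone)
ipset_batch xx "$zone"
iptables_rules xx
rm -f "$zone"
```

In production the loop would be `for cc in $cc_list; do ipset_batch "$cc" "$ZONEDIR/$cc.zone" | ipset restore; done`, followed by `iptables_rules $cc_list` pasted into the INPUT chain; because the rules reference the sets by name, the sets must exist before the iptables rules are (re)loaded.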
 
