How to Ban a country with iptables

Block a country with iptablesI’m stil lreceiving huge spam/unwanted traffic from russia.
I want to ban with iptables
I already tried to stop it using fail2ban but they continuosly change their IP Address so there is no repetitive behavior wich fail2ban can trace.
This means that even if i setup rules for fail2ban they can do the first connection anyway wasting a little of my server resources.
I want to stop it now, so i decided to do it the bad way:using iptables.

I found an useful script here http://www.cyberciti.biz/faq/block-entier-country-using-iptables/ and I’ve been modifying it in order to make the job for me. Pay attention, if you already have setup iptables rules, if you just execute the script on the page I’ve linked before, you will flush all of your rules. That’s a good reason to use mine 🙂
Also :

    • I added a counter into the loop so you have a perception of what’s going on if you launch it by hand.
    • I added a final line that echoes how many rules have benn created.
    • I made this independent from other existing rules so you don’t have to modify already working scripts.

This very useful shell script will help to download the IP address blocks of the country I’m going to block and then it will recursively create an iptables rules for each block found in the downloaded file.
If you are interested in other world countries ip blocks just visit:http://www.ipdeny.com/ipblocks/

This is the code:

#!/bin/bash
counter=1
### Block all traffic from AFGHANISTAN (af) and CHINA (CN). Use ISO code ###
ISO="ru"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

	$IPT -F $SPAMLIST

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# clean old rules
#cleanOldRules

# create a new iptables list
$IPT -N $SPAMLIST

for c  in $ISO
do
	# local zone file
	tDB=$ZONEROOT/$c.zone

	# get fresh zone file
	$WGET -O $tDB $DLROOT/$c.zone

	# country specific log message
	SPAMDROPMSG="$c Country Drop"

	# get 
	BADIPS=$(egrep -v "^#|^$" $tDB)
	for ipblock in $BADIPS
	do
	  $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
	  $IPT -A $SPAMLIST -s $ipblock -j DROP
		counter=`expr $counter + 1`
		echo -ne "Adding" $counter\\r
	done
done
echo "ADDED " $counter " IP Address Blocks"

# Drop everything 
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST

# call your other iptable script
# /path/to/other/iptables.sh

exit 0

You can verify the new created rules typing:

iptables -L -n

Use the “-n” switch to avoid the dns lookup as you are going to create recursively a lot of rules.

That’s all, also if you do

tail -F /var/log/messages

You will se an amount of lines like this:

Jan  2 10:47:29 myserver kernel: [5496150.304711] ru Country DropIN=eth0 OUT= MAC=00:16:3e:54:56:49:00:0d:66:f9:ec:0a:08:00 SRC=95.104.188.169 DST=myserver LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=2422 DF PROTO=TCP SPT=57066 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

If you plan to schedule by cronjob, remember to remove all “echo” lines or to manage them redirecting the output of the command.
If you don’t want a huge messages log then comment the line:

# $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"

as i did.
Any comment is appreciated, Ciao! 

Incoming search terms:

  • iptables mac osx block china ip (14)
  • restrict iptables to countries (2)
  • block china ip addresses iptables (1)
  • block country fail2ban (1)
  • cara melarang negara ke whm kita (1)
  • dd wrt iptables country block (1)
  • ddwrt block foreign incoming ip (1)
  • fail2ban block country (1)
  • iptables block country (1)
(Visited 5,709 times, 1 visits today)

Author: Giuseppe Urso

Giuseppe lives in Haarlem now with his shiny dog, Filippa In 1982 received his first home computer, a Commodore 64, followed by Datasette and a 1541 Floppy Disk Drive. In 1999 he installed his first Linux distro (LRH6). In 2006 he switched to Debian as favourite OS. Giuseppe Urso actively sustains the Free Software Fundation and his founder Richard Mattew Stallman, he speaks to people trying to convince them to join the fight now, and about how important is to use Free Software only. He has a job as Infra Specialist at Hippo Enterprise Java Cms an Open Source Enterprise class Content Management System, one of the coolest company ever, in Amsterdam. He's always ready to install Debian on other people computers for free.

Leave a Reply

Your email address will not be published. Required fields are marked *