Posted in: Bash, Iptables, Linux, Scripts, Security

Script : ban a country under iptables

January 16, 2006 - 11 comments

Let's say you want to completely ban a country from accessing your servers.
E.g.: countries that have very lax Internet laws.

Note: in regard to Epe's comment, this article has been updated with a newer script, which should do a better job. Please drop me a comment, I'd love to hear feedback!

This script downloads the address allocation list published by the RIR (RIPE NCC for Europe; every RIR publishes the same format, e.g. the delegated-apnic-latest file mentioned in the comments), keeps the blocks registered to the chosen country code and generates the iptables rules automatically. Keep in mind what that does and does not give you: the country is the one the registry recorded for the allocation, not where a host physically sits, and anyone with a VPN, a proxy or a compromised machine elsewhere walks around the block. It cuts noise; it is not a security boundary.

Download the script here: http://www.wains.be/pub/update_country_block_list

The output looks like this (only NEW connections are matched, so sessions that are already established are not cut):

-A INPUT -s 62.217.192.0/18 -m state --state NEW -j DROP
-A INPUT -s 62.231.64.0/18 -m state --state NEW -j DROP
-A INPUT -s 80.74.48.0/20 -m state --state NEW -j DROP

Or like this if you just want the blocks:

62.217.192.0/18
62.231.64.0/18
80.74.48.0/20

You can use the output with iptables or any other firewall. Two practical notes: the rules above are in iptables-save syntax, so either wrap them in a *filter ... COMMIT block for iptables-restore or prefix each line with "iptables"; and a country can mean thousands of blocks (one commenter ended up with 52,000 lines), which iptables walks rule by rule for every new packet, so for large lists put the blocks in an ipset (type hash:net) and match the whole set with a single rule.
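Here is a worked version of the parsing step in Python. It is an added example, not the script distributed at wains.be: it reads a file in the delegated-statistics format that every RIR publishes (the delegated-apnic-latest file named in the comments is one; RIPE NCC's is delegated-ripencc-latest under ftp.ripe.net/pub/stats/ripencc/), keeps the IPv4 or IPv6 delegations of one country code and prints either bare CIDR blocks or the same iptables rules as above. The SAMPLE text is constructed to show the format; its RO blocks match the post's output, and the 768-address range is there to show why start+count cannot always be turned into a single prefix. The allow_only function is the inverse policy a commenter asks for further down (let one country in, drop every other new connection). The function names, the sample data and the command-line layout are mine, not the page's.

```python
#!/usr/bin/env python3
"""Build CIDR lists / iptables rules for one country from an RIR delegated file.

Added example, not the post's script. The delegated-<rir>-latest files from
RIPE NCC, APNIC, ARIN, LACNIC and AFRINIC share one pipe-separated layout:

    registry|cc|type|start|value|date|status[|extensions]

For ipv4 lines 'value' is a COUNT of addresses (not necessarily an aligned
power of two); for ipv6 lines it is a prefix length. Version and summary
lines look different and are skipped.
"""
import ipaddress
import sys
from typing import Iterable, Iterator, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the delegated format (dates, the 192.0.2.0 range and
# the 2001:db8:: range are made up). The /18, /18 and /20 RO lines reproduce
# the blocks shown in the post; 768 addresses is not a power of two and
# therefore has to become two CIDR blocks.
SAMPLE = """\
2|ripencc|20070126|11|19830705|20070125|+0100
ripencc|*|ipv4|*|5|summary
ripencc|*|ipv6|*|1|summary
ripencc|*|asn|*|1|summary
ripencc|RO|ipv4|62.217.192.0|16384|20010326|allocated
ripencc|RO|ipv4|62.231.64.0|16384|20020410|allocated
ripencc|RO|ipv4|80.74.48.0|4096|20011105|allocated
ripencc|RO|ipv4|192.0.2.0|768|20050101|assigned
ripencc|PT|ipv4|193.136.0.0|65536|19920101|assigned
ripencc|RO|ipv6|2001:db8::|32|20050701|allocated
ripencc|RO|asn|12345|1|20000101|allocated
"""


def country_networks(lines: Iterable[str], cc: str,
                     family: str = "ipv4") -> Iterator[Network]:
    """Yield the networks delegated to country code cc (case-insensitive)."""
    cc = cc.upper()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7:
            continue            # summary lines only have 6 fields
        _registry, country, kind, start, value, _date, status = fields[:7]
        if country != cc or kind != family:
            continue            # also drops the version header (its cc field is the RIR name)
        if status not in ("allocated", "assigned"):
            continue            # ignore reserved / available space
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            # summarize_address_range splits an unaligned or non-power-of-two
            # range into the minimal set of CIDR blocks
            yield from ipaddress.summarize_address_range(first, last)
        elif kind == "ipv6":
            yield ipaddress.IPv6Network(f"{start}/{value}", strict=False)


def cidr_list(lines: Iterable[str], cc: str, family: str = "ipv4") -> List[str]:
    """Bare blocks, one per line, for any firewall."""
    return [str(net) for net in country_networks(lines, cc, family)]


def iptables_rules(lines: Iterable[str], cc: str, family: str = "ipv4",
                   action: str = "DROP") -> List[str]:
    """Rules in iptables-save syntax, matching only NEW connections as the post does."""
    return [f"-A INPUT -s {net} -m state --state NEW -j {action}"
            for net in country_networks(lines, cc, family)]


def allow_only(lines: Iterable[str], cc: str, family: str = "ipv4") -> List[str]:
    """Inverse policy: accept new connections from cc only, drop all other new ones.

    Loopback and already-established traffic are accepted first so the host
    keeps talking to itself and to the connections it opened itself.
    """
    rules = ["-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    rules += iptables_rules(lines, cc, family, action="ACCEPT")
    rules.append("-A INPUT -m state --state NEW -j DROP")
    return rules


def main(argv: List[str]) -> int:
    """usage: country_block.py DELEGATED-FILE CC [ipv4|ipv6] [blocks|drop|allow]"""
    if len(argv) < 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    path, cc = argv[1], argv[2]
    family = argv[3] if len(argv) > 3 else "ipv4"
    mode = argv[4] if len(argv) > 4 else "drop"
    with open(path, encoding="ascii", errors="replace") as fh:
        lines = fh.readlines()
    emit = {"blocks": cidr_list, "drop": iptables_rules, "allow": allow_only}[mode]
    print("\n".join(emit(lines, cc, family)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as "country_block.py delegated-ripencc-latest RO blocks" for the bare list or with "drop" for the rules. The "-m state" match is kept to stay identical to the post's output; on current kernels "-m conntrack --ctstate NEW" is the equivalent, non-deprecated form. Note that the ipv6 rules need ip6tables, not iptables.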

Comments

John

May 7, 2006 - 23:11

This script would be perfect if it ran.

After stripping out the useless slashes (stripslashes() anybody? :) ), I managed to at least grab the list from RIPE, but it still produces an error in the regexp.

root@server [~]# ./ips.sh
Downloading the database from RIPE servers…
rm: cannot lstat `/tmp/iptables-drop-': No such file or directory
Now parsing the database…
Saving country databases under :
sed: -e expression #1, char 81: Unknown option to `s'
/tmp/iptables-drop-RO

epe

December 28, 2006 - 17:22

The script to be downloaded is not the same as the one you expose in your page.

Check this line:

grep \"$country\" | \

In the script you wrote: COUNTRY instead of country

Therefore the error mentioned in the comment above.

regards
epe

Sébastien Wains

January 26, 2007 - 11:13

Please note a new version of the script has been uploaded since epe’s comment.

Feel free to send some feedback about the new one

f* u

May 21, 2007 - 21:49

i h8 u c*, ur one of the reasons i cant get msn in school wat did we eva do to u

Sébastien Wains

May 21, 2007 - 22:12

I’m gonna answer the latest comment posted to this article. It has been slightly moderated, some words were simply not appropriate.

1. This article was about blocking a country from reaching your Linux machine; you're actually probably referring to this one: http://www.wains.be/index.php/2006/05/16/block-msn-and-other-messengers-on-your-network/

2. If you were wiser (and probably a bit older) you would contact me, asking for ways to bypass the restrictions in place. Hate will not help you reach your goal. Of course, in no way would I help you, if it's not asked for the sake of learning how stuff works.

3. Your school admins decided to block MSN at your school, not me. They probably have their reason. And I don’t believe they’ve waited for my insight on the subject to start prohibiting MSN on their network.

4. This was my first hate comment.
217 happy customers.
1 angry customer.

Pretty good ratio, eh ?

Peace m8 ! :-)

al750n

July 30, 2007 - 5:39

Very useful I think :-) .. I give you this link (http://okean.com/sinokoreacidr.txt) listing Chinese and Korean net blocks .. Maybe this is useful if you want to block spam mail coming from these countries .. :-D

sizor

September 13, 2007 - 17:49

hi.

I want to ban all countries except one, "Portugal".
How can I give permission to PT access only?

pbr

October 17, 2007 - 3:35

Thanks for the work writing the script.

I think there was an extra slash in one line:

Changed this line
/usr/bin/wget -v --progress=bar ${LINK}/${FILE} -O ${TMP}/db_${COUNTRY}

to this
/usr/bin/wget -v --progress=bar ${LINK}${FILE} -O ${TMP}/db_${COUNTRY}

That got rid of one error but still I’m not getting a list of ip blocks. Looking at http://ftp.apnic.net/stats/apnic/assigned-apnic-latest I can’t spot ip blocks or how to extract them.

pbr

October 17, 2007 - 5:58

OK, think there's another line that needs to be changed:
FILE="apnic/assigned-apnic-latest"

should be:
FILE="apnic/delegated-apnic-latest"

and I needed to add to the beginning of the piped sed command "s/(apnic\||"

I was looking to block mail from the Philippines but after getting 52,000 lines, I'm not going to do it.

pcrack

February 22, 2008 - 4:11

Hi, there's a module for iptables called geoip to block by country. Check it.

Sébastien Wains

February 22, 2008 - 21:33

Thanks pcrack.
Here’s the link for anyone interested : http://people.netfilter.org/~peejix/geoip/
