Home > Code > Blocking Countries To Your Website With iptables

Blocking Countries To Your Website With iptables

by Patrick Crampton ( @codecrunch ) UPDATED  May,23 2016
6
5 Views
28


Here is a nice bash script that I ran across some time ago, that allows you to import ip ranges into your iptables. To better understand what is happening here, the full script is below, and follows with a break down of what the iptables script is actually doing. (The provider of the country ip ranges is Blogama – be sure and give them a visit.) For your convenience here is a list of the Country Codes to use in this script.

#!/bin/bash
###PUT HERE COMA SEPARATED LIST OF COUNTRY CODE###
COUNTRIES="AK,AR"
WORKDIR="/root"
#######################################
cd $WORKDIR
wget -c --output-document=iptables-blocklist.txt http://blogama.org/country_query.php?country=$COUNTRIES
if [ -f iptables-blocklist.txt ]; then
  iptables -F
  BLOCKDB="iptables-blocklist.txt"
  IPS=$(grep -Ev "^#" $BLOCKDB)
  for i in $IPS
  do
    iptables -A INPUT -s $i -j DROP
    iptables -A OUTPUT -d $i -j DROP
  done
fi
rm $WORKDIR/iptables-blocklist.txt

1st Step of the Bash Script

In this step, you are invoking the bash shell. The ‘COUNTRIES’ variable is a list of country codes that you wish to add to your iptables to block. The full list of countries is available here. Obviously /root is your working directory that the script will do all of it’s work in. You can change this to your common working directory if you have one that you regularly use.

#!/bin/bash
###PUT HERE COMA SEPARATED LIST OF COUNTRY CODE###
COUNTRIES="AK,AR"
WORKDIR="/root"
#######################################

2nd Step

Here we are simply changing the current working directory to match the directory variable that we listed above. The next step fetches (via wget) an external url, which is actually a script that will generate a formatted list of the ip ranges for the countries you requested.

cd $WORKDIR
wget -c --output-document=iptables-blocklist.txt http://blogama.org/country_query.php?country=$COUNTRIES

3rd Step – Meat and Potatoes of the iptables flush

These two lines below check to see if a file already exists from a prior run of the bash script itself. If the file does exist, then it flushes your iptables.

if [ -f iptables-blocklist.txt ]; then
  iptables -F

4th Step – Finishing the iptables insert

The last step of this iptable bash script opens the file we created with the ip ranges in it, and for each occurence of a new ip range, it creates a rule in your iptables to drop traffic from those ip ranges. When the script is done, it removes the created text file.

  BLOCKDB="iptables-blocklist.txt"
  IPS=$(grep -Ev "^#" $BLOCKDB)
  for i in $IPS
  do
    iptables -A INPUT -s $i -j DROP
    iptables -A OUTPUT -d $i -j DROP
  done
fi
rm $WORKDIR/iptables-blocklist.txt

To run the script on your server, simply type bash scriptnamehere.sh, replacing scriptnamehere.sh with whatever it is you choose to call and save the script as. The original file for this script can viewed at HowToForge.

Post Views: 5,341



Author

Patrick Crampton

Patrick (Cory) Crampton has been in the Web Development and Design field for 20 years. He enjoys guitar, anything web, and running his own webmaster for hire service. He’s the chief editor of CodeCrunch and owner of several other niche market websites. He's worked for Google Answers, the U.S. Marine Corps, and is lead developer for many high profile websites.

Read Next
6 Comments

shulato
August 27, 2010 at 4:18 am
Reply

i tried to capture the US and PH. i got 43000 of entries. meaning your script will do 43000 of “iptables -A INPUT -s $i -j DROP”?
is this won’t hit the numiptent limit of the server and result in an error?

[Reply]

Cory Crampton Reply:
August 27th, 2010 at 5:13 pm

Great question. If you are on a shared server (VPS – Virtuozzo) that limits this , then yes you will certainly run into an issue. This limit can be adjusted, but it’s typically not a good idea in a shared environment. The best way to still get some protection in this instance is to pick the CIDR ranges that seem to be giving you trouble and implement. For example – here is a couple of CIDR outputs for the Phillipines, following the instructions above :


27.50.0.0/22 27.106.216.0/21

[Reply]


Sam
January 19, 2011 at 7:29 pm
Reply

I am setting up above script, but the domain which are fetching the country detail is not working.

wget -c –output-document=iptables-blocklist.txt http://blogama.org/country_query.php?country=$COUNTRIES

http://blogama.org/country_query.php

Above link is not working.

Can anyone let me know if the domain is changed or any other way to make script working?

Thanks in advance.

[Reply]

Cory Crampton Reply:
January 19th, 2011 at 11:38 pm

Sorry – that site is no longer available, and I do not know right away if there is another site that works using similar methods. I will post back here with what I can find. Thanks!

[Reply]

Sam Reply:
January 21st, 2011 at 7:48 pm

Thanks for the response.

If you have an idea what kind of response that site was returning then let me know.
We can think over it.

Please let me know your thoughts.

Thanks.

[Reply]


Piyush
July 15, 2012 at 12:44 pm
Reply

Thanx man that’s works fine on my site

[Reply]


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This post has been marked as legacy. This means the data might be outdated. Where practical – please use our site search to find a newer, related article to ensure accuracy.

You are reading
Blocking Countries To Your Website With iptables
Share 6 Comments