
Here is a handy bash script I ran across some time ago that imports country IP ranges into iptables. To make clear what is happening, the full script is below, followed by a breakdown of what each part actually does. (The country IP ranges are served by Blogama; be sure to give them a visit.) For your convenience, here is a list of the country codes to use in this script.
#!/bin/bash
###PUT HERE COMMA SEPARATED LIST OF COUNTRY CODES###
COUNTRIES="AK,AR"
WORKDIR="/root"
#######################################
cd $WORKDIR
# fetch the generated list of ranges for the requested countries
wget -c --output-document=iptables-blocklist.txt http://blogama.org/country_query.php?country=$COUNTRIES
# only touch the firewall if the download produced a file
if [ -f iptables-blocklist.txt ]; then
  # flushes every rule in the filter table, not just this script's rules
  iptables -F
  BLOCKDB="iptables-blocklist.txt"
  # skip comment lines; every remaining line is treated as a range
  IPS=$(grep -Ev "^#" $BLOCKDB)
  for i in $IPS
  do
    iptables -A INPUT -s $i -j DROP
    iptables -A OUTPUT -d $i -j DROP
  done
fi
rm $WORKDIR/iptables-blocklist.txt
1st Step of the Bash Script
In this step, the shebang line selects bash as the interpreter. The 'COUNTRIES' variable is a comma-separated list of the country codes whose ranges you wish to block; the full list of codes is available here. WORKDIR (/root by default) is the directory the script downloads into and deletes from. You can change this to a working directory you regularly use.
#!/bin/bash
###PUT HERE COMMA SEPARATED LIST OF COUNTRY CODES###
COUNTRIES="AK,AR"
WORKDIR="/root"
#######################################
2nd Step
Here we simply change the current working directory to the one named by the variable above. The next line fetches (via wget) an external URL, which is actually a script on the provider's side that generates a formatted list of IP ranges for the countries you requested. Note that the list travels over plain HTTP and is not verified in any way before it is turned into firewall rules, so anyone who can tamper with that response decides what your server blocks; the -c flag only tells wget to resume a partially downloaded file.
cd $WORKDIR
wget -c --output-document=iptables-blocklist.txt http://blogama.org/country_query.php?country=$COUNTRIES
3rd Step – Meat and Potatoes of the iptables flush
The two lines below check whether the download just made actually produced the file; if wget failed, nothing else happens. If the file exists, the script flushes iptables. Be aware that iptables -F with no chain name flushes every rule in every chain of the filter table, not just rules from a previous run of this script, so any other rules you have loaded are gone (chain default policies are left alone).
if [ -f iptables-blocklist.txt ]; then
iptables -F
4th Step – Finishing the iptables insert
The last step of this iptables bash script reads the downloaded file, drops the comment lines, and for each remaining IP range appends two rules: one on INPUT that drops traffic coming from the range, and one on OUTPUT that drops traffic going to it. When the loop is done, the script removes the downloaded text file. Note that no check is made that a line is really a CIDR range before it is handed to iptables.
BLOCKDB="iptables-blocklist.txt"
IPS=$(grep -Ev "^#" $BLOCKDB)
for i in $IPS
do
iptables -A INPUT -s $i -j DROP
iptables -A OUTPUT -d $i -j DROP
done
fi
rm $WORKDIR/iptables-blocklist.txt
To run the script on your server, simply type bash scriptnamehere.sh as root (iptables needs it), replacing scriptnamehere.sh with whatever you chose to call the script when you saved it. The original file for this script can be viewed at HowToForge.
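Below is an added example, written for this page and not the script from the post or from HowToForge, that does the same job with the weak spots of the original fixed: the list is fetched over HTTPS (the URL is an assumption about the provider), every entry is checked to be an IPv4 CIDR before it reaches iptables, a failed or empty download leaves the firewall untouched, and the ranges are loaded into a dedicated chain (COUNTRYBLOCK, a name chosen here) that is the only thing flushed, instead of iptables -F wiping every rule in the filter table. It ships with a constructed sample list so it can be run offline with --demo or with DRY_RUN=1, which prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not the original script. POSIX sh; run as root to apply.
set -uf   # -u: unset variables are errors; -f: no globbing during word-splitting

CHAIN="COUNTRYBLOCK"            # dedicated chain name (chosen for this example)
DRY_RUN="${DRY_RUN:-0}"

# Constructed sample list (not real provider output) so the script runs offline.
SAMPLE_BLOCKLIST='# constructed sample, comment lines are skipped
27.50.0.0/22
27.106.216.0/21

300.1.1.0/24   # octet out of range
10.0.0.0/33    # prefix out of range
0.0.0.0/0      # would drop all traffic
not-an-ip'

# Return 0 if $1 is a.b.c.d/nn with every octet <= 255 and 1 <= nn <= 32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; prefix="${1#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the valid ranges from blocklist file $1, one per line. Comments and
# blank lines are skipped; anything else is reported on stderr and dropped.
filter_ranges() {
    file="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"          # strip trailing or whole-line comments
        set -- $line                # word-split; a blank line yields no words
        [ $# -eq 0 ] && continue
        if [ $# -eq 1 ] && valid_cidr "$1"; then
            printf '%s\n' "$1"
        else
            printf 'skipping malformed entry: %s\n' "$*" >&2
        fi
    done < "$file"
}

# Print the iptables commands that (re)build the chain from blocklist file $1.
# Only the dedicated chain is flushed; INPUT and OUTPUT get one jump each.
gen_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN"
    filter_ranges "$1" | while IFS= read -r range; do
        echo "iptables -A $CHAIN -s $range -j DROP"
        echo "iptables -A $CHAIN -d $range -j DROP"
    done
    echo "iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT -j $CHAIN"
    echo "iptables -C OUTPUT -j $CHAIN 2>/dev/null || iptables -I OUTPUT -j $CHAIN"
}

# Download the list for comma-separated country codes $1 into file $2.
fetch_blocklist() {
    # the codes go straight into a URL, so accept nothing but CC[,CC...]
    printf '%s' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$' || return 1
    # HTTPS URL is an assumption; the post fetched this over plain HTTP, which
    # lets anyone on the path rewrite the list that ends up in your firewall.
    wget -q --https-only -O "$2" "https://blogama.org/country_query.php?country=$1" || return 1
    [ -s "$2" ]                 # an empty download counts as failure
}

# Generate rules for the constructed sample (offline demonstration).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_BLOCKLIST" > "$tmp"
    gen_rules "$tmp"
    rm -f "$tmp"
}

# Usage: ./countryblock.sh AR            apply (as root)
#        DRY_RUN=1 ./countryblock.sh AR  print the rules instead of applying
#        ./countryblock.sh --demo        print rules for the constructed sample
main() {
    case "${1:-}" in
        --demo) demo; return ;;
        '') echo "usage: $0 CC[,CC...] | --demo" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    if ! fetch_blocklist "$1" "$tmp"; then
        echo "download failed; firewall left unchanged" >&2
        rm -f "$tmp"; return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then gen_rules "$tmp"; else gen_rules "$tmp" | sh -e; fi
    rm -f "$tmp"
}

[ $# -gt 0 ] && main "$@"
```

Running it with --demo shows that only the two well-formed ranges in the sample produce DROP rules; the four malformed entries are reported and skipped rather than handed to iptables. Because the chain is flushed and rebuilt by name, re-running the script replaces the previous country rules without touching anything else you have loaded. If you block many countries, an ipset referenced by a single rule is a lighter alternative to thousands of individual rules.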
Cory Crampton Reply:
August 27th, 2010 at 5:13 pm
Great question. If you are on a shared server (VPS – Virtuozzo) that limits this, then yes, you will certainly run into an issue. This limit can be adjusted, but it's typically not a good idea in a shared environment. The best way to still get some protection in this instance is to pick the CIDR ranges that seem to be giving you trouble and implement them. For example, here are a couple of CIDR outputs for the Philippines, following the instructions above:
27.50.0.0/22 27.106.216.0/21