
Written by Andrew Gould
27 July 2015

Blocking China and other countries from accessing your servers

I wanted a simple script that I could drop onto all of my Linux web servers, from Ubuntu to CentOS, to block whole countries at the firewall. Here is the version I found to work well enough:

#!/bin/bash
# Refresh the "geoblocks" ipset from ipdeny.com: remove the iptables rule that
# references the set, destroy and recreate the set, download one .zone file per
# country, load every network into the set and put the DROP rule back at the
# top of the INPUT chain.

# Keep the .zone files in a directory of their own so the cleanup below cannot
# delete anything else.
workdir="/var/lib/geoblocks"
mkdir -p "$workdir" && cd "$workdir" || exit 1

# Delete the rule by its full specification, not by position, so no other rule
# (for example one inserted by fail2ban) can be removed by mistake. The error
# on the very first run, when the rule does not exist yet, is ignored.
iptables -D INPUT -m set --match-set geoblocks src -j DROP 2>/dev/null

# Purge the old IPs: a set can only be destroyed once no rule references it.
ipset destroy geoblocks 2>/dev/null
# Re-establish the "geoblocks" ipset
ipset create geoblocks hash:net

# Remove old .zone files
rm -f ./*.zone

# ISO 3166 codes of the countries to block
iso="af kp kr cn cu ir iq in jp ru tw br ro it hu tr"
# Root of the ipdeny.com zone files
dlroot="http://www.ipdeny.com/ipblocks/data/countries"

# Download the .zone file for each country
for c in $iso; do
    wget -q "$dlroot/$c.zone" || echo "download of $c.zone failed" >&2
done

# Merge all the .zone files into one list
cat ./*.zone > blocks.zone

# Load the list into the "geoblocks" ipset; -exist keeps a duplicate network
# from aborting the loop
while read -r net; do
    [ -n "$net" ] && ipset -exist add geoblocks "$net"
done < blocks.zone

# Re-establish the iptables rule at the top of INPUT, ahead of fail2ban's rules
iptables -I INPUT -m set --match-set geoblocks src -j DROP

This script of course requires iptables and ipset to be installed and working properly, and it has to run as root. Run it from a weekly cron job and the country lists in the firewall stay current. Two things to be aware of: the lists are fetched over plain HTTP and loaded without any check, so whatever the download returns goes straight into the set, and the blocks are off for the few seconds between the destroy and the final insert.

The DROP rule has to be removed first because ipset refuses to destroy a set that an iptables rule still references. Deleting the rule by its full specification, rather than by assuming it sits at position 1 (which only holds as long as nothing else, such as fail2ban, has inserted rules above it), means neither iptables nor fail2ban has to be restarted and none of fail2ban's own rules are lost. The set is then destroyed to flush the old IPs, recreated, reloaded from ipdeny.com, and the rule is inserted back at position 1, ahead of anything fail2ban has added.
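As an added example, not the original post's script: a refresh that never takes the DROP rule out. It builds an `ipset restore` batch from the .zone files, validates every entry first (nothing in the script above checks what the download returned), loads it into a scratch set and swaps the two sets atomically, so the blocks never lapse and neither iptables nor fail2ban has to be restarted. The set names are assumptions, the sample zone input at the bottom is constructed, and the apply step needs root and is not run by the demo.

```bash
#!/bin/bash
# Added example, not the original post's script. Validates the downloaded
# networks, then swaps the refreshed list into the live set in one step.
set -u

SET_NAME="geoblocks"            # the set the iptables rule matches on
TMP_SET="${SET_NAME}_new"       # hypothetical scratch set used for the swap

# Read .zone file contents on stdin, keep only well-formed IPv4 CIDRs with
# every octet <= 255 and a prefix between 1 and 32, and print a batch in
# `ipset restore` syntax for set $1. CRLF line ends are tolerated; an HTML
# error page from a failed download, an out-of-range octet or a /0 (which
# would match every address) is dropped instead of being handed to ipset.
zones_to_restore() {
    local set="$1"
    printf 'create %s hash:net family inet\n' "$set"
    tr -d '\r' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
      | awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && $5>=1 && $5<=32' \
      | sort -u \
      | sed "s/^/add $set /"
}

# Load the batch into the scratch set and swap it into place. Needs root plus
# the ipset and iptables binaries; not called by the demo below.
apply_geoblocks() {
    local batch="$1"
    ipset destroy "$TMP_SET" 2>/dev/null      # leftover from an earlier failed run
    ipset restore < "$batch"
    if ipset list "$SET_NAME" >/dev/null 2>&1; then
        ipset swap "$TMP_SET" "$SET_NAME"     # rule keeps matching, now on the new list
        ipset destroy "$TMP_SET"              # holds the old list after the swap
    else
        ipset rename "$TMP_SET" "$SET_NAME"   # first run: nothing to swap with
    fi
    # Insert the DROP rule at the top of INPUT only if it is not already there
    # (-C checks for the rule; it needs iptables 1.4.11 or newer).
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample standing in for downloaded .zone files: two good
# networks, a duplicate, an out-of-range octet, a /0, an HTML line from a
# failed download and a good network with a CRLF line end.
sample_zone_input() {
    printf '%s\n' \
        '1.0.1.0/24' \
        '1.0.2.0/23' \
        '1.0.1.0/24' \
        '256.1.1.0/24' \
        '0.0.0.0/0' \
        '<html><body>404 Not Found</body></html>'
    printf '103.0.0.0/10\r\n'
}

# Number of "add" lines the batch would feed to ipset for the sample above.
count_adds() {
    sample_zone_input | zones_to_restore "$TMP_SET" | grep -c '^add '
}

# Demo: print the batch that would be restored (three add lines survive).
sample_zone_input | zones_to_restore "$TMP_SET"
```

In production the batch is built from the real downloads, `cat *.zone | zones_to_restore "$TMP_SET" > geoblocks.restore`, and then handed to `apply_geoblocks geoblocks.restore`. `ipset swap` requires both sets to be of the same type, so if a live set was created with other options than `hash:net family inet` destroy it once by hand before the first run.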

This should also work on any Linux-based firewall gateway appliance.

5 comments

  • Wonderful work! This is the type of info that is
    supposed to be shared around the net. Shame on the
    search engines for not positioning this
    post higher! Come on over and seek advice from my
    web site. Thank you =)

  • Hi there, I read your blog on a regular basis. Your humorous style is
    witty, keep it up!

  • Great article. Keep writing such kind of info on your blog.
    I'm really impressed by your site.
    Hello there, you've done a great job. I'll certainly digg it and personally suggest it to
    my friends. I am sure they'll benefit from this website.

    Remona, 05 January 2016
  • Really, when someone isn't aware of something, then it's up to other viewers to help, so here it occurs.

  • I would like to thank you for the efforts you've put into writing this blog.
    I really hope to check out the same high-grade content from you later
    on as well. In truth, your creative writing abilities have encouraged
    me to get my very own website now ;)
