Welcome to My Site

Subscribe to this RSS feed
Monday, 27 July 2015 23:50

Blocking China and other countries from accessing your servers

So I wanted to create a simple script which I could load onto all of my Linux webservers, from Ubuntu to CentOS. Here is the code I found to work relatively well:

#remove existing rule to purge old IP's, download IP's from ipdeny.com, load IP's into "geoblocks" ipset, re-add iptables rule and re-start fail2ban
#this is to get the "geoblocks" rule at the top of the list so that it can be deleted in the next line
service iptables restart
#delete the "geoblocks" rule from iptables
iptables -D INPUT 1
#purge the "geoblocks" ipset
ipset destroy geoblocks
#re-establish the "geoblocks" ipset
ipset create geoblocks hash:net
#remove old .zone files
rm *.zone
#set variables
iso="af kp kr cn cu ir iq in jp ru tw br ro it hu tr"
#root of ip list zone files
dlroot="http://www.ipdeny.com/ipblocks/data/countries"
#download the .zone files
for c in $iso; do wget $dlroot/$c.zone; done
#load all .zone files into one
cat *.zone > blocks.zone
#load list of IP's just created into the "geoblocks" ipset
for i in $(cat blocks.zone); do ipset add geoblocks $i; done
#re-establish iptables rule
iptables -I INPUT -m set --match-set geoblocks src -j DROP
service fail2ban restart

This script of course requres iptables and ipset to be installed and working properly. Add this script in a cron job set to update once a week, and you'll always have the latest list of country's IP's blocked at the firewall level.

Note that I restart iptables at the beginning to get the geoblocks rule at the top due to fail2ban placing rules above the one that I need to remove, then the rule is deleted so we can delete the geoblocks ipset, the ipset geoblocks is deleted to flush the old IP's, and then re-loaded from source (ipdeny.com). At the end, fail2ban is restarted to re-establish all the iptables rules that it creates.

This should also work on any Linux based firewall gateway appliance. NetArmor

Published in Blog
Read more...

From the Blog

  • G Suite Public Email Group
    Written by
    G Suite can be a bit confusing sometimes, but fear not, here is a quick guide to set your group up as an email list. I'm sure there is an official guide somewhere, but I was unable to find a definitive, official source for this information. First create your group, I usually select "Restricted" as the access level to ensure the group is not a public forum. Next set your group access as follows to allow for public posting: Next just to double check, go to the group moderation settings (link at the bottom of the g-suite group settings page,…
    Written on Friday, 11 January 2019 18:26 in Blog
    Tags: G SUITE GOOGLE GOOGLE MAIL GOOGLE ADMIN PUBLIC EMAIL PUBLIC GROUP
  • Blocking China and other countries from accessing your servers
    Written by
    So I wanted to create a simple script which I could load onto all of my Linux webservers, from Ubuntu to CentOS. Here is the code I found to work relatively well: #remove existing rule to purge old IP's, download IP's from ipdeny.com, load IP's into "geoblocks" ipset, re-add iptables rule and re-start fail2ban#this is to get the "geoblocks" rule at the top of the list so that it can be deleted in the next lineservice iptables restart#delete the "geoblocks" rule from iptablesiptables -D INPUT 1#purge the "geoblocks" ipsetipset destroy geoblocks#re-establish the "geoblocks" ipsetipset create geoblocks hash:net#remove old .zone filesrm…
    Written on Monday, 27 July 2015 23:50 in Blog
    Tags: LINUX FIREWALL HACKING SECURITY SECURITY HARDENING HARDEN SERVER SECURITY
  • New Sites
    Written by
    New Sites So I've been busy the last few months with various projects, including but definitely not limited to the following pages for incredible individuals. Pure Genetics website. Working with the incredible physique athlete, Travis Harris was a pleasure, and we both walked away from this project knowing a little more. Visit his site at puregeneticsfitness.com.                           Next we have the incredibly talented Julia James and her page juliajamesmusic.com. Go check her out and all of her great music. She is definitely a name to keep an eye on, this gal…
    Written on Friday, 30 May 2014 00:00 in Blog
    Tags: website
  • Introducing: NetArmor
    Written by
    Introducing: NetArmor NetArmor, my newest creation. From concept to completion and everything in between. www.netarmor.bz
    View the embedded image gallery online at:
    http://www.andrewg.us/itemlist/tag/LINUX#sigProId51db570cf9
    Written on Saturday, 01 March 2014 00:18 in Blog
    Tags: website branding
  • Women are crazy
    Written by
    Women are crazy Anyone ever dated this woman? I've dated her a couple times. They push you away and wonder why you get all "weird" when you wonder what's up. Then it's YOU who's unreasonable. Funny stuff here people! Got to laugh or else you'll cry.  
    Written on Tuesday, 25 February 2014 17:10 in Blog
    Tags: rant PERSONAL STUFF WOMEN
Back to top