
Block all countries except the USA in iptables script

Quickly add IP address ranges to iptables on Linux

Downloads the ipdeny zone file for every ISO country code in a hard-coded list (the list leaves out the US, but it is not a complete list of countries, so anything not listed stays allowed) and populates iptables with ALL of the address ranges in those files automatically.

Set up a cron job (/etc/crontab) to run it every week:

 

Create /usr/local/bin/isoCodeBockIptables.sh with the following code:

#################

#!/bin/bash
### BACKUP THE CURRENT RULESET FIRST
/sbin/iptables-save > /backup/iptables-last.txt

### Block all traffic from everywhere except the US. Use ISO code ###
### This list is hand-maintained and not exhaustive: ca, de, fr, it and kr,
### among others, are missing and therefore remain allowed. Retired codes
### such as yu and an have no zone file to download and are skipped below.
ISO="af au al dz aq br ar cn lb my ly lr la jp jm jo kz ke hk ml mx fm md mc mn ms ma mz mm nr na np nl an nc nz ni ne ng nu nf mp no om pk pw pa pg py pe ph pn pl pt pr qa re ro ru rw kn lc vc ws sm st sn sa sc sl sg sk si sb so za gs es lk sh pm sd sr sj sz se ch sy tw tj tz th tg tk to tt tn tr tm tc tv ug ua ae gb um uy uz vu ve vn vg vi wf eh ye yu zm zw ie in il ir hn"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/etc/sysconfig/iptables-countrydrop"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

# Flush every table and reset the policies to ACCEPT. The host is wide open
# from this point until the static rules are restored at the end, and the
# download/insert loop below can take a long time.
cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}

# create a dir
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"

# clean old rules
cleanOldRules

# create a new iptables list
$IPT -N $SPAMLIST

for c in $ISO
do
# local zone file
tDB=$ZONEROOT/$c.zone

# get fresh zone file. Download to a temp file first: wget -O truncates the
# target before fetching, so a failed download would otherwise wipe the
# previous copy and silently unblock that country.
if $WGET -q -O "$tDB.tmp" "$DLROOT/$c.zone"; then
    /bin/mv "$tDB.tmp" "$tDB"
else
    echo "download failed for $c, keeping previous zone file" >&2
    /bin/rm -f "$tDB.tmp"
fi
[ -f "$tDB" ] || continue

# country specific log message
SPAMDROPMSG="$c Country Drop"

# get the prefixes, skipping comment and blank lines
BADIPS=$($EGREP -v "^#|^$" "$tDB")
for ipblock in $BADIPS
do
# two rules per prefix. The LOG rule is not rate-limited, so on a busy host
# it can flood syslog; add -m limit or drop the LOG rule if that matters.
$IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
$IPT -A $SPAMLIST -s $ipblock -j DROP
done
done

# Send every packet through the drop chain first
$IPT -I INPUT -j $SPAMLIST
# Matching on -s in OUTPUT only affects locally generated packets whose
# source address is in the list, which is normally none; harmless but ineffective.
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST

### ADD IN OTHER IMPORTANT RULESETS
# -n (--noflush) is required: without it iptables-restore flushes the filter
# table and throws away the chain that was just built.
/sbin/iptables-restore -n < /etc/sysconfig/iptables-static-rules.conf

exit 0

 

7 comments

  1. You forgot au – Australia

  2. I think that is a better idea to just allow one country instead of drop all others

    • That’s assuming all the IP blocks listed for the US are correct. Although it makes sense, I see why you’d do the opposite.

  3. Holy crap, this takes a while to create. What takes even longer? Doing an iptables -L after you run this script! I’d say it’ll take an hour to output all the lines in there.

  4. Try iptables -L -n for numeric values only.

  5. You need to get a regularly updated list if you don’t want false positives in blocking.

    You can export the free list from http://www.ip2location.com/free/visitor-blocker
