
Block all countries except the USA in iptables script

Quickly add IP address ranges in Linux

Downloads the ipdeny.com zone file for each country code in the hard-coded ISO list below and turns every IPv4 range in those files into iptables DROP rules, so only traffic from the countries left off the list (meant to be the US) gets through. Two things to check before relying on it: the list is hand-maintained and is not the complete ISO 3166 set, and it still contains the US territories pr, vi, mp and um, so it neither blocks "all countries" nor leaves all of the US open. The zone files at that URL are IPv4 only, so ip6tables is untouched.

Set up a cron job (/etc/crontab) to run it every week:


Create /usr/local/bin/isoCodeBockIptables.sh with the following code:

#################

#!/bin/bash
### BACKUP THE CURRENT RULESET FIRST
[ -d /backup ] || /bin/mkdir -p /backup
/sbin/iptables-save > /backup/iptables-last.txt

### Block all traffic from everywhere except the US. Use ISO code ###
### This list is hand-maintained (it is NOT the full ISO 3166 set) and still
### contains the US territories pr, vi, mp and um. Review it before use.
ISO="af au al dz aq br ar cn lb my ly lr la jp jm jo kz ke hk ml mx fm md mc mn ms ma mz mm nr na np nl an nc nz ni ne ng nu nf mp no om pk pw pa pg py pe ph pn pl pt pr qa re ro ru rw kn lc vc ws sm st sn sa sc sl sg sk si sb so za gs es lk sh pm sd sr sj sz se ch sy tw tj tz th tg tk to tt tn tr tm tc tv ug ua ae gb um uy uz vu ve vn vg vi wf eh ye yu zm zw ie in il ir hn"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/etc/sysconfig/iptables-countrydrop"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
STATICRULES="/etc/sysconfig/iptables-static-rules.conf"

cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}

# create a dir
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"

# clean old rules
cleanOldRules

### ADD IN OTHER IMPORTANT RULESETS
# Restore the static rules BEFORE building the country chain: plain
# iptables-restore replaces the whole table, so running it last (as the
# first version of this script did) throws away everything added below.
[ -f "$STATICRULES" ] && /sbin/iptables-restore < "$STATICRULES"

# create a new iptables list
$IPT -N "$SPAMLIST"

for c in $ISO
do
# local zone file
tDB="$ZONEROOT/$c.zone"

# get fresh zone file; download to a temp name so a failed fetch keeps the
# previous copy instead of leaving an empty file (which would silently
# unblock the whole country)
if $WGET -q -O "$tDB.tmp" "$DLROOT/$c.zone"; then
    /bin/mv -f "$tDB.tmp" "$tDB"
else
    echo "download of $c.zone failed, keeping previous copy" >&2
    /bin/rm -f "$tDB.tmp"
fi
[ -s "$tDB" ] || continue

# country specific log message (trailing space separates it from the packet fields)
SPAMDROPMSG="$c Country Drop "

# get the ranges, skipping comments and blank lines
BADIPS=$($EGREP -v "^#|^$" "$tDB")
for ipblock in $BADIPS
do
# rate-limit the LOG rule, or one scan from a blocked range fills the syslog
$IPT -A "$SPAMLIST" -s "$ipblock" -m limit --limit 5/min -j LOG --log-prefix "$SPAMDROPMSG"
$IPT -A "$SPAMLIST" -s "$ipblock" -j DROP
done
done

# Drop everything that arrives from a listed range. A jump from OUTPUT is
# omitted: -s only matches the packet source address, and locally generated
# packets carry this host's own address, so that rule never fired.
$IPT -I INPUT -j "$SPAMLIST"
$IPT -I FORWARD -j "$SPAMLIST"

exit 0

What do you think?

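As an added example (not code from the original post, nor from ipdeny): the same block list loaded into a single ipset hash:net set and matched by one iptables rule per chain. The script above appends a LOG and a DROP rule for every CIDR, so the chain grows to tens of thousands of rules and iptables -L has to walk all of them; an ipset match is a hash lookup, so neither the rule count nor the listing time grows with the number of ranges, and the swap replaces the live set in one step instead of flushing everything and rebuilding. It assumes ipset and iptables are installed and that the *.zone files are already downloaded into the directory the script above uses (it does no fetching itself). The set name countrydrop, the countrydrop_new staging set, the function names and the apply argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not the original script: load ipdeny zone files into ONE ipset
# and hook it with ONE rule per chain, instead of a LOG+DROP pair per CIDR.
# Assumes ipset/iptables are installed and the *.zone files already sit in
# $ZONEROOT (e.g. fetched by the script above). The set names, CREATE_OPTS and
# the "apply" argument are choices made for this example.

SET="countrydrop"
ZONEROOT="${ZONEROOT:-/etc/sysconfig/iptables-countrydrop}"
# Identical create options for both sets: "ipset swap" needs matching type/family.
CREATE_OPTS="hash:net family inet hashsize 65536 maxelem 1000000"

# Return 0 only for a syntactically valid IPv4 CIDR (a.b.c.d/n). A corrupt zone
# file, or an HTML error page that wget saved under the .zone name, must not be
# fed to "ipset restore".
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    _ip="${1%/*}"; _mask="${1#*/}"
    case "$_ip" in ''|*[!0-9.]*) return 1 ;; esac
    case "$_mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_mask" -le 32 ] || return 1
    _oldifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case "$_octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Emit an ipset-restore(8) script on stdout: fill a staging set from every
# *.zone file under $1, then swap it into place so the live set is replaced
# atomically and is never empty while a rebuild is running.
zones_to_ipset_restore() {
    _dir="$1"
    echo "create ${SET}_new $CREATE_OPTS -exist"
    echo "flush ${SET}_new"
    for _f in "$_dir"/*.zone; do
        [ -f "$_f" ] || continue
        # read keeps the first whitespace-separated word; the "|| [ -n ]" part
        # makes sure a last line without a trailing newline is not dropped
        while read -r _cidr _rest || [ -n "$_cidr" ]; do
            _cidr="${_cidr%%#*}"        # strip comment lines
            [ -z "$_cidr" ] && continue
            if is_ipv4_cidr "$_cidr"; then
                echo "add ${SET}_new $_cidr"
            else
                echo "$_f: skipping malformed entry '$_cidr'" >&2
            fi
        done < "$_f"
    done
    echo "create $SET $CREATE_OPTS -exist"
    echo "swap ${SET}_new $SET"
    echo "destroy ${SET}_new"
}

# Number of "add" lines the restore script would contain; a sanity check before
# loading, since a suspiciously small count means the downloads failed.
count_entries() {
    zones_to_ipset_restore "$1" 2>/dev/null | grep -c '^add '
}

# Load the set, then make sure each chain has exactly one rule pointing at it.
# The rule count stays constant no matter how many CIDRs the set holds.
apply_set() {
    zones_to_ipset_restore "$ZONEROOT" | ipset restore || return 1
    for _chain in INPUT FORWARD; do
        iptables -C "$_chain" -m set --match-set "$SET" src -j DROP 2>/dev/null ||
            iptables -I "$_chain" -m set --match-set "$SET" src -j DROP
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_set
fi
```

Run it as sh countrydrop-ipset.sh apply from the weekly cron entry after the zone files have been refreshed; without the argument it only defines the functions, so zones_to_ipset_restore /etc/sysconfig/iptables-countrydrop | less shows exactly what would be loaded, and count_entries gives the total. If you still want the per-country log line, one rate-limited LOG rule in front of the DROP (same -m set match, plus -m limit) replaces the thousands of LOG rules the original chain carries.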

7 Comments

• That's assuming all the IP blocks listed for the US are correct. Although it makes sense, I see why you'd do the opposite.

1. Holy crap this takes a while to create. What takes even longer? Doing an iptables -L after you run this script! I'd say it'll take an hour to output all the lines in there.

