Home Linux Basics Block IP in iptables based on country code
Linux Basics

Block IP in iptables based on country code

by Bella
written by Bella

It is very easy to block IP (country wise) with the help of CSF the default firewall from Cpanel.But it is not the case when we try with IPTables.

In this blog I will try to demonstrate how to Block IP from a certain country with the help of IPtables.For example purpose I choose Afghanistan and China.

I will give step by step instruction to install and automate the scrtipt given below.

#!/bin/bash
# Purpose: Block all traffic from AFGHANISTAN (af) and CHINA (CN).

Use ISO code. #
# ——————————————————————————-
ISO=”af cn”
### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
### No editing below ###
SPAMLIST=”countrydrop”
ZONEROOT=”/root/iptables”
DLROOT=”http://www.ipdeny.com/ipblocks/data/countries”
cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}
# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT
# clean old rules
cleanOldRules
# create a new iptables list
$IPT -N $SPAMLIST
for c in $ISO
do
# local zone file
tDB=$ZONEROOT/$c.zone
# get fresh zone file
$WGET -O $tDB $DLROOT/$c.zone
# country specific log message
SPAMDROPMSG=”$c Country Drop”
# get
BADIPS=$(egrep -v “^#|^$” $tDB)
for ipblock in $BADIPS
do
$IPT -A $SPAMLIST -s $ipblock -j LOG –log-prefix
“$SPAMDROPMSG”
$IPT -A $SPAMLIST -s $ipblock -j DROP
done
done
# Drop everything
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST
# call your other iptable script
# /path/to/other/iptables.sh
exit 0

Step 1

Save above script as root user and customize ISO variable to point out country name using ISO country names. Once done install the script as follows using crontab

# @weekly /path/to/country.block.iptables.sh

To start blocking immediately type:

# /path/to/country.block.iptables.sh

Step 2

Another, alternative to above shell script is to use geoip iptables patch. This is not standard iptables modules. You need to download patch and compile Linux kernel.

If you require help, contact SupportPRO Server Admin

Server not running properly? Get A FREE Server Checkup By Expert Server Admins - $125 Value

How to Enable and Configure Network Bonding in...

CentOS-7 : Commands and Configuration files

CentOS 7.x and CentOS 8.x.

Network configuration in Ubuntu 18.04 LTS using netplan

Super Computing with Block-chain Technology

Network File System ( NFS ) on CentOS...

Zend OpCache

External Authentication Techniques Available With cPanel

Configuring cPHulk via WHM & command line

​Installation and configuration of ‘Pyxsoft Antimalware’ in cPanel...

Leave a Comment

CONTACT US

Sales and Support

Phone: 1-(847) 607-6123
Fax: 1-(847)-620-0626
Sales: sales@supportpro.com
Support: clients@supportpro.com
Skype ID: sales_supportpro

Postal Address

1020 Milwaukee Ave, #245,
Deerfield, IL-60015
USA

©2022  SupportPRO.com. All Rights Reserved

X-twitter Facebook Linkedin Rss