
Block IP traffic from specified countries (geoblocking) (by damian)

Many brute-force attacks and port scans come from countries your server usually does not deal with anyway. It can be a good idea to implement some kind of geoblocking for specific countries and drop all network traffic from them using iptables (and ipset).

In short, ipset is a superb tool in combination with iptables when you need to apply rules to long lists of IP addresses and networks. Instead of cluttering iptables with hundreds of (almost identical) rules, it can be done with a single iptables rule that matches a defined ipset list. This solution will also outperform iptables-only solutions.

Install ipset package (debian/ubuntu/..):

 $ apt-get install ipset

Use something like this script to insert ipset/iptables rules:

#!/bin/bash
#
# geoblock countries
#
# CONFIG BEGIN

IPSET=/sbin/ipset
IPTBL=/sbin/iptables
TAR=/bin/tar
WGET=/usr/bin/wget

# countries to block
if [ $# -eq 0 ]
    then
        echo "No arguments supplied"
        echo "Usage:   $0 [country_code[s]]"
        echo "Example: $0 cn pk ru"
        exit 1
fi

BLISO="$@"
#BLISO="cn pk"
#BLISO="ae af ag ai al am ao ap ar as au aw az ba bb bd bf bg bh bi bj bl bm bn bo bq br bs bt bw by bz ca cd cf cg ci ck cl cm cn co cr cu cv cw cy cz \
#	dj dm do dz ec ee eg er et fj fm fo ga gd ge gf gg gh gi gl gm gn gp gq gr gt gu gw gy hk hn hr ht hu id ie il im in io iq ir \
#	je jm jo jp ke kg kh ki km kn kp kr kw ky kz la lb lc lk lr ls lt lu lv ly ma mc md me mf mg mh mk ml mm mn mo mp mq mr ms mt mu mv mw mx my mz \
#	na nz ne nf ng ni np nr nu nz om pa pe pf pg pk pl pm pr ps pt pw py qa re ro rs ru rw sa sb sc sd se si sk sl sm sn so sr ss st sv sx sy sz \
#	tc td tg th tj tk tl tm tn to tr tt tv tw tz ua ug uy uz va vc ve vg vi vn vu wf ws ye yt za zm zw"

# ipset name prefix
IPSETPREFIX="geoblock"

# working directory
ZONEROOT="/tmp/geoblock"

# zones file to download
ALLZDL="http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz"
#DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

# CONFIG END

if [ "$EUID" -ne 0 ]
    then
        echo "Please run as root"
        exit 2
fi

# create a working dir if not exist
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"
cd "$ZONEROOT" || exit 3

# download zones; abort if the archive cannot be fetched or unpacked,
# otherwise the loop below would silently work on stale or missing files
[ -f all-zones.tar.gz ] && rm all-zones.tar.gz
$WGET -q -N "$ALLZDL" || { echo "Download of $ALLZDL failed" >&2; exit 3; }
$TAR xfz all-zones.tar.gz || { echo "Could not unpack all-zones.tar.gz" >&2; exit 3; }

for c in $BLISO
do
    # local zone file
    tDB=$c.zone
    [ -f "$tDB" ] || { echo "No zone file for '$c', skipping" >&2; continue; }

    # get fresh zone file
    #$WGET -q -N -P $ZONEROOT/ $DLROOT/$c.zone

    # read the networks, skipping comments and blank lines
    BADIPS=$(grep -Ev "^#|^$" "$tDB")

    # create ipset for zone (-! : do not fail if the set already exists)
    $IPSET create "$IPSETPREFIX-$c" hash:net -!

    # drop entries from a previous run so networks removed upstream do not linger
    $IPSET flush "$IPSETPREFIX-$c"

    # add ips to the ipset
    for ipblock in $BADIPS
    do
        $IPSET add "$IPSETPREFIX-$c" "$ipblock" -exist
    done

    # iptables -I INPUT -m set --match-set XXX src -j DROP
    # delete an existing rule first so re-runs do not stack duplicates
    $IPTBL -D INPUT -m set --match-set "$IPSETPREFIX-$c" src -j DROP > /dev/null 2>&1
    $IPTBL -I INPUT -m set --match-set "$IPSETPREFIX-$c" src -j DROP

done

#EoF

This example script takes the country codes as command line arguments:

 $ ./geoblock.sh cn pk ru

This example blocks all IP addresses from China (cn), Pakistan (pk) and Russia (ru).
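Adding a large zone one `ipset add` at a time is slow; `ipset restore` loads a whole set in a single call. The following is an added example, not part of the original post, that turns a zone file into restore input and rejects any line that is not a valid IPv4 network (the function name zone_to_restore and the sample zone are assumptions; the geoblock- set name prefix is the page's own).

```shell
#!/bin/bash
# Added example (not from the original post): build `ipset restore` input
# from an ipdeny zone file so one ipset call loads a whole country, and
# refuse any line that is not a valid IPv4 network, so a corrupt or
# tampered download cannot push arbitrary text into the restore stream.

# zone_to_restore <country_code> <zone_file>
# Writes the restore commands to stdout, reports rejected lines on stderr,
# and returns 1 if any line was rejected (0 otherwise).
zone_to_restore() {
    local setname="geoblock-$1" zone="$2"
    local line bad=0
    local octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    local cidr="^${octet}(\.${octet}){3}/([0-9]|[12][0-9]|3[0-2])$"

    echo "create $setname hash:net"
    while IFS= read -r line || [ -n "$line" ]; do
        # skip comments and blank lines, as the original script does
        case "$line" in ''|'#'*) continue ;; esac
        if [[ "$line" =~ $cidr ]]; then
            echo "add $setname $line"
        else
            echo "$zone: rejected malformed entry: $line" >&2
            bad=1
        fi
    done < "$zone"
    return "$bad"
}

# Constructed sample zone (real files come from ipdeny.com); the last two
# lines are deliberately invalid to exercise the rejection path.
SAMPLE_ZONE="$(mktemp)"
cat > "$SAMPLE_ZONE" <<'EOF'
# constructed sample, not real ipdeny data
1.0.1.0/24
1.0.2.0/23
not-an-address
10.0.0.0/33
EOF

# Typical use on the firewall host (requires root and ipset):
#   zone_to_restore cn cn.zone > cn.restore && ipset restore -exist < cn.restore
```

Because the page's script inserts the DROP rule at the top of INPUT, run `ipset test geoblock-cn <your address>` after loading and before inserting the rule to confirm the address you administer from is not inside the set.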

Tags:
#block #countries #country #firewall #geoblock #geoblocking #ipset #iptables #linux #networking #sysadmin #traffic #unix

Info:
Created: 28.04.2017 06:02   Total Views: 1315
Last Changed: 28.04.2017 09:06   Total Changes: 4