Blocking traffic from specific countries using iptables can be challenging, as iptables primarily operates based on IP addresses and not on geographical locations. However, you can achieve country-level blocking by using IP address ranges associated with specific countries.
We’re going to use the ipset tool in combination with iptables to block traffic from specific countries.
Here’s a general outline of how you can accomplish this:
Install ipset
ipset is a utility in Linux that allows you to create, manage, and manipulate IP sets. IP sets are data structures that store multiple IP addresses, IP ranges, or MAC addresses and can be used efficiently by certain iptables modules. IP sets are particularly useful for managing large lists of IP addresses, making it more efficient and faster to match and filter network traffic.
To install ipset, run the following command:
sudo apt-get update
sudo apt-get install ipset
Download Country IP Ranges
Use a service or tool that provides IP address ranges for the countries you want to block. One such service is ipdeny.com, where you can download IP ranges by country.
For example, the following command will download IP ranges for the United States:
wget http://www.ipdeny.com/ipblocks/data/countries/us.zone
Here’s a table with countries and their associated URLs for downloading IP ranges. Each URL follows the same pattern as the us.zone URL above, with the lower-case ISO country code as the file name:

| Country | Download URL |
|---|---|
| United States (US) | http://www.ipdeny.com/ipblocks/data/countries/us.zone |
| Canada (CA) | http://www.ipdeny.com/ipblocks/data/countries/ca.zone |
| United Kingdom (GB) | http://www.ipdeny.com/ipblocks/data/countries/gb.zone |
| Germany (DE) | http://www.ipdeny.com/ipblocks/data/countries/de.zone |
| Australia (AU) | http://www.ipdeny.com/ipblocks/data/countries/au.zone |
| India (IN) | http://www.ipdeny.com/ipblocks/data/countries/in.zone |
| Japan (JP) | http://www.ipdeny.com/ipblocks/data/countries/jp.zone |
| Brazil (BR) | http://www.ipdeny.com/ipblocks/data/countries/br.zone |
| South Africa (ZA) | http://www.ipdeny.com/ipblocks/data/countries/za.zone |
| China (CN) | http://www.ipdeny.com/ipblocks/data/countries/cn.zone |
Create an ipset rule
The following command creates an IP set named “myset” using the ipset utility, with a hash table structure designed for storing network ranges. Once created, this set can be referenced from iptables rules to efficiently manage and filter network traffic based on source or destination addresses.
sudo ipset create myset hash:net
The “hash:net” specification indicates that the set stores network ranges in CIDR notation (for example 192.0.2.0/24), which is exactly the format used in the downloaded .zone files. A hash:ip set, by contrast, stores single addresses and expands any range added to it address by address, which quickly exceeds the set’s size limit with country-sized lists. This command sets up the empty set that the next step fills and that iptables will later match against.
Load IP ranges for the specified country
Now we need to load the IP ranges of the country you would like to block into the set we just created. In this example, we’re blocking IP addresses from the United States:
awk '{print "add myset", $1}' us.zone | sudo ipset restore
The above command reads each network range from the file “us.zone” and turns it into an “add myset <range>” line for ipset restore, which inserts all entries into the existing IP set named “myset” in a single run (far faster than calling ipset add once per range).
Replace us.zone with the file containing the IP ranges for the desired country.
Add the iptables rule to block the country
Finally, we can block the country based on its IP ranges. In this example, we’re setting the iptables rule to block IP ranges from the United States:
sudo iptables -A INPUT -m set --match-set myset src -j DROP
The above command appends a rule to the INPUT chain of the iptables firewall on a Linux system, instructing it to drop incoming network traffic whose source IP address is present in the IP set named “myset.” The rule uses the iptables set match module, which allows efficient matching against a predefined IP set. If a packet’s source IP matches an entry in the “myset” IP set, the rule takes the action specified by “-j DROP,” causing the packet to be discarded and thereby blocking incoming connections from the addresses stored in the set. This approach offers a streamlined method for implementing access control based on a predefined collection of IP addresses within iptables configurations.
Save the changes to ensure they persist across reboots.
sudo service iptables save
Or on some systems:
sudo iptables-save > /etc/iptables/rules.v4
Note that iptables-save does not store the contents of the IP set. Save the set separately with ipset save (for example sudo ipset save > /etc/ipset.conf) and make sure it is restored with ipset restore before the iptables rules are loaded at boot; otherwise the rule referencing “myset” fails to load because the set does not exist yet.
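The create, load and rule steps above, carried out as one re-runnable script that also validates the downloaded zone file before any of it reaches a privileged command. This is an added example, not code from the original article: the set name, zone-file argument and function names are mine, and it assumes ipset and iptables are installed and that the apply step runs as root.

```shell
#!/bin/sh
# Added example (not from the original article): build an ipset "restore"
# script from an ipdeny-style .zone file, then apply it.
# Assumptions: set name and zone file are passed by the caller; ipset and
# iptables are installed and apply_block runs as root.

# Turn "<cidr> per line" into commands for `ipset restore`.
# hash:net stores network ranges, which is what the .zone files contain.
# Only well-formed IPv4 CIDRs are emitted: the file is third-party input
# that ends up in a privileged command, so anything else is skipped.
zone_to_restore() {
  set_name="$1"
  zone_file="$2"
  # maxelem raised above the 65536 default: large countries exceed it.
  echo "create ${set_name} hash:net family inet maxelem 262144"
  awk -v s="$set_name" '
    # Accept a.b.c.d/len with each octet 0-255 and len 0-32.
    function valid(cidr,   parts, octets, i) {
      if (split(cidr, parts, "/") != 2) return 0
      if (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32) return 0
      if (split(parts[1], octets, ".") != 4) return 0
      for (i = 1; i <= 4; i++)
        if (octets[i] !~ /^[0-9]+$/ || octets[i] + 0 > 255) return 0
      return 1
    }
    NF == 0 || $1 ~ /^#/ { next }   # blank lines and comments
    { if (valid($1)) print "add", s, $1; else bad++ }
    END { if (bad) print "skipped " bad " malformed line(s)" > "/dev/stderr" }
  ' "$zone_file"
}

# Load the set (creating it if needed, tolerating existing entries) and add
# the DROP rule only if it is not already present, so re-running is safe.
apply_block() {
  set_name="$1"
  zone_file="$2"
  zone_to_restore "$set_name" "$zone_file" | ipset restore -exist
  iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null ||
    iptables -A INPUT -m set --match-set "$set_name" src -j DROP
}

# Usage (as root): sh geoblock.sh country_us us.zone
if [ "$#" -eq 2 ]; then
  apply_block "$1" "$2"
fi
```

Running zone_to_restore on its own (without root) shows exactly which lines would be loaded and reports how many were rejected, which is a useful check before the set goes live.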
Remember that this approach has limitations and may not be foolproof, as IP ranges associated with countries can change. Additionally, blocking traffic based on geographical location might have unintended consequences due to the use of VPNs or proxy servers.
Consider carefully whether country-level blocking aligns with your security and access requirements, and always monitor and update the IP address ranges as needed. Additionally, using specialized services or firewalls designed for this purpose may provide more accurate and reliable results.