How to block country IP

Here we will provide guide how to block whole country. For this example we will block Palestine – from where most VoIP attacks are originating.

DISCLAIMER – we are not against the Palestine or People of Palestine. We are against hackers from Palestine.

 

Install ipset tool:

yum -y install ipset

Download list of IP ranges from http://www.ipdeny.com/ipblocks/data/countries

wget http://www.ipdeny.com/ipblocks/data/countries/ps.zone

Create list in ipset for Palestine IPs:

ipset create palestine hash:net

Import IP list from file to ipset list:

while read LINE; do ipset add palestine $LINE; echo -ne $LINE ' \r'; done < ps.zone

Add rule to iptables, which instructs to drop packets coming from IPs within list:

iptables -I INPUT -m set --match-set palestine src -j DROP

Configuration is completed.

You can repeat same for other countries. By replacing “ps” with two letters code of other country (visit http://www.ipdeny.com/ipblocks/data/countries to see whole list). Also replacing “palestine” name to name of other country.

NOTE: configuration needs to be repeated after server reboot.

2 Comments How to block country IP

  1. Sokol

    Hi, Question: is it possible to allow only 1 country IP block by simply adding ACCEPT instead that DROP in iptables rule?
    es. # iptables -I INPUT -m set –match-set palestine src -j ACCEPT

    Reply
  2. Nerijus

    Hello,
    Yes, it is possible. If you like to allow one country only, then you can add such rule and then add “DROP everything” in the end of INPUT chain.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *