
If you manage your own server, you know the pains of a Denial of Service attack, or the annoying trappings of continual spam from the same countries. This little free bash script will allow you to block an entire country from your server using iptables.
Here is a nice bash script that I ran across some time ago that lets you import IP ranges into your iptables. To better understand what is happening, the full script is below, followed by a breakdown of what the iptables script is actually doing. (The provider of the country IP ranges is Blogama – be sure to give them a visit.) For your convenience, here is a list of the country codes to use in this script.
#!/bin/bash
### PUT HERE A COMMA-SEPARATED LIST OF COUNTRY CODES ###
COUNTRIES="AK,AR"
WORKDIR="/root"
#######################################
cd "$WORKDIR" || exit 1
# Fetch the IP range list for the requested countries into iptables-blocklist.txt
wget -c --output-document=iptables-blocklist.txt "http://blogama.org/country_query.php?country=$COUNTRIES"
if [ -f iptables-blocklist.txt ]; then
    # Flush every existing rule before loading the block list
    iptables -F
    BLOCKDB="iptables-blocklist.txt"
    # Skip comment lines; every remaining line is one IP range
    IPS=$(grep -Ev "^#" "$BLOCKDB")
    for i in $IPS
    do
        iptables -A INPUT -s "$i" -j DROP
        iptables -A OUTPUT -d "$i" -j DROP
    done
fi
rm -f "$WORKDIR/iptables-blocklist.txt"
1st Step of the Bash Script
In this step, you are invoking the bash shell. The ‘COUNTRIES’ variable is a comma-separated list of the country codes that you wish to add to your iptables to block. The full list of countries is available here. Obviously /root is the working directory that the script will do all of its work in. You can change this to your usual working directory if you have one that you regularly use.
#!/bin/bash
### PUT HERE A COMMA-SEPARATED LIST OF COUNTRY CODES ###
COUNTRIES="AK,AR"
WORKDIR="/root"
#######################################
2nd Step
Here we are simply changing the current working directory to match the directory variable that we set above. The next line fetches (via wget) an external URL, which is actually a script that generates a formatted list of the IP ranges for the countries you requested.
cd "$WORKDIR" || exit 1
wget -c --output-document=iptables-blocklist.txt "http://blogama.org/country_query.php?country=$COUNTRIES"
3rd Step – Meat and Potatoes of the iptables flush
These two lines check whether the block-list file exists from the run of the bash script itself. If the file does exist, then it flushes your iptables. Note that iptables -F removes every rule in the filter table, not only the ones this script adds, so any other firewall rules you rely on have to be reloaded afterwards.
if [ -f iptables-blocklist.txt ]; then
    iptables -F
4th Step – Finishing the iptables insert
The last step of this iptables bash script opens the file we created with the IP ranges in it and, for each IP range it finds, creates rules in your iptables to drop traffic from (INPUT) and to (OUTPUT) that range. When the script is done, it removes the created text file.
    BLOCKDB="iptables-blocklist.txt"
    IPS=$(grep -Ev "^#" "$BLOCKDB")
    for i in $IPS
    do
        iptables -A INPUT -s "$i" -j DROP
        iptables -A OUTPUT -d "$i" -j DROP
    done
fi
rm -f "$WORKDIR/iptables-blocklist.txt"
To run the script on your server, simply type bash scriptnamehere.sh, replacing scriptnamehere.sh with whatever you choose to call and save the script as. The original file for this script can be viewed at HowToForge.
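As an added example (my own code, not the post's script and not the HowToForge original), here is a rewrite of the loading step that keeps the rest of the firewall intact and refuses bad input: instead of iptables -F it maintains a chain of its own, it leaves the firewall untouched when the downloaded file is missing or empty, and it validates every line as an IPv4 CIDR before handing it to iptables, since the list comes from a remote site and is otherwise fed straight into a root-level command. The chain name COUNTRYBLOCK, the DRY_RUN variable, the function names and the sample entries in the comments are all assumptions of this example; fetching the file with wget is left exactly as in the post.

```shell
#!/bin/bash
# Added example, not the post's script or the HowToForge original: loads a
# country CIDR list into a dedicated chain (COUNTRYBLOCK, an assumed name)
# instead of flushing the whole firewall with "iptables -F", and validates
# every entry before it is passed to iptables. Assumed file format: one IPv4
# CIDR per line (e.g. 27.50.0.0/22), "#" starts a comment, blank lines ignored.
# Set DRY_RUN=1 to print the iptables commands instead of executing them.

CHAIN="${CHAIN:-COUNTRYBLOCK}"
DRY_RUN="${DRY_RUN:-0}"
BLOCKED_COUNT=0

# is_cidr ENTRY: succeeds only for a well-formed IPv4 CIDR such as 27.50.0.0/22
is_cidr() {
    local ip="${1%/*}" prefix="${1#*/}" octet
    [ "$ip" != "$1" ] || return 1                     # no "/" at all
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac   # prefix must be digits
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in *[!0-9.]*) return 1 ;; esac         # only digits and dots
    local IFS=.
    set -- $ip                                        # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# run_ipt ARGS...: execute iptables, or echo the command line when DRY_RUN=1
run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# load_blocklist FILE: rebuild the chain from FILE, leaving every other rule
# untouched. Sets BLOCKED_COUNT to the number of ranges loaded; returns 1 and
# changes nothing when FILE is missing or empty (e.g. the download failed).
load_blocklist() {
    local file="$1" line added=0
    if [ ! -s "$file" ]; then
        echo "blocklist '$file' missing or empty; firewall left unchanged" >&2
        return 1
    fi
    run_ipt -N "$CHAIN" 2>/dev/null || true   # create the chain if needed
    run_ipt -F "$CHAIN"                       # empty only our own chain
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                               # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')      # strip spaces and CR
        [ -n "$line" ] || continue
        if is_cidr "$line"; then
            run_ipt -A "$CHAIN" -s "$line" -j DROP
            added=$((added + 1))
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done < "$file"
    # Jump from INPUT into the chain once; -C keeps re-runs from stacking jumps
    run_ipt -C INPUT -j "$CHAIN" 2>/dev/null || run_ipt -I INPUT -j "$CHAIN"
    BLOCKED_COUNT=$added
    echo "$added ranges loaded into $CHAIN" >&2
    return 0
}

# Stand-alone usage: bash blockcountry.sh /root/iptables-blocklist.txt
if [ -n "$1" ]; then
    load_blocklist "$1"
fi
```

Run it after the wget step as bash blockcountry.sh iptables-blocklist.txt, or with DRY_RUN=1 in the environment to see the rules it would add without touching the firewall. Because it only ever flushes its own chain, the rest of your rule set survives each refresh, and a failed download leaves the previous block list in place rather than a wide-open firewall.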

6 Responses
I tried to capture the US and PH. I got 43000 entries. Meaning your script will do 43000 of “iptables -A INPUT -s $i -j DROP”?
Won't this hit the numiptent limit of the server and result in an error?
[Reply]
Cory Crampton Reply:
August 27th, 2010 at 5:13 pm
Great question. If you are on a shared server (VPS – Virtuozzo) that limits this, then yes, you will certainly run into an issue. This limit can be adjusted, but it’s typically not a good idea in a shared environment. The best way to still get some protection in this instance is to pick the CIDR ranges that seem to be giving you trouble and implement those. For example – here are a couple of CIDR outputs for the Philippines, following the instructions above:
27.50.0.0/22
27.106.216.0/21
[Reply]
I am setting up the above script, but the domain which is fetching the country details is not working.
wget -c --output-document=iptables-blocklist.txt http://blogama.org/country_query.php?country=$COUNTRIES
http://blogama.org/country_query.php
Above link is not working.
Can anyone let me know if the domain is changed or any other way to make script working?
Thanks in advance.
[Reply]
Cory Crampton Reply:
January 19th, 2011 at 11:38 pm
Sorry – that site is no longer available, and I do not know right away if there is another site that works using similar methods. I will post back here with what I can find. Thanks!
[Reply]
Sam Reply:
January 21st, 2011 at 7:48 pm
Thanks for the response.
If you have an idea what kind of response that site was returning then let me know.
We can think over it.
Please let me know your thoughts.
Thanks.
[Reply]
Thanks man, that works fine on my site.
[Reply]