
Blocking Countries To Your Website With iptables

If you manage your own server, you know the pains of a Denial of Service attack, or the annoying trappings of continual spam from the same countries. This little free bash script will allow you to block an entire country from your server using iptables.

Here is a nice bash script that I ran across some time ago that lets you import IP ranges into iptables. To better understand what is happening, the full script is below, followed by a breakdown of what each part of it actually does. (The provider of the country IP ranges is Blogama – be sure to give them a visit.) For your convenience, here is a list of the country codes to use in this script.

#!/bin/bash
### PUT HERE A COMMA-SEPARATED LIST OF COUNTRY CODES ###
COUNTRIES="AK,AR"
WORKDIR="/root"
#######################################
cd "$WORKDIR" || exit 1
# Fetch the IP ranges for the requested countries (URL quoted so the shell does not expand ? or =)
wget -c --output-document=iptables-blocklist.txt "http://blogama.org/country_query.php?country=$COUNTRIES"
if [ -f iptables-blocklist.txt ]; then
  # Note: -F flushes every existing rule in the filter table, not just earlier blocklist rules
  iptables -F
  BLOCKDB="iptables-blocklist.txt"
  # Skip comment lines; each remaining line is one IP range
  IPS=$(grep -Ev "^#" "$BLOCKDB")
  for i in $IPS
  do
    iptables -A INPUT -s "$i" -j DROP
    iptables -A OUTPUT -d "$i" -j DROP
  done
fi
rm -f "$WORKDIR/iptables-blocklist.txt"

1st Step of the Bash Script

In this step, you are invoking the bash shell. The ‘COUNTRIES’ variable is a comma-separated list of the country codes whose ranges you wish to add to iptables as blocked. The full list of countries is available here. /root is the working directory in which the script does all of its work; you can change this to whatever directory you regularly use.

#!/bin/bash
### PUT HERE A COMMA-SEPARATED LIST OF COUNTRY CODES ###
COUNTRIES="AK,AR"
WORKDIR="/root"
#######################################

2nd Step

Here we simply change the current working directory to the one set in the variable above. The next line fetches (via wget) an external URL, which is actually a script that generates a formatted list of the IP ranges for the countries you requested.

cd "$WORKDIR" || exit 1
# Fetch the IP ranges for the requested countries (URL quoted so the shell does not expand ? or =)
wget -c --output-document=iptables-blocklist.txt "http://blogama.org/country_query.php?country=$COUNTRIES"

3rd Step – Meat and Potatoes of the iptables flush

These two lines check whether the blocklist file exists (it will, if the download in the previous step succeeded); if it does, the script flushes your iptables. Be aware that iptables -F removes every rule in the filter table, including any you added yourself (such as rules allowing your own SSH access), so those must be re-added after the script runs.

if [ -f iptables-blocklist.txt ]; then
  # Note: -F flushes every existing rule in the filter table, not just earlier blocklist rules
  iptables -F

4th Step – Finishing the iptables insert

The last step of this iptables bash script opens the file we created with the IP ranges in it and, for each IP range, creates a rule in your iptables to drop traffic from (and to) that range. When the script is done, it removes the created text file.

  BLOCKDB="iptables-blocklist.txt"
  # Skip comment lines; each remaining line is one IP range
  IPS=$(grep -Ev "^#" "$BLOCKDB")
  for i in $IPS
  do
    iptables -A INPUT -s "$i" -j DROP
    iptables -A OUTPUT -d "$i" -j DROP
  done
fi
rm -f "$WORKDIR/iptables-blocklist.txt"
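The third and fourth steps flush the whole filter table and pass every non-comment line of a file downloaded over plain HTTP straight to iptables as root. The following added example (my own code, not part of the original script or of HowToForge) shows a safer pattern for the same job: validate each entry as an IPv4 range and render the rules into a dedicated chain (the chain name GEOBLOCK and the sample blocklist are assumptions/constructed), so nothing reaches iptables unchecked and existing rules are left alone.

```bash
#!/bin/bash
# Added example: validate a downloaded country blocklist and render it as rules
# for a dedicated chain instead of flushing the filter table.

# Constructed sample blocklist in the comment-plus-range layout the script expects.
SAMPLE_BLOCKLIST='# constructed sample, not real country data
203.0.113.0/24
198.51.100.0/25
192.0.2.8/29'

CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'

# valid_cidr ADDR: exit 0 only if ADDR is a syntactically valid IPv4 address or prefix.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq "$CIDR_RE" || return 1
  # The regex checks shape only; also reject octets above 255.
  local ip=${1%%/*} octet
  for octet in $(printf '%s' "$ip" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# render_rules CHAIN < blocklist: print one "iptables -A CHAIN -s RANGE -j DROP"
# line per range, skipping comments and blank lines. Output is all-or-nothing:
# a single invalid line makes the function print nothing and return 1.
render_rules() {
  local chain=$1 line out=""
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    valid_cidr "$line" || { echo "invalid entry: $line" >&2; return 1; }
    out="$out$(printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$line")"$'\n'
  done
  printf '%s' "$out"
}

# Usage (assumed chain name): create the chain once with
#   iptables -N GEOBLOCK && iptables -I INPUT -j GEOBLOCK
# then review the rendered rules before applying them:
#   render_rules GEOBLOCK < iptables-blocklist.txt
printf '%s\n' "$SAMPLE_BLOCKLIST" | render_rules GEOBLOCK
```

Piping the rendered lines into sh applies them; flushing only the GEOBLOCK chain (iptables -F GEOBLOCK) on the next run keeps the rest of your ruleset intact.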

To run the script on your server, simply type bash scriptnamehere.sh, replacing scriptnamehere.sh with whatever name you choose to save the script as. The original file for this script can be viewed at HowToForge.