How to block IP addresses from a country using IPset

IP2Location
Jun 9, 2020

In this tutorial, we'll cover how to block large IP ranges using the ipset module with iptables. IPset is a command-line utility used to administer IP sets, a framework inside the Linux kernel. The explanation below uses the Debian operating system.

You can download the IP ranges for the country you want to block with the IP2Location Free Visitor Blocker, a free online tool that provides the IP addresses of any country in a wide range of formats.

1. Install the ipset package on your Linux system.

apt install ipset

2. Go to https://www.ip2location.com/free/visitor-blocker.

3. Pick a country you wish to block and choose the CIDR format.

4. Download the list. You will get a list of CIDR ranges similar to the one below:

31.13.156.64/29
31.13.158.236/30
31.13.159.16/28
34.99.130.0/23
34.99.202.0/23
34.103.146.0/23
34.103.219.0/24
41.57.120.0/22
41.58.0.0/16
41.67.128.0/19
41.67.160.0/20
41.67.176.0/23
41.67.178.0/27
41.67.178.32/28
41.67.178.48/30

5. Save the list as blockcountry.sh.

6. Run the following commands to convert the CIDR list into ipset commands.

sed -i '/^#/d' blockcountry.sh
sed -i 's/^/ipset add countryblocker /g' blockcountry.sh
sed -i '1i ipset create countryblocker nethash' blockcountry.sh

7. The content of blockcountry.sh should now look similar to the below:

ipset create countryblocker nethash
ipset add countryblocker 31.13.156.64/29
ipset add countryblocker 31.13.158.236/30
ipset add countryblocker 31.13.159.16/28
ipset add countryblocker 34.99.130.0/23
ipset add countryblocker 34.99.202.0/23
ipset add countryblocker 34.103.146.0/23
ipset add countryblocker 34.103.219.0/24
ipset add countryblocker 41.57.120.0/22
ipset add countryblocker 41.58.0.0/16
ipset add countryblocker 41.67.128.0/19
ipset add countryblocker 41.67.160.0/20
ipset add countryblocker 41.67.176.0/23
ipset add countryblocker 41.67.178.0/27
ipset add countryblocker 41.67.178.32/28
ipset add countryblocker 41.67.178.48/30

8. Give execution permission to blockcountry.sh and run it.

chmod +x blockcountry.sh
bash blockcountry.sh

9. Now the ipset is ready, and we need to create an iptables rule to block these IP addresses.

iptables -A INPUT -m set --match-set countryblocker src -j DROP

10. To make sure the set and the iptables rule persist after a reboot, save both.

ipset save > /etc/countryblocker.ipset
iptables-save > /etc/iptables/rules.iptables

11. Add the following lines to the /etc/rc.local file so that the set and the rules are reloaded after a system reboot. The set is restored first because the iptables rule refers to it by name.

ipset restore < /etc/countryblocker.ipset
iptables-restore < /etc/iptables/rules.iptables
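
An alternative to steps 5 to 8, as an added example that is not part of the original tutorial: instead of prefixing every downloaded line and executing the file with bash, this function keeps only well-formed IPv4 CIDR lines and emits them in the format that ipset restore reads (the same format ipset save writes in step 10). The function name cidr_to_restore and the file name blockcountry.cidr are assumptions; hash:net is the current name of the nethash type used above.

```shell
#!/bin/sh
# Added example: turn a downloaded CIDR list into `ipset restore` input.
# Only well-formed IPv4 CIDR lines are emitted, so no other text from the
# download is ever interpreted by a root shell.

# cidr_to_restore SETNAME   (list on stdin, restore lines on stdout)
# Returns 1 if any line was rejected; rejected lines are reported on stderr.
cidr_to_restore() {
    awk -v set="$1" '
        function valid(line,    parts, oct, i) {
            if (line !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
            split(line, parts, "/")
            # hash:net cannot store a /0 network, so accept /1 to /32 only
            if (parts[2] + 0 < 1 || parts[2] + 0 > 32) return 0
            split(parts[1], oct, ".")
            for (i = 1; i <= 4; i++) if (oct[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { print "create " set " hash:net family inet" }
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        valid($0) { print "add " set " " $0; next }
        { printf "rejected line %d: %s\n", NR, $0 > "/dev/stderr"; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample: two ranges from the list above plus two lines that
# must never reach ipset or a shell.
sample='# constructed sample list
31.13.156.64/29
41.58.0.0/16
41.67.178.48/30; echo injected
300.1.2.0/24'
printf '%s\n' "$sample" | cidr_to_restore countryblocker \
    || echo "list contained rejected lines" >&2

# On the firewall host (as root, ipset installed), load the list only if
# every line passed. blockcountry.cidr is a hypothetical file name:
#   cidr_to_restore countryblocker < blockcountry.cidr > /etc/countryblocker.ipset \
#       && ipset -exist restore < /etc/countryblocker.ipset
```

With -exist, reloading an updated list does not fail on a set or entry that is already present.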

Originally published at https://blog.ip2location.com on June 9, 2020.
