Home > Uncategorized > Blocking country IP tables using our data blocks and ipset utility

Blocking country IP tables using our data blocks and ipset utility

Just browsing around the Internet today I found a nice howto document explaining how to set-up our country IP block data with ipset utility. Ipset utility offers much higher performance than standard iptables rules (one IP range – one record, e.g. 10.1.1.0/16 for example).

Update: August 18th, 2012.
Thanks to our visitor comments we checked itech7 site and it’s registration was expired. We will probably come up with another reference/site shortly.

Categories: Uncategorized Tags:
  1. Greg
    August 22nd, 2012 at 13:39 | #1

    this blog shows a way:
    http://www.magentomod.com/blog.php

    Blocking IPs by country using IPSet and IPTables

    Jul 28, 2012 MagenX Magento Server Optimization
    What is IPSet? IPSet basically allows you to store multiple IP addresses and/or ports in a table and match across all of them at once. The table seeks are much faster than using individual IPTables rules. IPSet framework is included in 2.6.x kernels and CentOS 6 by default.
    For Centos 6.3 and kernel > 2.6.34 use latest IPset > 6.7.
    Installing IPSet, kmod-ipset, patched iptables for CentOS 5:

    rpm -ivh http://centos.alt.ru/pub/repository/centos/5/x86_64/ipset-4.5-1.el5.x86_64.rpm
    rpm -ivh http://centos.alt.ru/pub/repository/centos/5/x86_64/kmod-ipset-4.5-1.el5.x86_64.rpm
    rpm -ivh http://centos.alt.ru/pub/repository/centos/5/x86_64/iptables-1.3.5-5.6.1.el5.x86_64.rpm

    Our objective is to block China(cn) Korea(kr) Taiwan(tw) Pakistan(pk) Singapore(sg) HongKong(hk) Peru(pe). ~60K entries
    Here we are using nethash set type because the IP database at ipdeny.com which we will be using to block IPs provides IPs in IP-Address/CIDR-length form which is supported only by nethash.

    Creating IPset:

    ipset -N geoblock nethash
    for IP in $(wget -O – http://www.ipdeny.com/ipblocks/data/countries/{cn,kr,pk,tw,sg,hk,pe}.zone)
    do
    ipset -A geoblock $IP
    done

    Matching against the IPSet in IPTables:

    iptables -A INPUT -m set –set geoblock src -j DROP

    Now connections from all IPs that exist in the set geoblock will be blocked.

  2. Nirms
    September 3rd, 2012 at 13:11 | #2

    yes, i was looking for this but all links in google just dead.
    it really works! i was checking over here
    http://www.websitepulse.com/help/testtools.china-test.html
    http://www.greatfirewallofchina.org

    lol no dumb bots anymore.

    thanks

  3. Nirms
    September 3rd, 2012 at 13:34 | #3

    direct link

    http://www.magentomod.com/blog.php#Blocking IPs by country using IPSet and IPTables

  4. Conrad
    December 15th, 2012 at 05:46 | #4

    I get:

    Applying iptables firewall rules: iptables-restore v1.3.5: Couldn’t load match `set’:/lib64/iptables/libipt_set.so: cannot open shared object file: No such file or directory

    after using set in the rule.

    /lib64/iptables/libipt_set.so does in fact not exists.

  5. pascal
    April 11th, 2013 at 03:12 | #5

    Can I do this:

    ipset -N geoblock_eu_us nethash
    for IP in $(wget -O – http://www.ipdeny.com/ipblocks/data/countries/{fr,de,nl,be,us,}.zone)
    do
    ipset -A geoblock_eu_us $IP
    done
    Matching against the IPSet in IPTables:
    iptables -A INPUT -m set –set !geoblock_eu_us src -j DROP

  6. Ipdeny
    June 2nd, 2013 at 22:33 | #6

    Pascal, feel free to do it – no problem.

  7. eloi
    July 28th, 2013 at 07:05 | #7

    @pascal: Small correction. The correct syntax to block traffic from all IPs except the ones on the ipset is:

    iptables -A INPUT -m set ! –set !geoblock_eu_us src -j DROP

    or in newer iptables versions:

    iptables -A INPUT -m set ! –match-set geoblock_eu_us src -j DROP

    BTW, blocking all traffic is a bit radical and could backfire at you very easily, so if you decide to implement this, consider adding a –dport directive to block only specific services.

  8. Visitor
    September 4th, 2013 at 09:34 | #8

    Hello,
    Trying to get this to work on a server using APF firewall.

    I have created a bash script and included the above along with what countries we wanted to block.

    When run we get

    Bad argument `.set’
    Try `iptables -h’ or ‘iptables –help’ for more information.

    Any ideas? This is on a CentOS 6.3 box with ipset installed via yum.

    Thank you

  9. February 27th, 2014 at 04:37 | #9

    Hello, I know this is an old post but I need your help.
    I want to use iptables+ipset to block diferent countries, but I want a step by step tutorial. If someone would like to help, please write here or send me an email.

    Thank you.

  10. Stuckadmin
    January 14th, 2015 at 13:26 | #10

    @Visitor
    I have the same problem

  11. Stuckadmin
    January 14th, 2015 at 13:29 | #11

    iptables -A INPUT -m set –set geoblock src -j DROP

    that works @visitor.

  12. April 16th, 2016 at 23:12 | #12

    The http://www.ipdeny.com/ipblocks/data/countries/{cn,kr,pk,tw,sg,hk,pe}.zone link doesn’t work anymore?