Ubuntu ipset - Best way to block countries from accessing your server
Blocking whole countries from accessing your Ubuntu server.
Update system
sudo apt-get update
Installing IPset
Most Linux distributions, such as Ubuntu and Debian, ship with ipset preinstalled these days. If it is missing, install it:
sudo apt-get install ipset
Creating IP sets
PLEASE ALSO CHECK THE SCRIPT TO ADD IP LISTS BELOW
Now that ipset is installed on our machine, we can create the IP sets. We need a set that contains the network subnets we want to block or restrict, so first we need the list of subnets to add to the set.
PLEASE use zone lists from this site:
http://www.ipdeny.com/ipblocks/
Here we've selected a few network subnets of China for testing purposes.
1.0.1.0/24 1.0.2.0/23 1.0.8.0/21 1.0.32.0/19 1.1.0.0/24 5.10.72.16/29
Here's a sample of the network subnets we'll block in this article; in the real world there will be a huge number of subnets, so we use a scripting or programming language of our choice to generate the list of commands as follows.
Here we give the new set the name countryblock:
ipset create countryblock nethash
ipset add countryblock 1.0.1.0/24
ipset add countryblock 1.0.2.0/23
ipset add countryblock 1.0.8.0/21
ipset add countryblock 1.0.32.0/19
ipset add countryblock 1.1.0.0/24
ipset add countryblock 5.10.72.16/29
You can also use a name other than "countryblock" for your set.
IMPORTANT: Shell script to add IP lists
Here the countries ad, ae and af are used as an example:
#!/bin/bash
# create the set (the -exist flag makes re-running the script harmless)
sudo ipset create geo nethash -exist
# wget -O writes all three zone files into one file
sudo wget -O /tmp/geoiptest.txt http://www.ipverse.net/ipblocks/data/countries/{ad,ae,af}.zone
while read -r ip; do
    case "$ip" in ''|"#"*) continue ;; esac   # skip blank and comment lines
    sudo ipset add geo "$ip" -exist
done < /tmp/geoiptest.txt
GOOD SCRIPT TO USE - Blocks countries that are most often the origin of DDoS, port scanning and other abuse or hacking attempts (add countries as country codes, e.g. cn, inside the braces):
#!/bin/bash
# create the set (the -exist flag makes re-running the script harmless)
sudo ipset create basiccountries nethash -exist
# wget -O writes all the zone files into one file
sudo wget -O /tmp/geoiptest.txt http://www.ipverse.net/ipblocks/data/countries/{af,bz,eg,ng,ru,cn,gh,id,ir,lb,ly,kp,sy,so,ua}.zone
while read -r ip; do
    case "$ip" in ''|"#"*) continue ;; esac   # skip blank and comment lines
    sudo ipset add basiccountries "$ip" -exist
done < /tmp/geoiptest.txt
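The two scripts above call ipset once per subnet and feed every line of the downloaded file to it unchecked, so a comment line, a blank line or a truncated download produces errors or a half-filled set. The following script is an added example, not part of the original article and not part of ipset itself: it implements the "generate the commands" step from the countryblock section as a shell function that turns zone-file text into an `ipset restore` script (one atomic load instead of thousands of `ipset add` calls), skipping comments and blank lines and rejecting anything that is not a well-formed IPv4 CIDR. The set name `countryblock`, the `SAMPLE_ZONE` text and the `--demo` switch are constructed for the example; `hash:net` is the current name of the `nethash` set type used in the article.

```sh
#!/bin/sh
# Added example: build an "ipset restore" script from zone-file text.
# Not from the original article; set name, sample data and --demo are constructed.

# Return 0 if $1 is a well-formed IPv4 CIDR (four octets 0-255, prefix 0-32).
is_ipv4_cidr() {
    case $1 in
        */*) ;;                          # must contain a slash
        *) return 1 ;;
    esac
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*|???*) return 1 ;;    # empty, non-numeric or 3+ digits
    esac
    [ "$prefix" -le 32 ] || return 1
    case $ip in
        *[!0-9.]*) return 1 ;;           # only digits and dots allowed
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip                           # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|????*) return 1 ;;        # empty or 4+ digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read zone-file text on stdin and write "ipset restore" commands for set $1
# on stdout. Comment and blank lines are skipped; malformed entries are reported
# on stderr and make the function return 1 so a bad download is noticed.
zone_to_restore() {
    set_name=$1
    bad=0
    printf 'create %s hash:net family inet -exist\n' "$set_name"
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop "# ..." comments
        line=${line%%[[:space:]]*}       # keep the first token only
        [ -n "$line" ] || continue
        if is_ipv4_cidr "$line"; then
            printf 'add %s %s -exist\n' "$set_name" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ] || printf '%s malformed entries skipped\n' "$bad" >&2
    [ "$bad" -eq 0 ]
}

# Constructed sample standing in for a downloaded /tmp/geoiptest.txt
# (not real ipverse data): header comment, blank line, trailing comment
# and three malformed entries.
SAMPLE_ZONE='# constructed zone file for the example
1.0.1.0/24
1.0.2.0/23

1.0.8.0/21   # trailing comment
5.10.72.16/29
300.1.1.0/24
1.0.32.0/33
not-an-address'

# Number of "add" lines generated for the sample (4 valid subnets).
count_sample_adds() {
    printf '%s\n' "$SAMPLE_ZONE" | zone_to_restore "$1" 2>/dev/null | grep -c '^add '
}

# Real use: zone_to_restore countryblock < /tmp/geoiptest.txt | sudo ipset restore
# then reference the set with the iptables rule from the next section.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ZONE" | zone_to_restore countryblock
fi
```

Run it with `--demo` to see the generated commands for the sample; for a real list, pipe the downloaded file through `zone_to_restore` into `sudo ipset restore`. Because every `add` carries `-exist`, the script can be re-run to refresh the set without first destroying it, and the non-zero exit on malformed entries lets a cron job notice a broken download instead of silently loading an incomplete set.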
NOW: Add geo to your iptables. This is explained in the next chapter (countryblock is used there instead of geo as the example set name).
Applying the IP set
Now that our IP sets are ready, we apply them with the ipset match module of iptables so that traffic from the listed subnets is blocked.
iptables -I INPUT -m set --match-set countryblock src -j DROP
Info: -I inserts the rule at the top of the INPUT chain. Use iptables -A INPUT instead if you already have important whitelist rules earlier in the chain that must keep matching first.
The above command drops traffic originating from the IP ranges defined by the subnets in the set called countryblock that we generated above, so all the IPs listed there are blocked.
Applying the rules permanently
Once we have finished testing our configuration and rules, we may want to make the changes persistent so that the rules are applied on every reboot. To do so, run the following commands for your distribution.
On Debian based systems
ipset save > /etc/ipset.up.rules
iptables-save > /etc/iptables/rules.v4
Once we have run the above commands to save the rules (the /etc/iptables directory is created by the iptables-persistent package), we make them load on each reboot by adding the following lines to /etc/rc.local. Keep this order: the set must be restored before the iptables rules that reference it. On systemd-based releases /etc/rc.local is only run if the file exists and is executable.
ipset restore < /etc/ipset.up.rules
iptables-restore < /etc/iptables/rules.v4
On RHEL based systems
ipset save > /etc/ipset.up.rules
iptables-save > /etc/sysconfig/iptables
Once we have saved both the ipset and the iptables rules, we add the restore commands in the same way as for Debian, by placing the following lines (in this order) in /etc/rc.local.
ipset restore < /etc/ipset.up.rules
iptables-restore < /etc/sysconfig/iptables
In this way we can block whole ranges of IPs using the ipset module with iptables. We can create IP sets for different countries and apply them as needed.