Ubuntu ipSet - Best Way to block countries from accessing your server

Blocking whole country/countries from accessing your ubuntu server.

Update system

sudo apt-get update

Installing IPset

Most linux distributions like Ubuntu, Debian come with ipset preinstalled these days.

apt-get install ipset

Creating IP sets

Now, as we have ipset installed in our machine, we'll now move ahead for creating the IP sets. Here we'll need to create an ipset which contains the network subnets we're willing to block or restrict. So, first we'll need to get the list of the network subnets we're willing to add into the ip sets.
PLEASE use zone lists from this site:

Here, we've selected few network subnets of China for testing purpose.

Here's a sample of network subnets that we'll be blocking in this article but in real world, we'll have a huge numbers of subnets. So, we'll use any scripting/programming language and generate the list of command as follows.
we give here the new list the following name: countryblock

ipset create countryblock nethash
ipset add countryblock
ipset add countryblock
ipset add countryblock
ipset add countryblock
ipset add countryblock

you can also use another name than "countryblock" for your list name,

IMPORTANT: Shell Script to add ip lists

Here the countries ad,ae and af as an example

ipset create geo nethash
sudo wget -O /tmp/geoiptest.txt http://www.ipverse.net/ipblocks/data/countries/{ad,ae,af}.zone
while read ip; do
    sudo ipset add geo $ip
done < /tmp/geoiptest.txt

GOOD SCRIPT TO USE - Blocks countries which are mostly the origin of many ddos, port scanning and other abuse or hacking attemps (add countries as country code e.g. cn in the brackets):

ipset create basiccountries nethash
sudo wget -O /tmp/geoiptest.txt http://www.ipverse.net/ipblocks/data/countries/{af,bz,eg,ng,ru,cn,gh,id,ir,lb,ly,kp,sy,so,ua}.zone
while read ip; do
    sudo ipset add basiccountries $ip
done < /tmp/geoiptest.txt

NOW: Add geo to your iptables Explained in the next chapter (countryblock is used instead of geo as an example).

Applying the IP set

Now, as our ip sets are ready, we'll now apply those ip sets to get blocked using ipset module with iptables.

iptables -I INPUT -m set --match-set countryblock src -j DROP

Info: Use iptables -A INPUT if you have important whitelist iptables before e.g.
The above command blocks the traffics originating from ip ranges defined by the subnets in the above generated set called countryblock. So, all the IPs listed there will be blocked.

Applying the rules permanently

If we are ready testing our configurations and rules, we may wanna make the changes persistent so that the rules gets applied in every reboot. In order to do so, we'll need to run the following commands respective to our firewall controller.

On Debian based system

ipset save > /etc/ipset.up.rules
iptables-save > /etc/iptables/rules.v4

Once we run the above comand to save the rules, we'll now make the rules loaded in each reboot by adding the following lines in /etc/rc.local .

ipset restore < /etc/ipset.up.rules
iptables-restore < /etc/iptables/rules.v4

On RHEL based system

ipset save > /etc/ipset.up.rules
iptables-save > /etc/sysconfig/iptables

Once we save the rules of both ipset and iptables, we'll now add the restore commands similarly as we did for Debian. We'll just add the following commands inside /etc/rc.local file.

ipset restore < /etc/ipset.up.rules
iptables-restore < /etc/sysconfig/iptables

In this way, we can block certain blocks of ips using ipset module with iptables. We can create ip sets of different countries so that we can apply them according to the need.