parMaster/geoblock

Caution

Use at your own risk, and make sure you have an alternative way to reach your server (a KVM console, for example) before changing the firewall.

It is basically a convenient way to block countries by IP with iptables. The step-by-step instructions are combined into one Makefile that compiles and optimizes multiple IP block lists. Only three iptables rules are added as a result, which are easily revertable. Two systemd services run at system startup and load the IP lists to keep geoblock persistent.

Prerequisites

Load country IP ranges in CIDR format into the lists/ folder (see the make load <country code> instructions below). Multiple lists are combined and optimized automatically. Remember to update the lists from time to time.

Install iprange and ipset with:

sudo apt install -y iprange ipset

Installation

make load <country code> [<country code> <country code> ...] loads lists of IP ranges for the given countries from ipdeny.com and saves them into the lists directory. For example, to load the usual suspects:

make load ru cn by

make add copies everything to where it is supposed to be and starts the services:

sudo make add

To check services status:

sudo make status

Only one iptables rule is added as a result. To delete the geoblock rule from iptables:

sudo make cleanup

To update lists:

make load <country code> [<country code> <country code> ...]
sudo make update

Whitelist

To exclude specific IPs or subnets from being blocked, add them to lists/whitelist.txt in CIDR format, one per line:

echo "1.2.3.0/24" >> lists/whitelist.txt

Run sudo make update to apply.

To uninstall (stop and remove the services, the iptables rule and the ipset list):

sudo make uninstall

How it works

After every list in the lists folder has been combined and optimized into one geoblock.txt file, a new geoblock set is created with ipset, every line from geoblock.txt is added to that set, and finally the set is saved to the /etc/ipset.conf file.

Then there are two systemd services:

  • ipset-persistent.service is configured to start at the right point in the server startup sequence and loads /etc/ipset.conf, so the geoblock set is loaded and ready to be used by iptables.
  • geoblock-persistent.service starts next and runs a script that sets up a firewall rule that matches incoming traffic from IP addresses listed in the geoblock set, logs the blocked attempts up to a limit, and then drops the packets.
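The list-to-set step described above, together with the whitelist exclusion from the Whitelist section, as an added example in POSIX sh. This is not the project's own Makefile or script; it assumes a set named geoblock, the file names geoblock.txt and whitelist.txt, and uses constructed sample ranges (RFC 5737 documentation networks) so it runs offline. The output is the text format that `ipset restore` reads.

```shell
#!/bin/sh
# Added example, not the project's own Makefile or scripts: build an
# `ipset restore` script from a merged CIDR list plus a whitelist.
# The set name "geoblock" and the file names are assumptions for the demo.

# is_cidr ENTRY: accept a single IPv4 address or IPv4 CIDR (a.b.c.d or a.b.c.d/n).
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# build_ipset_restore SETNAME LISTFILE [WHITELISTFILE]
# Prints an `ipset restore` script on stdout: one "create" line followed by
# one "add" line per valid, non-whitelisted entry. Blank lines and "#" comments
# are skipped; malformed lines are reported on stderr and skipped instead of
# aborting the whole build.
build_ipset_restore() {
    set_name="$1"; list_file="$2"; whitelist_file="${3:-/dev/null}"
    [ -r "$list_file" ] || { echo "cannot read $list_file" >&2; return 1; }
    # The set must exist before any "add"; -exist makes the script re-runnable.
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536 -exist\n' "$set_name"
    grep -v '^[[:space:]]*#' "$list_file" | grep -v '^[[:space:]]*$' |
    while read -r cidr; do
        if ! is_cidr "$cidr"; then
            echo "skipping malformed entry: $cidr" >&2
            continue
        fi
        # Exact-line match against the whitelist. Excluding a /32 that sits
        # inside a blocked /24 needs range arithmetic (that is what iprange
        # does before this step); this demo keeps the comparison simple.
        if grep -qxF -- "$cidr" "$whitelist_file" 2>/dev/null; then
            continue
        fi
        printf 'add %s %s -exist\n' "$set_name" "$cidr"
    done
}

# write_sample_lists DIR: constructed sample input (documentation ranges,
# not real country data) so the demo runs without downloading anything.
write_sample_lists() {
    cat > "$1/geoblock.txt" <<'EOF'
# constructed sample list
203.0.113.0/24
198.51.100.0/24
1.2.3.0/24

192.0.2.0/24
not-an-ip
EOF
    printf '1.2.3.0/24\n' > "$1/whitelist.txt"
}

# Demo: build the restore script for the sample lists and print it.
# On a real host the output would be piped into `sudo ipset restore`.
demo_dir=$(mktemp -d)
write_sample_lists "$demo_dir"
build_ipset_restore geoblock "$demo_dir/geoblock.txt" "$demo_dir/whitelist.txt"
rm -rf "$demo_dir"
```

For the sample input the script emits the create line and three add lines: 1.2.3.0/24 is dropped because it is whitelisted and not-an-ip is reported on stderr. Using -exist on both create and add is what lets the same script be replayed at boot without failing on an already-loaded set.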

Logging blocked packets

Blocked packets are logged to the kernel log and captured automatically by systemd-journald — no extra configuration needed.

To read the logs:

journalctl -k --grep="geoblock"

To follow live:

journalctl -kf --grep="geoblock"
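Reading the log is more useful when it is summarized, so here is an added example (not part of the project) that turns the kernel log lines the LOG rule produces into per-source and per-port counts. It assumes the rule's log prefix is "geoblock: " (the README shows only that the lines match the word geoblock) and the standard netfilter LOG fields SRC=, PROTO= and DPT=; the sample lines are constructed and trimmed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not the project's own code: summarize geoblock drops from
# `journalctl -k` output. Assumes the log prefix "geoblock: " and the usual
# netfilter LOG fields (SRC=, DST=, PROTO=, SPT=, DPT=).

# Constructed, trimmed sample of `journalctl -k` output; not real traffic.
SAMPLE_LOG='Mar 03 10:15:01 host kernel: geoblock: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=54321 DPT=22 SYN
Mar 03 10:15:02 host kernel: geoblock: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=54322 DPT=22 SYN
Mar 03 10:15:03 host kernel: geoblock: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN
Mar 03 10:15:04 host kernel: geoblock: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=54323 DPT=22 SYN
Mar 03 10:15:05 host kernel: geoblock: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=44 PROTO=UDP SPT=5060 DPT=5060 LEN=24
Mar 03 10:15:06 host kernel: eth0: link is up'

# geoblock_lines: keep only lines written by the geoblock LOG rule
# (the same filter as journalctl -k --grep="geoblock").
geoblock_lines() {
    grep -F 'kernel: geoblock: '
}

# top_blocked_sources [N]: drops per source address, busiest first,
# printed as "ADDRESS COUNT" (default N=10).
top_blocked_sources() {
    geoblock_lines | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' |
    sort | uniq -c | sort -rn | head -n "${1:-10}" | awk '{ print $2, $1 }'
}

# blocked_by_port: drops per protocol/destination port, e.g. "TCP/22 3",
# which shows what the blocked ranges were probing for.
blocked_by_port() {
    geoblock_lines | sed -n 's|.*PROTO=\([^ ]*\).*DPT=\([^ ]*\).*|\1/\2|p' |
    sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# sources_over THRESHOLD: addresses with at least THRESHOLD drops, one per
# line; a cheap trigger for a closer look or a longer-lived block.
sources_over() {
    top_blocked_sources 1000000 | awk -v n="$1" '$2 >= n { print $1 }'
}

# Demo on the constructed sample. On a real host replace the printf with
#   journalctl -k --grep="geoblock" --since=-1h | top_blocked_sources 5
printf '%s\n' "$SAMPLE_LOG" | top_blocked_sources 5
printf '%s\n' "$SAMPLE_LOG" | blocked_by_port
printf '%s\n' "$SAMPLE_LOG" | sources_over 3
```

Because the LOG rule is rate limited, these counts are a lower bound on what was dropped, not an exact figure; they are still enough to spot one address hammering a single port, which is the case worth looking at.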

Some sources that were used to make this

Country IP blocks:

https://www.ipdeny.com

Note

Since the country-ip-blocks project is not maintained anymore (the maintainer took a red pill and left the Matrix, archiving his repos), ipdeny.com is the best alternative for up-to-date lists of IP ranges for specific countries.

iptables man:

https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules

country ban gist:

https://gist.github.com/jasonruyle/8870296

persistent ipset manual:

https://selivan.github.io/2018/07/27/ipset-save-with-ufw-and-iptables-persistent-and.html

Contributors

  • nisenbeck - added rate limited logging of blocked packets, whitelist feature

About

Convenient way to block countries by IP with ipset, iprange and iptables. Only a couple of iptables rules are added, which are easily revertable. Services run at startup to keep geoblock persistent.
