I was looking for an easy way to geo-block IP addresses with iptables or some other mechanism on Linux machines, and I got lucky: I found a post online from someone looking for the same thing. Like the majority of my posts, this is either something someone hasn’t figured out or something that isn’t quite right (not that I’m perfect). I like using /var/ftp as a “working directory”, so here are the steps:
Step 1: mkdir /var/ftp/zoneblock
Step 2: cd /var/ftp/zoneblock
Step 3: wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
Step 4: gunzip all-zones.tar.gz
Step 5: tar -xvf all-zones.tar.gz
* Also look at the “rm -” commands in the file, you’ll want to run those FIRST before running the ipset.sh script
Step 6: touch ipset.sh
Step 7: Copy the code below into ipset.sh (nano ipset.sh):
#!/bin/sh
# Update, all new and more automated!
# Before running this script, remove the US zone (the one country
# left unblocked), the copyright file, the tar file and the checksum:
# rm -f us.zone
# rm -f Copyrights.txt
# rm -f all-zones.tar      (after gunzip the archive is all-zones.tar, not .tar.gz)
# rm -f MD5SUM
# For each country zone file in the current directory, create an ipset
# hash:net set named after the file (e.g. ad.zone) and add every prefix
# listed in the file to it. "ipset -N NAME nethash" is the older spelling
# of "ipset create NAME hash:net"; the loop below uses the current form.
for country in *.zone
do
    ipset create "$country" hash:net
    while read -r IP
    do
        ipset add "$country" "$IP"
    done < "$country"
done
# Countries I used, block all but US
#ad,ae,af,ag,ai,al,am,an,ao,ap,ar,as,at,au,aw,ax,az,ba,bb,bd,be,bf,bg,bh,bi,bj,bm,bn,bo,bq,br,bs,bt,bw,by,bz,ca,cd,cf,cg,ch,ci,ck,cl,cm,cn,co,cr,cs,cu,cv,cw,cy,cz,de,dj,dk,dm,do,dz,ec,ee,eg,er,es,et,eu,fi,fj,fm,fo,fr,ga,gb,gd,ge,gf,gg,gh,gi,gl,gm,gn,gp,gq,gr,gt,gu,gw,gy,hk,hn,hr,ht,hu,id,ie,il,im,in,io,iq,ir,is,it,je,jm,jo,jp,ke,kg,kh,ki,km,kn,kp,kr,kw,ky,kz,la,lb,lc,li,lk,lr,ls,lt,lu,lv,ly,ma,mc,md,me,mf,mg,mh,mk,ml,mm,mn,mo,mp,mq,mr,ms,mt,mu,mv,mw,mx,my,mz,na,nc,ne,nf,ng,ni,nl,no,np,nr,nu,nz,om,pa,pe,pf,pg,ph,pk,pl,pm,pr,ps,pt,pw,py,qa,re,ro,rs,ru,rw,sa,sb,sc,sd,se,sg,si,sk,sl,sm,sn,so,sr,ss,st,sv,sx,sy,sz,tc,td,tg,th,tj,tk,tl,tm,tn,to,tr,tt,tv,tw,tz,ua,ug,uk,um
# If you want to list the members of one of the sets run this command
# (the script above creates one set per zone file, so use that name):
# ipset list ad.zone
# * Warning, this WILL be a long list :-)
# You might be better off doing: ipset list ad.zone > ad_list.txt
# which will export your list into a text file for further review
# If you want to delete a set entirely run this command:
# ipset destroy ad.zone
Step 8: If “screen” isn’t installed I recommend installing it. Ubuntu: apt-get install screen; CentOS or Red Hat: yum install screen
Step 9: screen sh ipset.sh
Step 10: Read the notes in the commented sections (lines starting with #). If you COPY the script, also make sure it is clean: nothing has skipped lines or gotten mangled by line wrapping inside the loops. Sometimes posting code on a blog doesn’t translate well because of the line wrapping.
You can confirm each country is indeed in its ipset set by running: ipset list me.zone (or any other *.zone, e.g. au.zone). You should see IP output; if so, the prefixes have been added to your ipsets.
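The script above builds the sets but two things are still missing before anything is actually blocked: an iptables rule that references each set, and a faster way to load the data than one ipset add process per prefix (the full ipdeny archive is hundreds of thousands of lines). The following is an added example of my own, not code from the original post: it turns a directory of xx.zone files into an "ipset restore" file and a script of matching iptables DROP rules. It assumes the ipdeny layout (one file per country, one IPv4 prefix per line), names the sets by country code (ad rather than the post's ad.zone), and the function names (zone_to_restore, drop_rule_for, build_geoblock) are mine. The sample zone files are constructed from RFC 5737/2544 documentation ranges so the script runs offline without root.

```shell
#!/bin/sh
# Added example, not from the original post: turn a directory of xx.zone files
# into (1) an "ipset restore" file and (2) a script of iptables DROP rules.
# Assumes the ipdeny layout: one IPv4 prefix per line, one file per country.
# Set names are the country code (file name minus .zone), e.g. "ad", which
# differs from the post's "ad.zone" naming. Function names are my own.
set -eu

# Write ipset restore lines for one zone file: a "create" for the set followed
# by one "add" per prefix. Only lines that look like IPv4 prefixes are kept, so
# a blank line or stray text cannot abort the restore half way through.
zone_to_restore() {
    zone_file=$1
    set_name=$(basename "$zone_file" .zone)
    printf 'create %s hash:net family inet\n' "$set_name"
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$zone_file" |
        while IFS= read -r prefix; do
            printf 'add %s %s\n' "$set_name" "$prefix"
        done
}

# Emit an idempotent iptables rule for one set: check with -C first so running
# the generated script twice does not stack duplicate rules in INPUT.
drop_rule_for() {
    set_name=$1
    printf 'iptables -C INPUT -m set --match-set %s src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set %s src -j DROP\n' \
        "$set_name" "$set_name"
}

# Build both output files from every *.zone file in a directory.
build_geoblock() {
    zone_dir=$1
    restore_out=$2
    rules_out=$3
    : > "$restore_out"
    printf '#!/bin/sh\nset -e\n' > "$rules_out"
    for zone_file in "$zone_dir"/*.zone; do
        [ -f "$zone_file" ] || continue
        zone_to_restore "$zone_file" >> "$restore_out"
        drop_rule_for "$(basename "$zone_file" .zone)" >> "$rules_out"
    done
}

# Constructed sample input (documentation/benchmark ranges) standing in for the
# real ipdeny zone files; includes a blank line and junk to show the filtering.
WORK=$(mktemp -d)
cat > "$WORK/xx.zone" <<'EOF'
192.0.2.0/24
198.51.100.0/24

not-a-prefix
203.0.113.0/24
EOF
cat > "$WORK/yy.zone" <<'EOF'
198.18.0.0/15
EOF

build_geoblock "$WORK" "$WORK/geoblock.restore" "$WORK/geoblock-rules.sh"
printf 'wrote %s and %s\n' "$WORK/geoblock.restore" "$WORK/geoblock-rules.sh"
```

Point it at /var/ftp/zoneblock instead of the temp directory, then as root run ipset restore -exist < geoblock.restore (one process for the whole archive, and -exist lets you re-run it after updating the zone files) followed by sh geoblock-rules.sh. The generated rules are inserted at the top of INPUT, so if you manage the box from an address that could fall in one of the sets, put an ACCEPT for that address ahead of them or change -I to -A; to survive a reboot, save the sets with ipset save and the rules with your distribution's iptables persistence mechanism, making sure the sets are restored before the rules.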
If you have questions let me know – I worked on this for a solid hour I think…maybe more trying to get the syntax to work!