Block multiple countries using iptables and ipset
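#!/bin/bash
# Build one ipset per country code from the ipdeny.com zone files, then
# reload the iptables ruleset whose rules reference those sets by name.
#
# Requires root (ipset, iptables-restore). Every set named in the rules file
# with `-m set --match-set <name>` must exist before iptables-restore runs,
# otherwise the whole rules load fails; this script therefore always creates
# the set even when the download of its zone file fails.
set -euo pipefail

# ISO 3166-1 alpha-2 codes whose source addresses the rules file drops.
declare -a ISO=("af" "au" "al" "dz" "aq" "br" "ar" "cn" "lb" "my" "ly" "lr" "la" "jp" "jm" "jo" "kz" "ke" "hk" "ml" "mx" "fm" "md" "mc" "mn" "ms" "ma" "mz" "mm" "nr" "na" "np" "nl" "an" "nc" "nz" "ni" "ne" "ng" "nu" "nf" "mp" "no" "om" "pk" "pw" "pa" "pg" "py" "pe" "ph" "pn" "pl" "pt" "pr" "qa" "re" "ro" "ru" "rw" "kn" "lc" "vc" "ws" "sm" "st" "sn" "sa" "sc" "sl" "sg" "sk" "si" "sb" "so" "za" "gs" "es" "lk" "sh" "pm" "sd" "sr" "sj" "sz" "se" "ch" "sy" "tw" "tj" "tz" "th" "tg" "tk" "to" "tt" "tn" "tr" "tm" "tc" "tv" "ug" "ua" "ae" "gb" "um" "uy" "uz" "vu" "ve" "vn" "vg" "vi" "wf" "eh" "ye" "yu" "zm" "zw" "ie" "in" "il" "ir" "hn" )

readonly ZONE_DIR=/tmp
# HTTPS so the block lists cannot be altered in transit; the feed is the
# same host the original http:// URL pointed at.
readonly ZONE_URL_BASE=https://www.ipdeny.com/ipblocks/data/countries
readonly RULES_FILE=/etc/iptables.firewall.rules

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Download one country's zone file into ZONE_DIR.
# Arguments: $1 - ISO code
# Returns:   0 on success; non-zero on download failure, in which case any
#            partial file is removed so it cannot be mistaken for a fresh list.
#######################################
fetch_zone() {
  local code=$1
  local dest="$ZONE_DIR/$code.zone"
  if ! wget -q -O "$dest" "$ZONE_URL_BASE/$code.zone"; then
    rm -f -- "$dest"
    return 1
  fi
}

#######################################
# Create (if needed) and repopulate the ipset for one country.
# Only this set is flushed; the original `ipset flush` with no argument
# emptied every set on the host, including ones unrelated to this script.
# Arguments: $1 - ISO code; $2 - zone file, one CIDR per line
#######################################
populate_set() {
  local code=$1 zone=$2 cidr
  ipset create "$code" hash:net -exist
  ipset flush "$code"
  # `|| [[ -n ... ]]` keeps a last line that lacks a trailing newline.
  while IFS= read -r cidr || [[ -n "$cidr" ]]; do
    [[ -z "$cidr" || "$cidr" == \#* ]] && continue
    ipset add "$code" "$cidr" -exist
  done < "$zone"
}

main() {
  [[ -r "$RULES_FILE" ]] || die "rules file not readable: $RULES_FILE"
  command -v ipset >/dev/null || die "ipset not found"
  command -v wget >/dev/null || die "wget not found"

  # Remove lists left by previous runs (including wget's *.zone.1 copies).
  # -delete does not choke on "no matches" the way `| xargs rm` did.
  find "$ZONE_DIR" -maxdepth 1 \( -name '*.zone' -o -name '*.zone.1' \) -delete

  local code
  local -a failed=()
  for code in "${ISO[@]}"; do
    if fetch_zone "$code"; then
      populate_set "$code" "$ZONE_DIR/$code.zone"
    else
      # Make sure the set exists so iptables-restore still loads, but do
      # not flush it: whatever a previous run loaded stays in force rather
      # than silently unblocking the country.
      ipset create "$code" hash:net -exist
      failed+=("$code")
    fi
  done

  if (( ${#failed[@]} > 0 )); then
    printf 'warning: zone download failed for: %s\n' "${failed[*]}" >&2
  fi

  # Restore iptables
  /sbin/iptables-restore < "$RULES_FILE"
}

main "$@"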
# iptables-restore input for the filter table. Every set named below with
# `-m set --match-set <name>` must already exist (created with ipset, one set
# per ISO country code) or the whole file fails to load.
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop TCP traffic whose source is in one of the country sets (named by ISO code).
# These rules match TCP only: UDP from these sources is not matched here and
# falls through to the final "-A INPUT -j DROP"; ICMP echo-request from these
# sources is still accepted by the ping rule further down.
# Historical note from the author: the source file was at /etc/cn.zone (which in turn was generated by a shell script at /etc/block-china.sh )
# -A INPUT -p tcp -m set --match-set china src -j DROP
-A INPUT -p tcp -m set --match-set af src -j DROP
-A INPUT -p tcp -m set --match-set au src -j DROP
-A INPUT -p tcp -m set --match-set al src -j DROP
-A INPUT -p tcp -m set --match-set dz src -j DROP
-A INPUT -p tcp -m set --match-set aq src -j DROP
-A INPUT -p tcp -m set --match-set br src -j DROP
-A INPUT -p tcp -m set --match-set ar src -j DROP
-A INPUT -p tcp -m set --match-set cn src -j DROP
-A INPUT -p tcp -m set --match-set lb src -j DROP
-A INPUT -p tcp -m set --match-set my src -j DROP
-A INPUT -p tcp -m set --match-set ly src -j DROP
-A INPUT -p tcp -m set --match-set lr src -j DROP
-A INPUT -p tcp -m set --match-set la src -j DROP
-A INPUT -p tcp -m set --match-set jp src -j DROP
-A INPUT -p tcp -m set --match-set jm src -j DROP
-A INPUT -p tcp -m set --match-set jo src -j DROP
-A INPUT -p tcp -m set --match-set kz src -j DROP
-A INPUT -p tcp -m set --match-set ke src -j DROP
-A INPUT -p tcp -m set --match-set hk src -j DROP
-A INPUT -p tcp -m set --match-set ml src -j DROP
-A INPUT -p tcp -m set --match-set mx src -j DROP
-A INPUT -p tcp -m set --match-set fm src -j DROP
-A INPUT -p tcp -m set --match-set md src -j DROP
-A INPUT -p tcp -m set --match-set mc src -j DROP
-A INPUT -p tcp -m set --match-set mn src -j DROP
-A INPUT -p tcp -m set --match-set ms src -j DROP
-A INPUT -p tcp -m set --match-set ma src -j DROP
-A INPUT -p tcp -m set --match-set mz src -j DROP
-A INPUT -p tcp -m set --match-set mm src -j DROP
-A INPUT -p tcp -m set --match-set nr src -j DROP
-A INPUT -p tcp -m set --match-set na src -j DROP
-A INPUT -p tcp -m set --match-set np src -j DROP
-A INPUT -p tcp -m set --match-set nl src -j DROP
-A INPUT -p tcp -m set --match-set an src -j DROP
-A INPUT -p tcp -m set --match-set nc src -j DROP
-A INPUT -p tcp -m set --match-set nz src -j DROP
-A INPUT -p tcp -m set --match-set ni src -j DROP
-A INPUT -p tcp -m set --match-set ne src -j DROP
-A INPUT -p tcp -m set --match-set ng src -j DROP
-A INPUT -p tcp -m set --match-set nu src -j DROP
-A INPUT -p tcp -m set --match-set nf src -j DROP
-A INPUT -p tcp -m set --match-set mp src -j DROP
-A INPUT -p tcp -m set --match-set no src -j DROP
-A INPUT -p tcp -m set --match-set om src -j DROP
-A INPUT -p tcp -m set --match-set pk src -j DROP
-A INPUT -p tcp -m set --match-set pw src -j DROP
-A INPUT -p tcp -m set --match-set pa src -j DROP
-A INPUT -p tcp -m set --match-set pg src -j DROP
-A INPUT -p tcp -m set --match-set py src -j DROP
-A INPUT -p tcp -m set --match-set pe src -j DROP
-A INPUT -p tcp -m set --match-set ph src -j DROP
-A INPUT -p tcp -m set --match-set pn src -j DROP
-A INPUT -p tcp -m set --match-set pl src -j DROP
-A INPUT -p tcp -m set --match-set pt src -j DROP
-A INPUT -p tcp -m set --match-set pr src -j DROP
-A INPUT -p tcp -m set --match-set qa src -j DROP
-A INPUT -p tcp -m set --match-set re src -j DROP
-A INPUT -p tcp -m set --match-set ro src -j DROP
-A INPUT -p tcp -m set --match-set ru src -j DROP
-A INPUT -p tcp -m set --match-set rw src -j DROP
-A INPUT -p tcp -m set --match-set kn src -j DROP
-A INPUT -p tcp -m set --match-set lc src -j DROP
-A INPUT -p tcp -m set --match-set vc src -j DROP
-A INPUT -p tcp -m set --match-set ws src -j DROP
-A INPUT -p tcp -m set --match-set sm src -j DROP
-A INPUT -p tcp -m set --match-set st src -j DROP
-A INPUT -p tcp -m set --match-set sn src -j DROP
-A INPUT -p tcp -m set --match-set sa src -j DROP
-A INPUT -p tcp -m set --match-set sc src -j DROP
-A INPUT -p tcp -m set --match-set sl src -j DROP
-A INPUT -p tcp -m set --match-set sg src -j DROP
-A INPUT -p tcp -m set --match-set sk src -j DROP
-A INPUT -p tcp -m set --match-set si src -j DROP
-A INPUT -p tcp -m set --match-set sb src -j DROP
-A INPUT -p tcp -m set --match-set so src -j DROP
-A INPUT -p tcp -m set --match-set za src -j DROP
-A INPUT -p tcp -m set --match-set gs src -j DROP
-A INPUT -p tcp -m set --match-set es src -j DROP
-A INPUT -p tcp -m set --match-set lk src -j DROP
-A INPUT -p tcp -m set --match-set sh src -j DROP
-A INPUT -p tcp -m set --match-set pm src -j DROP
-A INPUT -p tcp -m set --match-set sd src -j DROP
-A INPUT -p tcp -m set --match-set sr src -j DROP
-A INPUT -p tcp -m set --match-set sj src -j DROP
-A INPUT -p tcp -m set --match-set sz src -j DROP
-A INPUT -p tcp -m set --match-set se src -j DROP
-A INPUT -p tcp -m set --match-set ch src -j DROP
-A INPUT -p tcp -m set --match-set tw src -j DROP
-A INPUT -p tcp -m set --match-set tj src -j DROP
-A INPUT -p tcp -m set --match-set tz src -j DROP
-A INPUT -p tcp -m set --match-set th src -j DROP
-A INPUT -p tcp -m set --match-set tg src -j DROP
-A INPUT -p tcp -m set --match-set tk src -j DROP
-A INPUT -p tcp -m set --match-set to src -j DROP
-A INPUT -p tcp -m set --match-set tt src -j DROP
-A INPUT -p tcp -m set --match-set tn src -j DROP
-A INPUT -p tcp -m set --match-set tr src -j DROP
# Duplicate of the tn rule two lines up; harmless but redundant.
-A INPUT -p tcp -m set --match-set tn src -j DROP
-A INPUT -p tcp -m set --match-set tm src -j DROP
-A INPUT -p tcp -m set --match-set tc src -j DROP
-A INPUT -p tcp -m set --match-set tv src -j DROP
-A INPUT -p tcp -m set --match-set ug src -j DROP
-A INPUT -p tcp -m set --match-set ua src -j DROP
-A INPUT -p tcp -m set --match-set ae src -j DROP
-A INPUT -p tcp -m set --match-set gb src -j DROP
-A INPUT -p tcp -m set --match-set um src -j DROP
-A INPUT -p tcp -m set --match-set uy src -j DROP
# Duplicate of the um rule two lines up; harmless but redundant.
-A INPUT -p tcp -m set --match-set um src -j DROP
-A INPUT -p tcp -m set --match-set uz src -j DROP
-A INPUT -p tcp -m set --match-set vu src -j DROP
-A INPUT -p tcp -m set --match-set ve src -j DROP
-A INPUT -p tcp -m set --match-set vn src -j DROP
-A INPUT -p tcp -m set --match-set vg src -j DROP
-A INPUT -p tcp -m set --match-set vi src -j DROP
-A INPUT -p tcp -m set --match-set wf src -j DROP
-A INPUT -p tcp -m set --match-set eh src -j DROP
# Duplicate of the eh rule directly above; harmless but redundant.
-A INPUT -p tcp -m set --match-set eh src -j DROP
-A INPUT -p tcp -m set --match-set ye src -j DROP
-A INPUT -p tcp -m set --match-set yu src -j DROP
-A INPUT -p tcp -m set --match-set zm src -j DROP
-A INPUT -p tcp -m set --match-set zw src -j DROP
-A INPUT -p tcp -m set --match-set ie src -j DROP
-A INPUT -p tcp -m set --match-set in src -j DROP
-A INPUT -p tcp -m set --match-set il src -j DROP
-A INPUT -p tcp -m set --match-set ir src -j DROP
-A INPUT -p tcp -m set --match-set hn src -j DROP
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
# These come after the country DROPs, so TCP from a blocked set never reaches them.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping (not restricted by the country sets above, which match TCP only)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log iptables denied calls (rate-limited to 5 per minute so a flood cannot fill the log)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
# Explicit final DROPs, so the result does not depend on the chains' default policy.
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT