UFW to block countries

# Country ban with UFW

Grab the IP address lists for the countries you want to block and save them as Linux IPTables.

## Add country

Run the following command:

```sh
# one deny rule per line of the list; -r and the quotes keep odd characters intact
while read -r line; do sudo ufw deny from "$line"; done < all.txt
```

where the filename is the country.

## Remove country

To remove or revert these rules, keep that list of IPs! Then run a command like so to remove the rules:

```sh
# same loop, but deleting the deny rule that was added for each entry
while read -r line; do sudo ufw delete deny from "$line"; done < all.txt
```

## Suggestion

What I did was export each individual country as its own country.txt file. But then I realized that I wanted to run this thing one time, so I ran the following command:

```sh
cat *.txt >> all.txt
```

Then you can run your rule against all of the files.

necessary129 commented Nov 13, 2015

> Grab your different country ip addresses and save as Linux IPTables

Or save as CIDR?

happybydefault commented May 14, 2017

Definitely get the CIDR format—and not the Linux IPTables one—if you are going to use those commands, otherwise you'll only receive syntax errors.

Thank you both, by the way!

dmhendricks commented Apr 8, 2018

Note that you can only look up one country at a time with IP2Location unless you sign up for a "free" account, but if you read the license terms that you must agree to, this practice is banned. They do have a lite version available of the database for download (licensed CC BY-SA 4.0), which they claim is >98.0% accurate, versus the >99.5% that they claim for their commercial product with Draconian terms and hidden fees.

You can also install CSR, which uses MaxMind's secretive GeoLite database (also licensed CC BY-SA 4.0).

With GDPR on the horizon, we need a new option that doesn't break the bank. Quickly.

ntnlabs commented Jan 24, 2019

On the other side, I can do whitelisting with this if I have a service just for one country. I guess I could do this (let's say the service is web):

```sh
# allow only the listed ranges to reach TCP port 80
while read -r line; do ufw allow from "$line" to any port 80 proto tcp; done < country.txt
```

or if you have an app profile for that:

```sh
# same, using the ufw application profile instead of an explicit port
while read -r line; do ufw allow from "$line" to any app 'Apache Full'; done < country.txt
```

prensing commented Feb 26, 2019

Note this is not going to scale well, with 10,000s of lines in the block list. A better solution would involve using ipset, which supports large dictionaries of IP ranges.
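The following is an added example, not code from the gist or from any of the commenters. It covers two points raised above: the note that the list must be in CIDR form rather than the iptables export (or the loop only produces syntax errors), and the scaling concern that motivates ipset. It assumes one IPv4 CIDR per line; each entry is validated before it is turned into a `ufw` command, and the same list can be emitted as an `ipset restore` file so one iptables rule matches the whole set. The sample list, the set name `countryblock` and the hash sizes are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the gist). Assumes an IPv4 CIDR-per-line list.
# Malformed lines are reported and skipped instead of being handed to ufw.

# is_ipv4_cidr ADDR/LEN: succeed only for a well-formed IPv4 CIDR.
is_ipv4_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;                       # no prefix length at all
  esac
  addr=${1%/*}
  len=${1##*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $addr                           # split the address on dots
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# valid_cidrs FILE: print each usable entry, one per line. Strips '#'
# comments, blank lines, whitespace and CRLF; reports anything that is not
# an IPv4 CIDR on stderr and skips it.
valid_cidrs() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    line=$(printf '%s' "$line" | tr -d ' \t\r')
    [ -n "$line" ] || continue
    if is_ipv4_cidr "$line"; then
      printf '%s\n' "$line"
    else
      printf 'skipping malformed entry: %s\n' "$line" >&2
    fi
  done < "$1"
}

# ufw_rules_from_list ACTION FILE: the gist's loop, with validated input.
# Prints the commands only; pipe through `sudo sh` to apply them, or pass
# "delete deny" as the action to revert.
ufw_rules_from_list() {
  valid_cidrs "$2" | while IFS= read -r cidr; do
    printf 'ufw %s from %s\n' "$1" "$cidr"
  done
}

# ipset_restore_from_list SETNAME FILE: one hash:net set instead of tens of
# thousands of ufw rules. Load with `sudo ipset restore < file`, then match
# the whole set from a single rule:
#   iptables -I INPUT -m set --match-set SETNAME src -j DROP
ipset_restore_from_list() {
  printf 'create %s hash:net family inet hashsize 4096 maxelem 262144\n' "$1"
  valid_cidrs "$2" | while IFS= read -r cidr; do
    printf 'add %s %s\n' "$1" "$cidr"
  done
}

# count_valid_rules FILE: how many entries survive validation.
count_valid_rules() {
  valid_cidrs "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample (not real country data): valid entries plus the kinds
# of lines that break the bare one-liner.
SAMPLE_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_LIST"' EXIT
{
  printf '%s\n' '# constructed sample'
  printf '%s\n' '203.0.113.0/24'
  printf '%s\n' '198.51.100.0/25   # inline comment'
  printf '%s\n' '-A INPUT -s 192.0.2.0/24 -j DROP'   # iptables export line: skipped
  printf '%s\n' '192.0.2.0/33'                        # bad prefix length: skipped
  printf '%s\r\n' '192.0.2.0/24'                      # CRLF line ending: accepted
} > "$SAMPLE_LIST"

ufw_rules_from_list deny "$SAMPLE_LIST"               # dry run, nothing applied
ipset_restore_from_list countryblock "$SAMPLE_LIST"
```

Running it prints three `ufw deny from ...` lines and a four-line `ipset restore` file, and reports the iptables-format line and the `/33` entry on stderr. The dry-run default is deliberate: review the generated commands before piping them to `sudo sh`, since a bad list applied blindly with `ufw deny` can lock out legitimate ranges just as easily as it blocks the intended ones.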

jmcbri commented Jun 9, 2020

Just added the CIDR files for the countries I wanted to block: China, Great Britain, and Sweden. Took 20 minutes or so. The size of the files seems unworkable. Didn't see an immediate performance degradation, but it's tens of thousands of lines. Can be the best approach. Maybe Cloudflare free account? Assuming there is such and it will work? Think I read it would, just wanted an on-the-server approach.

vitor-ao commented Feb 21, 2021

You can use this site and select multiple countries:
