@jasonruyle
Last active November 1, 2023 12:34
UFW to block countries

# Country ban with UFW #

Grab your different country ip addresses and save as Linux IPTables

http://www.ip2location.com/free/visitor-blocker

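## Add country ##

Run the following command:

```bash
# Add one deny rule per CIDR range listed in the file
while read -r line; do sudo ufw deny from "$line"; done < all.txt
```

The file name (`all.txt` here) is the file holding the country's IP ranges.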

## Remove country ##

To remove or revert these rules, keep that list of IPs! Then run a command like so to remove the rules:

```bash
# Delete the deny rule for each CIDR range listed in the file
while read -r line; do sudo ufw delete deny from "$line"; done < all.txt
```

## Suggestion ##

What I did was export each individual country as its own country.txt file. But then I realized that I wanted to run this thing one time, so I ran the following command:

```bash
cat *.txt >> all.txt
```

Then you can run your rule against all of the files.

@necessary129

> Grab your different country ip addresses and save as Linux IPTables

Or save as CIDR?

@happybydefault

happybydefault commented May 14, 2017

Definitely get the CIDR format—and not the Linux IPTables one—if you are going to use those commands, otherwise you'll only receive syntax errors.

Thank you both, by the way!

@dmhendricks

Note that you can only look up one country at a time with IP2Location unless you sign up for a "free" account, but if you read the license terms that you must agree to, this practice is banned. They do have a lite version available of the database for download (licensed CC BY-SA 4.0), which they claim is >98.0% accurate, versus the >99.5% that they claim for their commercial product with Draconian terms and hidden fees.

You can also install CSR, which uses MaxMind's secretive GeoLite database (also licensed CC BY-SA 4.0).

With GDPR on the horizon, we need a new option that doesn't break the bank. Quickly.

@ntnlabs

ntnlabs commented Jan 24, 2019

On the other side, I can do whitelisting with this if I have a service just for one country. I guess I could do this (let's say service is web):

```bash
while read -r line; do ufw allow from "$line" to any port 80 proto tcp; done < country.txt
```

or if you have an app for that

```bash
while read -r line; do ufw allow from "$line" to any app 'Apache Full'; done < country.txt
```

@prensing

Note this is not going to scale well, with 10,000s of lines in the block list. A better solution would involve using ipset, which supports large dictionaries of IP ranges.

@jmcbri

jmcbri commented Jun 9, 2020

Just added the CIDR files for the countries I wanted to block: China, Great Britain, and Sweden. Took 20 minutes or so. The size of the files seems unworkable. Didn't see an immediate performance degradation, but it's tens of thousands of lines. Can be the best approach. Maybe Cloudflare free account? Assuming there is such and it will work? Think I read it would, just wanted an on-the-server approach.

@vitor-ao

vitor-ao commented Feb 21, 2021

You can use this site and select multiple countries: https://www.countryipblocks.net/acl.php

@poudenes

Hi All,

I'm trying to block some countries because of a lot of requests to log in to my mail server and WordPress sites.
I have 3 countries and created an ACL list. Changed the format so I can block them with UFW.

The lines in total are 15.000. How big is the impact when I add them all to my (personal use VPS) with 1CPU, 2GB machine?

@scabilos

I'm running the while loop right now.
It is very slow, parsing one line per second.
Given the size of the file, calculation results in 47 hours.
Can I speed this up?

@prensing

As I posted earlier, this is not a good solution. Adding 10s of thousands of rules, 1 per IP block, is not scalable. Use ipset (https://ipset.netfilter.org/). You can put all the ranges into a set and then add a single rule into iptables.
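
The set-plus-single-rule approach described in the comment above, as an added example that is not part of the gist or of any commenter's post: it validates a CIDR list and emits `ipset restore` input instead of one firewall rule per range. The function names, the set name `countryblock` and the sample ranges are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: convert a CIDR list into `ipset restore` input.
# The set name "countryblock" and the sample ranges are assumptions.

# Reads CIDR lines on stdin, writes restore-format lines on stdout.
# Skips comments, blanks, duplicates, non-CIDR lines (such as the
# "Linux IPTables" export format) and /0, which hash:net cannot store.
build_ipset_restore() {
  awk -v set="$1" '
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # drop comments, spaces, CRs
    $0 == "" { next }
    {
      n = split($0, p, "[./]")
      ok = (n == 5 && $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/)
      for (i = 1; ok && i <= 4; i++) if (p[i] + 0 > 255) ok = 0
      if (ok && (p[5] + 0 < 1 || p[5] + 0 > 32)) ok = 0
      if (!ok) { print "skipped: " $0 > "/dev/stderr"; next }
      # Normalise (strips leading zeros) so duplicates compare equal.
      cidr = (p[1]+0) "." (p[2]+0) "." (p[3]+0) "." (p[4]+0) "/" (p[5]+0)
      if (!seen[cidr]++) list[++count] = cidr
    }
    END {
      # ipset defaults to maxelem 65536; raise it for larger lists.
      maxelem = (count > 65536) ? count : 65536
      printf "create %s hash:net family inet maxelem %d\n", set, maxelem
      for (i = 1; i <= count; i++) printf "add %s %s\n", set, list[i]
    }'
}

# Constructed sample input (documentation ranges only).
sample_list() {
  printf '%s\n' \
    '192.0.2.0/24' \
    '198.51.100.0/24   # trailing comment' \
    '192.0.2.0/24' \
    '0.0.0.0/0' \
    '300.1.1.0/24' \
    'iptables -A INPUT -s 203.0.113.0/24 -j DROP'
  printf '203.0.113.0/24\r\n'
}

# Demo: print the restore script for the sample (skips go to stderr).
sample_list | build_ipset_restore countryblock

# To apply as root (not executed here):
#   build_ipset_restore countryblock < all.txt | ipset -exist restore
#   iptables -I INPUT -m set --match-set countryblock src -j DROP
```

Rejecting `0.0.0.0/0` and malformed lines before loading matters here because a bad entry in a block list either aborts the restore or blocks far more than intended.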

@poddmo

poddmo commented Oct 10, 2023

I have created an IP blocklist solution for UFW: https://github.com/poddmo/ufw-blocklist
It is designed to be very lightweight (runs on a single board computer home internet gateway) and very fast (using ipsets)
