UFW to block countries

UFW_ban_country.md

#Country ban with UFW#

Grab your different country ip addresses and save as Linux IPTables

http://www.ip2location.com/free/visitor-blocker

##Add country## Run the following command

while read line; do sudo ufw deny from $line; done < all.txt

Where the filename is the country.

##Remove country## To remove or revert these rules, keep that list of IPs! Then run a command like so to remove the rules:

while read line; do sudo ufw delete deny from $line; done < all.txt

##Suggestion## What I did was exported each individual country as their own country.txt file. But then realized that I wanted to run this thing one time, so I ran the following command:

cat *.txt >> all.txt

Then you can run your rule against all of the files.

Grab your different country ip addresses and save as Linux IPTables

Or save as CIDR?

Definitely get the CIDR format—and not the Linux IPTables one—if you are going to use those commands, otherwise you'll only receive syntax errors.

Thank you both, by the way!

Note that you can only look up one country at a time with IP2Location unless you sign up for a "free" account, but if you read the license terms that you must agree to, this practice is banned. They do have a lite version available of the database for download (licensed CC BY-SA 4.0), which they claim is >98.0% accurate, versus the >99.5% that they claim for their commercial product with Draconian terms and hidden fees.

You can also install CSR, which uses MaxMind's secretive GeoLite database (also licensed CC BY-SA 4.0).

With GDPR on the horizon, we need a new option that doesn't break the bank. Quickly.

On the other side, I can do whitelisting with this if I have a service just for one country. I guess I could do this (let's say service is web):

while read line; do ufw allow from $line to any port 80 proto tcp; done < country.txt

or if You have an app for that

while read line; do ufw allow from $line to any app 'Apache Full'; done < country.txt

Not this is not going to scale well, with 10,000s of lines in the block list. A better solution would involve using ipset, which supports large dictionaries of IP ranges.

Just added the CIDR files for the countries I wanted to block: China, Great Britain, and Sweden. Took 20 minutes or so. The size of the files seems unworkable. Didn't see an immediate performance degradation, but it's tens of thousands of lines. Can be the best approach. Maybe Cloudflare free account? Assuming there is such and it will work? Think I read it would, just wanted an on-the-server approach.

You can use this site and select multiple countries: https://www.countryipblocks.net/acl.php

Hi All,

Im try to block some countries because lot requests to login to my mail server and Wordpress sites.
I have 3 countries and created a ACL list. Changed format so I can block them with UFW.

The lines in total are 15.000. How big is the impact when I add them all to my (personal use VPS) with 1CPU, 2GB machine?

I'm running the whiel loop right now.
It is very slow, parsing one line pe second.
Given the size of the file, calculation results in 47 hours.
Can I speed this up?

As I posted earlier, this is not a good solution. Adding 10s of thousands of rules, 1 per IP block, is not scalable. Use ipset (https://ipset.netfilter.org/). You can put all the ranges into a set and then add a single rule into iptables.

The solution I was looking for, is here:
https://serverfault.com/questions/907607/slow-rules-inserting-in-ufw

I have created an IP blocklist solution for UFW: https://github.com/poddmo/ufw-blocklist
It is designed to be very lightweight (runs on a single board computer home internet gateway) and very fast (using ipsets)