Skip to content

Instantly share code, notes, and snippets.

Last active February 4, 2024 15:00
Show Gist options
  • Star 51 You must be signed in to star a gist
  • Fork 15 You must be signed in to fork a gist
  • Save jasonruyle/8870296 to your computer and use it in GitHub Desktop.
Save jasonruyle/8870296 to your computer and use it in GitHub Desktop.
UFW to block countries

#Country ban with UFW#

Grab your different country ip addresses and save as Linux IPTables

##Add country## Run the following command

while read line; do sudo ufw deny from $line; done < all.txt

Where the filename is the country.

##Remove country## To remove or revert these rules, keep that list of IPs! Then run a command like so to remove the rules:

while read line; do sudo ufw delete deny from $line; done < all.txt

##Suggestion## What I did was exported each individual country as their own country.txt file. But then realized that I wanted to run this thing one time, so I ran the following command:

cat *.txt >> all.txt

Then you can run your rule against all of the files.

Copy link

Yes, that looks sensible. The main point is to use ipset(s) to hold the big list of IPs and do the testing in the firewall rules.

One point, however: you are using an ipset of type "hash:ip". I don't know what you are using for the list of addresses. Most come as a list of IP ranges, so I would guess that "hash:net" would be more appropriate. You also might want to set the size of the table when you create it, but that will only speed up the inital load (I would guess; not an expert on it).

Copy link

poddmo commented Jan 17, 2024

I have a repo with a ufw blocklist solution: (
There is also a solution there for multiple blocklists (eg per country, bogans, etc) that tests well for me and I just need to document its use.
In particular, check out the method I use to load list into the ipset. It spawns a subshell into the background so as not to hang the system while the list is loaded.

Copy link

timlab55 commented Jan 26, 2024

@poddmo - Is there anyway of compiling the entire "?.txt" into 1 master.txt file? My target clients that I'm trying to get lives within 25 miles from me in a circle. I'm almost certain they are on "NO" blacklist. But with what I"m doing on a website I would like to know that my database and stuff is protected. I"m running this on Debian 12 on a Raspberry Pi verison 4. I don't know if I will be notify if you respond, but my email address is

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment