
- #Using ip2location to block country how to
- #Using ip2location to block country full
- #Using ip2location to block country download
as xml file for Russia or for the Bahamas. If you are using firewalld, you can use my predefined drop zone e.g. The process is single-threaded, so also on servers with many CPU cores this is gonna takes some time.

#Using ip2location to block country full
ufw behaves much better, a reboot of the Ubuntu test system with the full IPv4 and IPv4 Russian test set performed reasonably well.įor fully automated servers that run automatic updates and reboots and can have a rather large latency after a reboot, the firewalld method should be fine though. This is the reason, why I recommend the “Just block it already” method for most servers, because it scales much better. So if the rule setup takes 20 minutes, you need to wait for firewalld to finish startup before you can even ssh into the machine. During the firewall setup, you can’t ssh into the host. WARNING: firewalld can take ages to boot with large listsĪdding large blocklists makes firewall-cmd -reload take a long time! On my test machine it took 20 minutes for the following example on each reboot. See the section “List of mirrored blocklists” below in case the above stated link is not working. Select the country you would like to block and use CIDR as Format. Obtain the current country block lists from Obtaining and activating the blocklist ( firewalld and ufw)
#Using ip2location to block country download

We will establish a blocking filter in three steps: Obtaining a block list, activating it and check the system for the active rules. Raw iptables however might be the fastest way to deploy this and given how slow firewalld and ufw are, raw iptables are my recommendation for most setups. Because those two methods scale very poorly, for firewalld the recommended way is to create and deploy a drop.xml.
#Using ip2location to block country how to
I will also show you how to setup persistent rules using firewalld or ufw. This is intended as immediate damage control but is not persistent. My best hope is that this can be used to shield some more exposed services from the poor fucking infrantry, searching for easy prey.Īt first will describe a very quick way of getting the job done via iptables (See “Just block it already”).

This is (at best) useful for only a handful of very coarse attack scenarios by groups with low resources and motivation. In this blog post I will try to summarize methods on how to block the IP space of certain countries on different classical Linux systems.Ī warning beforehand: anyone can bypass IP ranges easily. With the Ukrainian war ongoing the risk of various attacks on our domestic IT infrastructure is high.
