I would like to block all countries except mine in iptables, that is a list with about 100,000 entries.

How can I define this blacklist file in a script, so iptables blocks all those IP ranges?

Maybe I can use: http://www.ipdeny.com/ipblocks/data/countries/ that provides lists in the form

117.55.192.0/20
117.104.224.0/21
119.59.80.0/21
121.100.48.0/21
...

I want to be able to change the blacklist file easily without having to change the iptables script.

Bill the Lizard
rubo77
  • This is usually a bad idea. What are you _really_ wanting to do? – Michael Hampton Sep 13 '12 at 14:33
  • 2
    It would take ages to load; a better approach would be to DENY by default and ACCEPT for the ones of your country. Just remember that the IPs change continuously, so an IP that is from Deutschland today might be Greek tomorrow; also new IPs are assigned every day. – aseques Sep 13 '12 at 14:37
  • I think this script is quite useful: http://www.cyberciti.biz/faq/block-entier-country-using-iptables/ – rubo77 Sep 14 '12 at 00:19
  • Wouldn't it be already really effective, if I block the biggest networks with /8 at the mask? Then I would have only 100 rules and would block 1.6 Billion IPs already ;) – rubo77 Sep 14 '12 at 00:21

2 Answers

Take a look at ipset; I think this is exactly what you are looking for (ipset extension).

hostmaster
  • Sounds good, but how do I set this up on Ubuntu 12.04.1? This seems like what I need, but I get errors installing it without the (in 12.04 removed) package ipset-source: http://www.jsimmons.co.uk/2010/06/08/using-ipset-with-iptables-in-ubuntu-lts-1004-to-block-large-ip-ranges/ – rubo77 Sep 14 '12 at 00:43
  • I asked another question for that: http://serverfault.com/questions/427308/howto-install-ipset-on-ubuntu-12-04 – rubo77 Sep 14 '12 at 00:52
  • Are you sure? I installed ipset on my 12.04 without any problem. https://gist.github.com/3720382 – hostmaster Sep 14 '12 at 07:05
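As an added example (not part of the original answer), this is how the ipset approach answers the question: the CIDR list from the file becomes one `hash:net` set, iptables gets a single rule that references the set, and reloading the file swaps the set in atomically, so the iptables script never changes when the list does. The set name `blacklist` and the file path are assumptions; `apply_blacklist` needs root, ipset and iptables.

```shell
#!/bin/sh
# Load a CIDR blacklist file (one IPv4 network per line, as in the
# ipdeny country files) into an ipset and block it with one rule.

SET_NAME="${SET_NAME:-blacklist}"   # assumed set name
# Both sets get the same parameters so "swap" is allowed; maxelem is
# raised above the default 65536 because the list has ~100,000 entries.
SET_PARAMS="hash:net family inet hashsize 65536 maxelem 200000"

# Turn the blacklist file into input for "ipset restore". Only lines that
# look like an IPv4 address or CIDR are accepted, so comments, blank lines
# and typos in the file cannot turn into malformed set entries.
build_restore_input() {
    file="$1"
    echo "create ${SET_NAME}_tmp ${SET_PARAMS}"
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$file" \
        | sed "s/^/add ${SET_NAME}_tmp /"
    echo "create ${SET_NAME} ${SET_PARAMS}"
    echo "swap ${SET_NAME}_tmp ${SET_NAME}"   # atomic replace of the live set
    echo "destroy ${SET_NAME}_tmp"             # now holds the old contents
}

# Load or reload the set, then make sure exactly one DROP rule points at
# it (-C checks whether the rule already exists before inserting).
apply_blacklist() {
    build_restore_input "$1" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Usage (as root): . ./blacklist.sh && apply_blacklist /etc/blacklist.txt
```

To follow the "deny by default, allow your own country" suggestion from the comments instead, load the country's list the same way and use `! --match-set` with a DROP rule (or ACCEPT on the match with a DROP policy).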
Blocking by country is certainly a very bad idea but there is a geoip module for Netfilter which is probably the simplest solution.

bortzmeyer