This used to be a Gist but was moved here instead

• Also works with ipverse.com and other providers
• Supports RH, Debian with iptables and/or firewalld
• Both ipv4 and ipv6 are supported

• setup firewall if you have not done so yet, at least INPUT chain
• run this script from cron, e.g. /etc/cron.daily
• to run on boot you can also add it to e.g. /etc/rc.local or systemd
• use argument "force" to load unchanged zonefiles instead of skipping

NOTE: this script will insert an iptables REJECT rule for ipset

If needed change OS using DISTRO setting. Default is "auto" which should be OK.

Options are:

• "auto", "debian" or "redhat"
• "manual"
  • confdir="/etc/iptables" (example)
  • rulesfile="${confdir}/myrules" (example)

Specify countries to block as "ISOCODE,Name" (same as ipdeny.com), multiple entries should be seperated by semicolon ;

Example:

COUNTRY="CN,China; US,United States; RU,Russia"

Set this option to "1" to enable firewalld: FIREWALLD=0

Set URLs for ipv4 and/or ipv6 block files, you probably do not have to change these.

To use ipverse.net instead of ipdeny.com and for more details see script

• IPBLOCK_URL_V4="http://www.ipdeny.com/ipblocks/data/aggregated"
• IPBLOCK_URL_V6="http://www.ipdeny.com/ipv6/ipaddresses/blocks"

In case you want to change log file location set:

LOG="/var/log/ipset-country.log"

Other options are explained in script

Useful ipset commands:

• ipset list
• ipset test setname <ip>
• ipset flush
• ipset destroy

• [20191116] added ipverse support, md5check option
• [20190905] tested on debian 10 and centos 7
• [20190905] blocking multiple countries should work
• [20190905] it will check if INPUT chain exists in iptables
• [20190905] cleaned it up a bit
• [20190905] using firewalld is also supported now

Also available: github.com/tokiclover/dotfiles/blob/master/bin/ips.bash