This used to be a Gist but was moved here instead
- Also works with ipverse.com and other providers
- Supports RH, Debian with iptables and/or firewalld
- Both ipv4 and ipv6 are supported
- set up a firewall (at least the INPUT chain) if you have not done so yet
- run this script from cron, e.g. /etc/cron.daily
- to run it on boot you can also add it to e.g. /etc/rc.local or a systemd unit
- use the argument "force" to load unchanged zone files instead of skipping them
NOTE: this script inserts an iptables REJECT rule that matches the ipset
If needed, change the OS using the DISTRO setting. The default is "auto", which should be OK.
Options are:
- "auto", "debian" or "redhat"
- "manual", e.g.:
  confdir="/etc/iptables" (example)
  rulesfile="${confdir}/myrules" (example)
Specify countries to block as "ISOCODE,Name" (same as ipdeny.com); multiple entries should be separated by a semicolon (;)
Example:
COUNTRY="CN,China; US,United States; RU,Russia"
To enable firewalld, set this option to "1":
FIREWALLD=0
Set the URLs for the ipv4 and/or ipv6 block files; you probably do not have to change these.
To use ipverse.net instead of ipdeny.com, and for more details, see the script
IPBLOCK_URL_V4="http://www.ipdeny.com/ipblocks/data/aggregated"
IPBLOCK_URL_V6="http://www.ipdeny.com/ipv6/ipaddresses/blocks"
In case you want to change the log file location, set:
LOG="/var/log/ipset-country.log"
Other options are explained in the script
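As an added example (not the project's script itself): a small POSIX shell dry run that parses the COUNTRY setting described above into ISO codes, derives the per-country zone file URLs from IPBLOCK_URL_V4/V6, and prints the ipset and iptables commands behind the REJECT rule note. The zone file names (cc-aggregated.zone, cc.zone) and the set names (cc-v4, cc-v6) are assumptions, not taken from this page; nothing is executed.

```shell
#!/bin/sh
# Added example, not the ipset-country script. Values below mirror the README.
# Assumptions: ipdeny file names "<cc>-aggregated.zone" (v4) and "<cc>.zone" (v6);
# set names "<cc>-v4" / "<cc>-v6" are invented here for illustration.

COUNTRY="CN,China; US,United States; RU,Russia"
IPBLOCK_URL_V4="http://www.ipdeny.com/ipblocks/data/aggregated"
IPBLOCK_URL_V6="http://www.ipdeny.com/ipv6/ipaddresses/blocks"

# Print one lower-case ISO code per line from "ISOCODE,Name; ISOCODE,Name".
# Surrounding spaces and empty entries (e.g. a trailing ';') are tolerated.
country_codes() {
  printf '%s\n' "$1" | tr ';' '\n' | while IFS=, read -r code _; do
    code=$(printf '%s' "$code" | tr -d ' ' | tr 'A-Z' 'a-z')
    if [ -n "$code" ]; then printf '%s\n' "$code"; fi
  done
}

# Print "<cc> <v4 zone url> <v6 zone url>" for every configured country.
zone_urls() {
  country_codes "$1" | while read -r cc; do
    printf '%s %s/%s-aggregated.zone %s/%s.zone\n' \
      "$cc" "$IPBLOCK_URL_V4" "$cc" "$IPBLOCK_URL_V6" "$cc"
  done
}

# Print (do not run) the commands that would create the sets and insert a
# REJECT rule at the top of the INPUT chain for ipv4 and ipv6 traffic.
dry_run_rules() {
  country_codes "$1" | while read -r cc; do
    printf 'ipset create %s-v4 hash:net family inet\n' "$cc"
    printf 'ipset create %s-v6 hash:net family inet6\n' "$cc"
    printf 'iptables -I INPUT -m set --match-set %s-v4 src -j REJECT\n' "$cc"
    printf 'ip6tables -I INPUT -m set --match-set %s-v6 src -j REJECT\n' "$cc"
  done
}

zone_urls "$COUNTRY"
dry_run_rules "$COUNTRY"
```

Pipe the dry-run output into a shell only after reviewing it; the real script also verifies the downloaded zone files (md5check) before loading them.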
Useful ipset commands:
ipset list
ipset test setname <ip>
ipset flush
ipset destroy
- [20191116] added ipverse support, md5check option
- [20190905] tested on debian 10 and centos 7
- [20190905] blocking multiple countries should work
- [20190905] it will check if INPUT chain exists in iptables
- [20190905] cleaned it up a bit
- [20190905] using firewalld is also supported now
Also available: github.com/tokiclover/dotfiles/blob/master/bin/ips.bash