GeoIP Blocking/Large IP Blocklist

This is basically the easiest way to do it; I’ve implemented this exactly as [ciprian.craciun] has described.

Say you wanted to geoblock, using the lists at IPDeny.com:

#!/bin/bash
# Purpose: block all traffic from the listed countries (ipdeny zone files, ISO country codes)
# Matching firewall rule (add once, outside this script):
#   /sbin/iptables -A INPUT -m set --match-set geoblock src -j DROP
set -e

ISO="af al ao az ba bh bd by bj bo bg bf bi bw bn kh cm cv cf td cn cg ci dj dz
eg gq er et ga gm gh gn gw hr ht in jo kz ke kw la lb ls lr ly mg mw ml mr mu mn
ma mm na ne ng om qa ro rs ru rw sa sc sd sl so za lk sz sy tj tz tg tn tr tm ug ua ae uz vn ye zm zw"
# work in /tmp

# update the zone files
wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz -O /tmp/all-zones.tgz

# make the zonefile directory
mkdir -p /tmp/zones

# extract the all-zones file into the zones directory
tar xzCf /tmp/zones /tmp/all-zones.tgz

# create the geoblock ipset if it does not exist yet, then flush it
/sbin/ipset -exist create geoblock hash:net
/sbin/ipset flush geoblock

# loop over the ISO codes, adding each zone's networks to the geoblock set
for i in $ISO; do
    while read -r j; do
        /sbin/ipset -exist add geoblock "$j"
    done < "/tmp/zones/$i.zone"
done

# remove the zonefile directory and source tarfile
rm -rf /tmp/zones /tmp/all-zones.tgz

Now, this script can be run ad hoc, because it always flushes the ipset before attempting to load the new one. So, you could set up a cron job to run once daily, or however often you wanted to update. I have a couple of network groups, one for each that I want to block (Emerging Threats, VoIP, Geo, etc). Now, if I could only easily get it to run at boot, after VyOS has configured itself…

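One thing to be aware of with the flush-then-reload approach above: between `ipset flush` and the end of the add loop the DROP rule matches nothing, so a cron-driven reload briefly opens the door. The following added example (not the poster's script) avoids that gap by building a temporary set and swapping it in atomically with `ipset swap`. It assumes the zone files are already extracted to /tmp/zones as in the script above; the names ZONEDIR, SETNAME, build_restore and apply are my own choices.

```shell
#!/bin/sh
# Added example, not the poster's script: reload the geoblock set atomically.
# Instead of `ipset flush` followed by a slow add loop (during which the
# DROP rule matches nothing), build a temporary set and `ipset swap` it in.
# Assumed: zone files already extracted to $ZONEDIR as in the script above.
ISO="${ISO:-cn ru}"                  # countries to block (shortened sample)
ZONEDIR="${ZONEDIR:-/tmp/zones}"
SETNAME="${SETNAME:-geoblock}"

# Print an `ipset restore` script: create live + temporary sets, fill the
# temporary set from <dir>/<cc>.zone, swap, then destroy the old contents.
build_restore() {
    dir=$1; name=$2; shift 2
    tmp="${name}_tmp"
    echo "create $name hash:net family inet"
    echo "create $tmp hash:net family inet"
    echo "flush $tmp"
    for cc in "$@"; do
        f="$dir/$cc.zone"
        if [ ! -r "$f" ]; then
            echo "build_restore: missing zone file $f" >&2
            continue
        fi
        # accept only well-formed IPv4 CIDR lines; anything else is skipped
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$f" | sed "s|^|add $tmp |"
    done
    echo "swap $tmp $name"
    echo "destroy $tmp"
}

# Load the set in one restore run and ensure the DROP rule is present once.
apply() {
    build_restore "$ZONEDIR" "$SETNAME" $ISO | /sbin/ipset -exist restore
    /sbin/iptables -C INPUT -m set --match-set "$SETNAME" src -j DROP 2>/dev/null ||
        /sbin/iptables -I INPUT -m set --match-set "$SETNAME" src -j DROP
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it as `sh geoblock-swap.sh apply` from cron (or after boot) as root; without the argument it only defines the functions, so you can inspect the generated restore script with `build_restore /tmp/zones geoblock cn ru`.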