Geofence with iptables: Blocking Countries at the Firewall

In some situations one may find it useful to block entire countries or restrict access to only one or a few. This is a technique known as geofencing, and if you've ever tried to watch a video only to be told that it's not available in your region, you have been the victim of it. Geofencing, like geolocation, is possible because blocks of IP address space are handed out to specific countries, and additional details such as the province or city of the address holder may be obtained through reverse-whois. Data collected below the country level can be unreliable: often the location of a national ISP's head office will appear to be the source of all of its users.

ahorli on the Clear forums just posted their geofencing solution for ClearOS at http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,7/func,view/id,10382/. It is intended to block specific countries that tend to produce a high volume of spam and automated attacks (in this case, Russia and China). I thought it would be neat to reverse the script so I could block every country except a specific one or two. Obviously this kind of tactic isn't going to stop someone who really wants into your box from outside the geofence; there is everything from proxies to VPNs available to get around it. My interest here is in reducing automated attacks to those originating in the motherland, because that's the only place I expect to be connecting to our hypothetical server from.

Download this script and put it somewhere appropriate; I would suggest /sbin or /usr/sbin. In order to work, this requires that your default INPUT policy is DROP or REJECT. As mentioned above, geofencing is more art than science, and when I ran this script my own subnet was not unblocked. I strongly recommend including your headquarters in the ALLOWSUBNET variable, or you may find yourself one day without access. As you can see, MAXZONEAGE is set to 6, so if we pop this in cron.weekly it should refresh its fence list every week. You should add the script to your firewall or local init scripts; on ClearOS use /etc/rc.d/rc.firewall.local.
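The allow-only form of the fence described above, as an added example rather than the script from the post or the forum thread: it assumes per-country zone files holding one IPv4 CIDR per line, a hypothetical GEOFENCE chain hooked into an INPUT chain whose policy is already DROP, and the variable names ALLOWSUBNET and MAXZONEAGE modeled on the post. It runs in dry-run mode (printing the iptables commands) unless IPT is set to the real binary.

```shell
#!/bin/sh
# Added example, not the post's script. Allow-only geofence: accept the headquarters
# subnet and every prefix in the chosen countries' zone files; everything else falls
# through to INPUT's DROP policy. Variable names are modeled on the post.
ALLOWSUBNET="${ALLOWSUBNET:-192.0.2.0/24}"   # constructed RFC 5737 range standing in for HQ
MAXZONEAGE="${MAXZONEAGE:-6}"               # days before a cached zone file is considered stale
IPT="${IPT:-echo iptables}"                 # dry run by default; IPT=iptables to apply for real

# zone_is_stale FILE: true (0) if the zone file is missing or older than MAXZONEAGE days,
# i.e. it should be downloaded again before the fence is rebuilt
zone_is_stale() {
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mtime +"$MAXZONEAGE")" ]
}

# valid_cidr STRING: accept only a.b.c.d/n, so a comment or a corrupted line in a
# downloaded zone file can never turn into extra iptables arguments
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# geofence_apply ZONEFILE...: rebuild the GEOFENCE chain from the given zone files.
# The HQ subnet goes in first so a bad or empty zone list cannot lock you out.
geofence_apply() {
    $IPT -N GEOFENCE 2>/dev/null
    $IPT -F GEOFENCE
    $IPT -A GEOFENCE -s "$ALLOWSUBNET" -j ACCEPT
    for zone in "$@"; do
        while IFS= read -r cidr; do
            if valid_cidr "$cidr"; then
                $IPT -A GEOFENCE -s "$cidr" -j ACCEPT
            fi
        done < "$zone"
    done
    # Hook the chain into INPUT exactly once. GEOFENCE has no final rule, so traffic
    # that matches nothing returns to INPUT and is handled by the DROP policy.
    $IPT -D INPUT -j GEOFENCE 2>/dev/null
    $IPT -I INPUT 1 -j GEOFENCE
}
```

Run from cron.weekly with MAXZONEAGE=6, zone_is_stale tells you which country files to refetch before calling geofence_apply on them.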
