How to use “ipset” to block IP addresses from one country

We have previously learned how to restrict or allow a specific country using GeoIP; in this article we will look at how to block large IP ranges using the ipset module together with IPTables. ipset is a command line utility used to administer a kernel data structure called an IP set. An IP set can store IP addresses, network port numbers (TCP/UDP), MAC addresses, interface names, or combinations of these in a hash-based structure, which makes matching a packet against the set very fast, even for a set with tens of thousands of entries. It is a companion to the iptables firewall on Linux that lets us quickly and easily block a whole set of IP addresses with a single rule. Here we will see how to use the ipset module with IPTables and how to block large ranges of IP addresses on our Linux machine.

Updating our system

First of all, we need to upgrade the packages on our Linux machine so that the installed software is up to date. In order to update our system, we need root privileges, either via sudo or as the superuser. To open a root shell via sudo, we run the following command:

$ sudo -s

Once we’re in, let’s move on to updating and upgrading our system.

Debian based system

# apt update && apt upgrade

Redhat based system

# yum update

Installing IPset

Most Linux distributions, such as Ubuntu and Debian, come with ipset preinstalled. Some distributions, such as CentOS, do not, and we have to install it ourselves. We can install ipset by running the following command for the distribution you are using.

Debian based system

# apt install ipset

Redhat based system

# yum install ipset

Creating IP Sets

Now that we have installed ipset on our machine, we will move on to creating IP sets. Here we have to create an IP set that contains the network subnets we want to block or restrict. So first we need to get a list of subnets to add to the IP set. To obtain an up-to-date list of subnets, we will use one of the most popular sites, https://www.countryipblocks.net, where the subnet lists can be downloaded at https://www.countryipblocks.net/country_selection.php. Here we have selected several network subnets of China for testing purposes.

1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.1.0.0/24
1.1.2.0/23
1.10.8.0/23
1.202.0.0/15
5.10.68.240/29
5.10.70.40/30
5.10.72.16/29

These are the subnets that we will be blocking in this article, but in the real world the list will contain a huge number of subnets. We will therefore use a script (in any scripting or programming language) to turn the downloaded list into a command list like the following.

# ipset create countryblock nethash
# ipset add countryblock 1.0.1.0/24
# ipset add countryblock 1.0.2.0/23
# ipset add countryblock 1.0.8.0/21
# ipset add countryblock 1.1.0.0/24
# ipset add countryblock 1.1.2.0/23
# ipset add countryblock 1.10.8.0/23
# ipset add countryblock 1.202.0.0/15
# ipset add countryblock 5.10.68.240/29
# ipset add countryblock 5.10.70.40/30
# ipset add countryblock 5.10.72.16/29
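One way to generate that command list from a downloaded subnet file, as an added example that is not part of the original article: the set name `countryblock` comes from the article, while the input file and the `generate_ipset_commands` / `apply_countryblock` function names are assumptions. Malformed lines are skipped rather than passed to `ipset`, and `hash:net` is the current name for the article's `nethash` set type.

```shell
#!/bin/sh
# Added example: turn a subnet list (one CIDR per line) into the
# "ipset create / ipset add" command list shown above.

# Constructed sample input: a few of the article's subnets plus
# a comment, a blank line and one malformed entry.
SUBNET_FILE=$(mktemp)
cat > "$SUBNET_FILE" <<'EOF'
# subnets to block (constructed sample)
1.0.1.0/24
1.0.2.0/23

not-a-subnet
5.10.72.16/29
EOF

# generate_ipset_commands <setname> <file>
# Emits one "ipset create" line, then one "ipset add" per valid CIDR.
# "-exist" makes the commands idempotent when the list is re-applied.
generate_ipset_commands() {
    set_name="$1"; subnet_file="$2"
    echo "ipset create $set_name hash:net -exist"
    grep -Ev '^[[:space:]]*(#|$)' "$subnet_file" |
    while IFS= read -r cidr; do
        # Accept only a.b.c.d/nn so a bad download cannot inject options.
        if ! printf '%s\n' "$cidr" |
             grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
            echo "skipping malformed entry: $cidr" >&2
            continue
        fi
        echo "ipset add $set_name $cidr -exist"
    done
}

# Number of subnets that would actually be added (useful as a sanity check).
count_add_commands() {
    generate_ipset_commands "$1" "$2" | grep -c '^ipset add '
}

# apply_countryblock <file>: load the set and attach the DROP rule.
# Requires root and a working ipset/iptables; not invoked by default.
apply_countryblock() {
    generate_ipset_commands countryblock "$1" | sh
    iptables -I INPUT -m set --match-set countryblock src -j DROP
}

generate_ipset_commands countryblock "$SUBNET_FILE"
```

Run `apply_countryblock "$SUBNET_FILE"` as root to load the set and insert the rule; the `-I` places the DROP rule at the top of INPUT so it is evaluated before any accept rules already present.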

Applying the IP set

Now that our IP set is ready, we will use the set match module in IPTables to drop traffic from every entry in it.

# iptables -A INPUT -m set --match-set countryblock src -j DROP

The above command drops incoming traffic whose source address falls within any of the subnets in the set we created above, called countryblock. Thus, all IP addresses covered by the set will be blocked, and the rule stays a single line no matter how many subnets the set contains.

This way we can block whole address ranges using the ipset module in IPTables. We can create IP sets for different countries so that we can apply them as needed. This method is very effective when we need to block traffic from a specific country or region, and the same set match (with -j ACCEPT instead of -j DROP) lets us allow IP ranges as needed. There are many firewall tools and iptables modules for this, but this one is simple, fast and easy to use. If you have any questions, suggestions or feedback, please write them in the comments box below.