Firewall – Country Blocking
A firewall solution to block whole countries from attacking and spamming your website.
Below is a procedure to block one or more countries from reaching your Linux server at the firewall level using nothing beyond firewalld itself. The IP sets it creates live in the kernel, but firewalld manages them for you, so there is nothing extra to install and no hand-written iptables or nft rules to maintain.
Here we are going to protect our server and bandwidth from the usual brute-force and scanning traffic with a simple and effective country blocking technique. Going by my Apache2 access log files, some days I was receiving more than 1500 attacks per twenty-four hours. Now it is rare to receive any, just by blocking two countries. Treat this as a noise filter rather than a security control: an attacker who wants in can route through a VPN, proxy or cloud host in a country you do not block, so keep your other controls (patched services, strong authentication, rate limiting) in place.
Be careful: you will be denying ALL traffic from a blocked country, including legitimate visitors, crawlers and mail servers hosted there, and because the drop zone discards packets silently you will see nothing about it in your logs.
OK, here we go:
First, we create ipset names that are recognisable for maintenance reasons. I created two ipset names for each country, one for IPv4 and the other for IPv6 IP address ranges.
The countries I will be blocking here will be China and Russia.
Create ipset names:
Syntax explanation (see the firewall-cmd man page for the details):
1: --permanent = make the change in the permanent configuration (it takes effect after a reload)
2: --new-ipset = name of the new IP/net blacklist
3: --type = storage hash type; "hash:net" is for subnets, "hash:ip" for individual IP addresses
4: --option=family = inet for IPv4, inet6 for IPv6
5: --option=hashsize = the initial hash size of the set
6: --option=maxelem = maximum number of elements the set may hold (the country zone files are a few thousand to a few tens of thousands of lines, so 150000 leaves plenty of room)
IPv4 first, then IPv6.
Note: the only difference between the IPv4 and IPv6 commands below is --option=family=inet versus --option=family=inet6; the "-ipv6" suffix in the set name is just a naming convention.
tones:# firewall-cmd --permanent --new-ipset=China --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=150000
success
tones:# firewall-cmd --permanent --new-ipset=Russia --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=150000
success
tones:# firewall-cmd --permanent --new-ipset=China-ipv6 --type=hash:net --option=family=inet6 --option=hashsize=4096 --option=maxelem=150000
success
tones:# firewall-cmd --permanent --new-ipset=Russia-ipv6 --type=hash:net --option=family=inet6 --option=hashsize=4096 --option=maxelem=150000
success
Download the allocated country IP address blocks:
The address blocks come from the per-country zone files kindly published by ipdeny.com.
Create a directory and a sub-directory of your choosing; I will be using '/usr/ipdeny' for the IPv4 lists and '/usr/ipdeny/ipv6' for the IPv6 lists.
We download and extract the data. The URLs are plain HTTP as published; fetch them over HTTPS if your client can, because a list you feed straight into your firewall is exactly what an on-path attacker would like to tamper with (a single 0.0.0.0/0 line in the drop zone would lock everyone out), and glance at the files before loading them.
mkdir /usr/ipdeny /usr/ipdeny/ipv6
cd /usr/ipdeny
wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
tar -xvf all-zones.tar.gz
cd ipv6
wget http://www.ipdeny.com/ipv6/ipaddresses/blocks/ipv6-all-zones.tar.gz
tar -xvf ipv6-all-zones.tar.gz
If you type 'ls -CF' you will see files named XX.zone, where XX is the two-letter ISO country code. Here we will be using cn.zone (China) and ru.zone (Russia), one CIDR block per line.
Now to populate the ipsets with the chosen country IP addresses:
tones:# firewall-cmd --permanent --ipset=China --add-entries-from-file=/usr/ipdeny/cn.zone
success
tones:# firewall-cmd --permanent --ipset=Russia --add-entries-from-file=/usr/ipdeny/ru.zone
success
tones:# firewall-cmd --permanent --ipset=China-ipv6 --add-entries-from-file=/usr/ipdeny/ipv6/cn.zone
success
tones:# firewall-cmd --permanent --ipset=Russia-ipv6 --add-entries-from-file=/usr/ipdeny/ipv6/ru.zone
success
Bind the ipsets to the firewall's drop zone as sources (all four of them; forgetting the IPv6 sets leaves the front door open on IPv6):
tones:# firewall-cmd --permanent --zone=drop --add-source=ipset:China
success
tones:# firewall-cmd --permanent --zone=drop --add-source=ipset:Russia
success
tones:# firewall-cmd --permanent --zone=drop --add-source=ipset:China-ipv6
success
tones:# firewall-cmd --permanent --zone=drop --add-source=ipset:Russia-ipv6
success
and finally we reload firewalld so the permanent configuration becomes the running one (with sets of this size the reload can take a few seconds):
firewall-cmd --reload
Explanation of the above:
We created ipsets and populated them with IP addresses and net blocks, but on their own they block nothing.
To use the ipsets we add them to a zone as a "source". firewalld assigns incoming packets to a zone by source before it considers the interface they arrived on, so anything matching one of our ipsets is handled by that zone whatever interface it came in through. The "drop" zone has target DROP: packets are discarded with no reply at all (unlike a reject, the sender just sees a timeout), which is why binding the ipsets to it blocks every connection from the listed ranges.
To verify that the ipsets are bound to the drop zone (firewall-cmd --info-zone=drop shows just this zone, and firewall-cmd --ipset=China --get-entries lets you spot-check what was loaded):
tones:# firewall-cmd --list-all-zones
----- snip -----
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources: ipset:China ipset:Russia ipset:China-ipv6 ipset:Russia-ipv6
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
----------------
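The steps above are a one-off setup, but country allocations change over time and --add-entries-from-file only ever adds, so re-running the same commands after a fresh download leaves retired ranges blocked forever. The script below is an added example, not code from the original article: it refuses to load a zone file unless every line is a CIDR block of the right family (rejecting junk lines and catch-all blocks such as 0.0.0.0/0 or ::/0, which in the drop zone would cut off every client), removes the entries loaded by the previous run, adds the new ones and makes sure the set is bound to the drop zone. It assumes the /usr/ipdeny layout and the ipset names used above; the .applied copy it keeps next to each zone file, the FWCMD variable for dry runs and the /8 and /12 "too broad" thresholds are conventions of this example, not of firewalld or ipdeny.

```shell
#!/bin/sh
# Added example (not from the article): refresh firewalld country ipsets from
# freshly downloaded ipdeny zone files. Assumes the /usr/ipdeny layout and the
# ipset names China, Russia, China-ipv6, Russia-ipv6 used above.
set -eu

ZONE_DIR=${ZONE_DIR:-/usr/ipdeny}
FWCMD=${FWCMD:-firewall-cmd}   # FWCMD=echo prints the commands instead of running them

# Syntax check for one IPv4 CIDR: a.b.c.d/n with octets <= 255 and n <= 32.
is_ipv4_cidr() {
    addr=${1%/*}; pfx=${1#*/}
    [ "$addr" != "$1" ] || return 1                  # no "/" at all
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only (also keeps "set --" from globbing)
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    set -- $(printf '%s' "$addr" | tr . ' ')         # split into octets
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

# Loose syntax check for one IPv6 CIDR: hex digits and colons, prefix <= 128.
# firewalld and the kernel still parse the address properly; this only keeps junk out.
is_ipv6_cidr() {
    addr=${1%/*}; pfx=${1#*/}
    [ "$addr" != "$1" ] || return 1
    case "$addr" in ''|*[!0-9A-Fa-f:]*|*:::*) return 1 ;; esac
    case "$addr" in *:*) ;; *) return 1 ;; esac
    [ ${#addr} -le 39 ] || return 1
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 128 ]
}

# Refuse a zone file unless every non-blank line is a CIDR block of the requested
# family (inet or inet6). A truncated or tampered download must never reach the
# firewall: one 0.0.0.0/0 or ::/0 in the drop zone cuts off every client, so prefixes
# shorter than /8 (IPv4) or /12 (IPv6) are rejected too (sanity thresholds chosen
# for this example; no country zone legitimately contains blocks that large).
validate_zone_file() {
    vz_file=$1; vz_family=$2; vz_n=0; vz_entries=0
    vz_min=8; [ "$vz_family" = inet6 ] && vz_min=12
    [ -s "$vz_file" ] || { printf 'empty or missing zone file: %s\n' "$vz_file" >&2; return 1; }
    while IFS= read -r vz_line || [ -n "$vz_line" ]; do
        vz_n=$((vz_n + 1))
        [ -n "$vz_line" ] || continue
        case "$vz_family" in
            inet)  is_ipv4_cidr "$vz_line" ;;
            inet6) is_ipv6_cidr "$vz_line" ;;
            *)     printf 'unknown family: %s\n' "$vz_family" >&2; return 2 ;;
        esac || { printf '%s:%d: rejected entry: %s\n' "$vz_file" "$vz_n" "$vz_line" >&2; return 1; }
        [ "${vz_line#*/}" -ge "$vz_min" ] ||
            { printf '%s:%d: prefix too broad: %s\n' "$vz_file" "$vz_n" "$vz_line" >&2; return 1; }
        vz_entries=$((vz_entries + 1))
    done < "$vz_file"
    [ "$vz_entries" -gt 0 ]
}

# Rebuild one ipset from its zone file and make sure the drop zone uses it.
# --add-entries-from-file only adds, so the entries loaded by the previous run
# (kept in a .applied copy next to the zone file) are removed first; otherwise
# ranges that ipdeny retires would stay blocked forever.
refresh_ipset() {
    rs_name=$1; rs_family=$2; rs_file=$3
    validate_zone_file "$rs_file" "$rs_family" || return 1
    $FWCMD --permanent --info-ipset="$rs_name" >/dev/null 2>&1 ||
        $FWCMD --permanent --new-ipset="$rs_name" --type=hash:net \
            --option=family="$rs_family" --option=hashsize=4096 --option=maxelem=150000
    if [ -f "$rs_file.applied" ]; then
        $FWCMD --permanent --ipset="$rs_name" --remove-entries-from-file="$rs_file.applied"
    fi
    $FWCMD --permanent --ipset="$rs_name" --add-entries-from-file="$rs_file"
    cp "$rs_file" "$rs_file.applied"
    $FWCMD --permanent --zone=drop --query-source="ipset:$rs_name" >/dev/null 2>&1 ||
        $FWCMD --permanent --zone=drop --add-source="ipset:$rs_name"
}

main() {
    for code in cn ru; do
        case $code in cn) base=China ;; ru) base=Russia ;; esac
        refresh_ipset "$base"      inet  "$ZONE_DIR/$code.zone"
        refresh_ipset "$base-ipv6" inet6 "$ZONE_DIR/ipv6/$code.zone"
    done
    $FWCMD --reload    # permanent config becomes the running config
}

# Usage: ./refresh-country-ipsets.sh apply   (after re-downloading the zone files)
case "${1:-}" in apply) main ;; esac
```

Run it with FWCMD=echo first to see exactly which firewall-cmd invocations it would make. If the .applied copies are lost, the next run cannot compute the delta; in that case delete and recreate the affected ipsets by hand as in the article and run the script again.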
Very simple
Very effective.
Tone.