
Thread: How do I block IP traffics using iptables?

  1. #1
    Join Date
    Nov 2018
    Beans
    3

    How do I block IP traffics using iptables?

    I need to block IP traffic from a certain country. I know I can export a free IP address list from the IP2Location firewall generator. The sample output file in iptables format is below.

    What should I do next to block the list of IP addresses using iptables? I don't want to run the commands line by line.

    Code:
    # -------------------------------------------------------
    # Free IP2Location Firewall List by Country
    # Source: https://www.ip2location.com/free/visitor-blocker
    # Last Generated: 20 Nov 2018 05:20:36 GMT
    # [Important] Please update this list every month
    # -------------------------------------------------------
    iptables -A INPUT -s 217.29.232.0/21 -j DROP
    iptables -A INPUT -s 194.112.14.0/24 -j DROP
    iptables -A INPUT -s 194.112.13.128/25 -j DROP
    iptables -A INPUT -s 194.112.13.64/26 -j DROP

  2. #2
    Join Date
    Feb 2008
    Location
    Texas
    Beans
    29,807
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: How do I block IP traffics using iptables?

    Thread moved to Security for a more appropriate fit.

  3. #3
    Join Date
    Oct 2005
    Location
    Lab, Slovakia
    Beans
    10,791

    Re: How do I block IP traffics using iptables?

    Code:
    $ sudo iptables -I INPUT -s 192.168.1.2 -j DROP
    The -I stuffs the rule in front of the existing rules. It doesn't help adding it to the end of the list.

    The -s is the source address that you want to block.

    The -j drops the packet on the floor.
    Last edited by HermanAB; November 20th, 2018 at 07:30 AM.

  4. #4
    Join Date
    Nov 2018
    Beans
    3

    Re: How do I block IP traffics using iptables?

    Do I need to run it for all the lines? Can I make a shell script to load it using one line?

  5. #5
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,701

    Re: How do I block IP traffics using iptables?

    You need to run each line as a separate command.
    But you can put all the lines into a script and just run the script.

    Or, once you are happy with the commands that you have entered, and that iptables is configured as you want, you can save that configuration. The command
    Code:
    sudo iptables-save
    will output a full configuration to the screen for you to inspect or save to a file. You can have these rules automatically restored when you boot: https://askubuntu.com/questions/1193...f-the-iptables

  6. #6
    Join Date
    Oct 2005
    Location
    Lab, Slovakia
    Beans
    10,791

    Re: How do I block IP traffics using iptables?

    Note that the "-A INPUT" will add the line at the end of the list of rules, which may not work, unless there are no rules at all to begin with.

    Iptables processes rules in a 'top down' fashion, so it is best to put drop rules at the top, with "-I INPUT", so that they will execute immediately. A packet that was accepted by another rule, will not get to the end of the list.

  7. #7
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,701

    Re: How do I block IP traffics using iptables?

    Another point:
    If you have already entered iptables rules by enabling ufw then you need to decide whether to go with iptables or with ufw. Do not try to mix the automated iptables rules created by ufw (or gufw of course) with manual iptables rules. If you are using ufw then I think adding those blocking rules to the ufw rules is probably easier than converting it all to manually maintained iptables rules and stopping using ufw.

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How do I block IP traffics using iptables?

    Check out ipset if you need to load thousands of rules. https://www.linuxjournal.com/content...urations-ipset

    But for most people using the iptables-save/-restore commands would be easier.

    I'm blocking over 8500 subnets from known attackers.

    +1 on not mixing firewall management tools. Use either iptables OR use ufw. Not both.
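
The ipset approach mentioned in post #8, combined with the -I INPUT placement from post #6, as an added example that is not part of the original thread. It converts a generated list like the one in the first post into `ipset restore` input so that one iptables rule covers every range; the set name `country-block` and the function names are assumptions, and `apply_blocklist` needs root with ipset and iptables installed.

```shell
#!/bin/sh
# Added example: turn "iptables -A INPUT -s <cidr> -j DROP" lines into
# `ipset restore` input so a single iptables rule covers the whole list.
SET_NAME=country-block    # hypothetical set name (assumption)

# stdin: generated list; stdout: ipset restore commands.
# Comments, duplicates and malformed IPv4 addresses/prefixes are skipped.
list_to_ipset() {
    printf 'create %s hash:net family inet\n' "$SET_NAME"
    awk -v set="$SET_NAME" '
        function valid(a,    p, o, n, k) {
            n = split(a, p, "/")
            if (n < 1 || n > 2) return 0
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) return 0
            if (split(p[1], o, ".") != 4) return 0
            for (k = 1; k <= 4; k++)
                if (o[k] !~ /^[0-9]+$/ || o[k] + 0 > 255) return 0
            return 1
        }
        $1 == "iptables" {
            for (i = 2; i < NF; i++)
                if ($i == "-s" && valid($(i + 1)) && !seen[$(i + 1)]++)
                    print "add", set, $(i + 1)
        }'
}

# Needs root plus the ipset and iptables tools. Loads the set, then inserts
# one DROP rule at the top of INPUT (-I) unless it is already present.
apply_blocklist() {
    list_to_ipset < "$1" | ipset -exist restore &&
    { iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
      iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP; }
}

# Constructed sample: three ranges from the first post plus a duplicate
# and two malformed entries.
sample_list() {
    cat <<'EOF'
# constructed sample input
iptables -A INPUT -s 217.29.232.0/21 -j DROP
iptables -A INPUT -s 194.112.14.0/24 -j DROP
iptables -A INPUT -s 194.112.14.0/24 -j DROP
iptables -A INPUT -s 300.1.2.0/24 -j DROP
iptables -A INPUT -s 194.112.13.128/33 -j DROP
iptables -A INPUT -s 194.112.13.64/26 -j DROP
EOF
}

# With a file argument, apply it; otherwise only print the conversion.
if [ -n "${1:-}" ]; then apply_blocklist "$1"; else sample_list | list_to_ipset; fi
```

Run without arguments it only prints the converted sample; pass the path of the downloaded list to load the set and insert the rule.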

  9. #9
    Join Date
    Aug 2017
    Beans
    14

    Re: How do I block IP traffics using iptables?

    Originally posted by TheFu: "I'm blocking over 8500 subnets from known attackers."

    Interesting.
    Any location where I would get such a list?

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How do I block IP traffics using iptables?

    Set up a honeypot and script the list creation based on the attacking IPs logged.

    Locations attacking your business are unlikely to be attacking ours and many subnets that we are willing to block due to the nature of our business, you may not be willing. For example, all of Amazon EC2 is blocked.

    You might find that starting with lists available from the pi-hole project is helpful. We did not because it includes the wrong sort of things.
