Block countries based on Geo data with UFW firewall

July 30, 2023
Posted by Andre

A while ago, I wrote a post about how to block all network traffic from and to certain countries with the UFW firewall, based on recent Geo data. The statistics of this website show that it is still one of the most popular posts here. Many people found their way here through Google searches like: UFW, Geo and Block. If you happen to be one of these people, welcome! You came to the right place! Please ignore my earlier post, it is outdated. Continue reading this post, because I will show you a simpler way to block specific countries. This method is super easy, and everybody can do it. So, let's do this!

The first step is to browse to this page: https://www.ip2location.com/free/visitor-blocker, and scroll down until you see a pull-down menu where you can search for countries. From this list, select the countries you want to block, then change the output format to CIDR (see image below) and download the archive file.

[image: ufwblock-1.jpg]

Unzip the .gz file you downloaded. You will then see a text file for each country you've chosen. We are going to use a simple command to add the contents of the text files to our firewall rule list.

Open a terminal window and log in as a user with sudo rights. cd to the folder where the unzipped text files are stored, and use the command shown below. In this example I imported the block file for China (sorry China!), so obviously you will need to change the file name to whatever countries you've picked.

while read -r line; do sudo ufw deny from "$line"; done < china-firewall.txt

You will first see a couple of errors scroll by; just ignore them. Keep in mind that running the command may take some time to complete. It may even appear as if the terminal is crashing or has hung. Just leave it alone, and let it do its thing for a few moments. Once it is done importing, you are also done! How easy was that? Don't delete the downloaded files, because you may need them again in case you ever decide to remove the rules from your firewall. Use this command to remove all the rules again:

while read -r line; do sudo ufw delete deny from "$line"; done < china-firewall.txt
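The errors that scroll by come from lines in the list that are not addresses (blank lines, comments, or anything malformed), and a one-liner gives you no chance to review thousands of rules before they hit the firewall. The script below is an added example, not from the original post or from ip2location: it validates every entry as an IPv4 address or CIDR block, reports what it skips, and prints the matching ufw commands so you can check them first. The function names and the sample list are my own; in real use, point it at the country file you downloaded.

```shell
#!/bin/sh
# Added example (not from the original post): validate an ip2location CIDR
# list before feeding it to ufw, so blank, comment and malformed lines are
# reported instead of producing errors, and print the resulting ufw
# commands so they can be reviewed (or piped to sh) first.

# Accepts a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$'
}

# Usage: gen_ufw_rules <listfile> [deny|delete]
# Prints one "ufw deny from <net>" (or "ufw delete deny from <net>") line
# per valid entry; skipped lines are reported on stderr.
gen_ufw_rules() {
    file=$1; action=${2:-deny}
    case "$action" in
        deny)   prefix="ufw deny from" ;;
        delete) prefix="ufw delete deny from" ;;
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                             # drop trailing comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')  # and whitespace / CRLF
        [ -z "$line" ] && continue                   # blank line: nothing to do
        if is_ipv4_cidr "$line"; then
            printf '%s %s\n' "$prefix" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$file"
}

# Constructed sample list (the real file is the one you downloaded).
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample, not a real country list
203.0.113.0/24
198.51.100.7
999.1.1.1/8
192.0.2.0/33
not-an-address

EOF

# Review the rules; when they look right, apply with:  gen_ufw_rules list.txt | sudo sh
gen_ufw_rules "$SAMPLE_LIST"
```

Entries without a /prefix are single host addresses; ufw accepts them as-is, so they are not a mistake in the list.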

Giving credit where credit is due: many thanks to Jason for sharing this on his GitHub.

Was this post useful for you? Do you have any thoughts, remarks, or critique? Do you want to thank me before you leave? Want to tell me what I did wrong? Feeling angry? Want to call me bad names for whatever reason? Want to let me know how handsome you find me? Or that you are secretly in love with me, but too to say anything? It doesn't matter what reason you have, please feel free to leave a comment.

EDIT 11-10-2023: The first comment on this post is one you should read. Poddmo has created scripts, published on GitHub, that make it easier to add IP block lists to UFW using IP sets. Check it out here: https://github.com/poddmo/ufw-blocklist. Many thanks to Poddmo!


22 comments on “Block countries based on Geo data with UFW firewall”

      1. I thank you; however, once it downloads, where is the file? I have looked high and low for it and can't find it.

  1. For a very strange reason I keep getting two sites and answering/asking questions. I look at his site and can't find the download an initial ip blocklist from IPsum.

          1. Why can't I get into your site? Did I get blocked? If I offended you, I'm sorry, but I'm new to this stuff and I'm trying to learn from the best. Please let me back in and I will not ask you any more questions and things. Thank you.

          2. I'm really sorry about that. It has nothing to do with you. I've been doing some fiddling around with the SSL config on the server, and that resulted in all the websites going down. When this happened, I had to go to a meeting, and wasn't able to fix it until I got home. So the site was offline for almost a day.

  2. I found a mistake in your code using your new method above. Let me explain. I downloaded the USA file from https://www.ip2location.com/free/visitor-blocker. I started to run the script you have posted. Just for haha's, I asked the computer to sudo ufw status. It showed me the IP addresses being added. But strange, as I looked at the addresses, some have the subnet /XX and a few don't have it.

      1. I think a few days ago you and I had so many replies going back and forth that we got caught up in the wording. For that I'm sorry. The bottom line is I'm happy to hear that you're not pissed off at me for anything. I will try and keep my questions down to two a day if I have one, but at the same time I would like to keep you abreast of my process/progress. So I did a lot of searching for a few days and will, instead of blocking the world, why not just allow those from the states in. Gosh, I think the USA firewall is just as big as China. I'm looking for a site that has all the IP addresses around me, know of one? Have a good one.

          1. Yes, as I found it as well. This is the list I used using your 2nd method of writing to the iptables, and if you stop the writing about 30 mins into it with sudo ufw status you'll see that some IP addresses have (I guess you would call it the subnet "/##") and some don't. Then maybe about Friday night, I should have everything done (I hope). If you don't mind (and I do have copies made so don't worry about it), I would like for you and your hacker friends, with my permission, to try and get inside my website. The only thing I'm asking for in return is to help me block it on Monday.

          2. Hahaha, me and my hacker friends?? Who said I even have any friends? Haha I don't know any real hackers, so I'm afraid I won't be able to help you out with that. You can do some testing yourself. Connect to a VPN server somewhere outside the US, and attack yourself from that connection. That's all I can come up with right now.

          3. LOL, figured I would give you something to do: got to find a VPN first, live in Germany (actually here in the states), and attack myself. Wouldn't know the first thing about it. You sound like me; at age 68 I figured I would have a ton of friends, got married and now no friends to really speak of. Let me know what you found out about what I mentioned first to ya, will you?
            Get some sleep now, good nite (LOL)
            Dan
