

Block a country using iptables - ChankeyPathak
http://www.linuxstall.com/block-country-iptables/

======
andrewcooke
I live in a country that probably doesn't bring you much profit. Please don't
block me just because of where I live.

~~~
pors
The OP says: "traffic coming from some countries which give no profit"

But he means something else: "### Block all traffic from AFGHANISTAN (af) and
CHINA (CN). Use ISO code ###"

------
cturner
In the past I've wanted to mass-block third world countries from my email
server to reduce spam. After seeing the way libertarians in the third world
cling to internet access, I'm more reluctant to create barriers.

~~~
mhurron
On my home network I block a lot of former USSR countries, China and Turkey.
It cuts down on a lot of things from spam to bots to javascript on compromised
sites. I like it as a first defense at home. I don't know that I would be so
heavy handed at a place I work, but it would probably depend on the type of
business.

Of course I use pf on OpenBSD so my rules are a lot cleaner.

------
RKearney
I recently had to block every single APNIC /8 using iptables. Ideal solution?
No, but the amount of DDoS traffic and brute force intrusion attempts went to
virtually nothing. It also upsets me that with the sheer amount of malicious
activity coming from APNIC-assigned IPs, ARIN decided to give APNIC the last
two /8s.

~~~
foobarbazetc
So you blocked... Australia?

Really?

------
maratd
There is a far easier and more effective solution. Iptables has the capacity
to do port specific blocking. You're only interested in safe-guarding port 22
(SSH). So restrict that port to IP addresses from which you will be connecting
to it. I have a static IP, so that's easy. But if you have a dynamic IP, you
can make that work too through DDNS or by being less restrictive and sticking
to the ip block assigned to your ISP.

If you need to handle brute force and hacking attempts over port 80, well, put
your password-protected stuff in a different directory. Script kiddies always
look in the same places =)

------
ichilton
Is there any performance impact of having so many rules?

------
cleverjake
I have a script that blocks all APNIC traffic in iptables on my personal
computers. I have seen a 99.98% reduction in hacking attempts after
implementing it.

~~~
cturner
Those crazy Australians.

------
imoo
You can't rely on ipdeny.com in production. A quick check shows that, e.g.,
Israel's netblocks 128.139.0.0 and 192.117.80.0 aren't listed there.

~~~
pagekalisedown
Alternate sources:

<http://blacklist.linuxadmin.org/>
<http://www.okean.com/thegoods.html>
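imoo's point above is that a downloaded country zone file can silently miss netblocks, so it is worth checking coverage before the list becomes DROP rules. The following is an added example (not from the thread or from ipdeny.com): it parses an ipdeny-style zone file (one CIDR per line), reports which expected prefixes are not covered, and renders the iptables rules. The zone contents are constructed, and the /16 and /22 prefix lengths attached to the two addresses from the thread are assumptions.

```python
"""Check that a country zone list (ipdeny-style, one CIDR per line) covers the
netblocks you expect before turning it into iptables DROP rules.
Added example; the zone contents below are constructed, not real ipdeny data."""
import ipaddress

# Constructed sample zone file in ipdeny's format (one CIDR per line; blank
# lines and '#' comments tolerated). It deliberately omits 128.139.0.0/16.
SAMPLE_ZONE = """\
# constructed sample zone
192.117.80.0/20
212.179.0.0/16
"""

# Netblocks you independently know belong to the country (e.g. from whois).
# The two addresses are the ones mentioned in the thread; the prefix lengths
# are assumptions made for this example.
EXPECTED = ["128.139.0.0/16", "192.117.80.0/22"]


def parse_zone(text):
    """Parse zone text into ip_network objects, skipping comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def uncovered(zone_nets, expected):
    """Return the expected prefixes that no single zone entry fully contains."""
    missing = []
    for prefix in expected:
        net = ipaddress.ip_network(prefix, strict=False)
        same_family = [z for z in zone_nets if z.version == net.version]
        if not any(net.subnet_of(z) for z in same_family):
            missing.append(prefix)
    return missing


def iptables_rules(zone_nets, chain="INPUT"):
    """Render one DROP rule per zone entry; review the list before running it."""
    return [f"iptables -A {chain} -s {n.with_prefixlen} -j DROP" for n in zone_nets]


if __name__ == "__main__":
    nets = parse_zone(SAMPLE_ZONE)
    for prefix in uncovered(nets, EXPECTED):
        print(f"WARNING: {prefix} is not covered by the zone file")
    print("\n".join(iptables_rules(nets)))
```

For a real list of thousands of prefixes, loading the same entries into an ipset and matching with a single `-m set` rule is the usual way to avoid the per-rule overhead ichilton asks about.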

