http://www.control-alt-del.org/blog/2015/02/13/geo-blocking-with-iptables-slash-ipset/
[geo-blocking]# cat refresh-geoblock.sh
#!/bin/bash
COUNTRYLIST="bh br cn in it kh kr pe pk ru sg tw"
GEOBLOCKBASEDIR="/etc/geo-blocking"
if [ ! -d $GEOBLOCKBASEDIR ]; then
mkdir $GEOBLOCKBASEDIR
fi
cd $GEOBLOCKBASEDIR
for i in $COUNTRYLIST; do
echo ----- creating ipset for country_$i
# ipset destroy country_$i # it can not do this while iptables is running.
ipset flush country_$i # flush it instead
ipset -N country_$i hash:net
wget -q -N http://www.ipdeny.com/ipblocks/data/countries/$i.zone
for k in `cat $i.zone`; do
ipset -A country_$i $k
done
# if you want to save it
# rm -f /etc/sysconfig/ipset-geoblock_$i
# ipset save country_$i >/etc/sysconfig/ipset-geoblock_$i
done
# Reload iptables
if [ -e /etc/sysconfig/iptables ]; then
iptables-restore < /etc/sysconfig/iptables
fi
And then the matching rules in iptables:
[geo-blocking]# cat setup-iptables.sh
#!/bin/bash
COUNTRYLIST="bh br cn in it kh kr pe pk ru sg tw"
# Save the current iptables just in case
iptables-save > /etc/sysconfig/iptables.bk.`date +%s%3N`
# Flush any current rules in memory
echo Flushing current iptables rules
iptables -F
# Loop through the countries
for i in $COUNTRYLIST; do
echo ----- creating iptables rules for country_$i
iptables -A INPUT -m set --match-set country_$i src -j LOG --log-prefix "iptables: DROP domain=$i: " --log-level 6
iptables -A INPUT -m set --match-set country_$i src -j DROP
done
# Save iptables
iptables-save > /etc/sysconfig/iptables
For the rest of the setup see this blog entry:
http://jackal.livejournal.com/2195719.html
