Block Geo-Region List of IPs with ufw in Linux

By | 2013/08/30

Say, for instance, you wish to block IP ranges by region, such as blocking China. This is easy to do with one spiffy website and ufw on Ubuntu or other Linux distros. I’ll show you how!


1. First, get a list of the IP address ranges of the region you wish to block. One website that provides this is:

http://www.ip2location.com/free/visitor-blocker

Select iptables, China (or whichever country), CIDR format, and Download.


The downloaded list will look something like the following: one range per line, in CIDR format. Save it as, say, cdir-china.txt. I would also recommend testing this list in a non-production environment first! These lists are generally accurate, but be very careful and use them with caution.

...
223.0.0.0/12
223.20.0.0/15
223.27.184.0/22
223.64.0.0/10
223.128.0.0/15
223.144.0.0/12
223.160.0.0/14
223.166.0.0/15
223.192.0.0/15
223.198.0.0/15
223.201.0.0/15
223.203.0.0/16
223.208.0.0/13
223.220.0.0/15
223.223.176.0/19
223.240.0.0/13
223.248.0.0/14
223.254.0.0/16
223.255.0.0/17
... 

2. Next, carefully run the following command to block all ranges in that list:

$ while read -r line; do sudo ufw insert 1 deny from "$line" to any; done < cdir-china.txt

For a large list (say, the China list) this may take several minutes to run, since every range is a separate ufw invocation.

3. When complete, you can then run the following to verify the rules are in place:

$ sudo ufw status

To remove or revert these rules later, keep that list of IPs! Then run a command like the following to delete the rules:

$ while read -r line; do sudo ufw delete deny from "$line"; done < cdir-china.txt
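The same procedure (step 2 and the removal command) as one script, added here as an example and not part of the original post: it skips blank and comment lines, strips Windows line endings, and refuses any line that is not a plain IPv4 CIDR range, so nothing else from a downloaded file is ever passed to a sudo command. The UFW_CMD variable is an assumption of this example; it defaults to "sudo ufw", and setting UFW_CMD=echo gives a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original post. Applies or removes ufw deny
# rules for every range in a CIDR list file.
# UFW_CMD is an assumed override: defaults to "sudo ufw"; UFW_CMD=echo = dry run.
: "${UFW_CMD:=sudo ufw}"

# valid_cidr RANGE: accept only a dotted-quad IPv4 address with a /0-32 prefix.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    vc_ip=${1%%/*}; vc_prefix=${1#*/}
    case "$vc_prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$vc_prefix" -le 32 ] || return 1
    vc_ifs=$IFS; IFS=.; set -- $vc_ip; IFS=$vc_ifs
    [ $# -eq 4 ] || return 1
    for vc_octet; do
        case "$vc_octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$vc_octet" -le 255 ] || return 1
    done
    return 0
}

# apply_list FILE MODE: MODE is "insert" or "delete". Walks FILE, skips blank
# and "#" comment lines, strips a trailing CR, reports malformed lines on
# stderr, and runs one ufw command per valid range. "insert" places each
# rule at position 1 so it lands ahead of any allow rules (see step 2).
apply_list() {
    al_cr=$(printf '\r')
    while IFS= read -r al_line || [ -n "$al_line" ]; do
        al_line=${al_line%"$al_cr"}
        case "$al_line" in ''|'#'*) continue ;; esac
        if ! valid_cidr "$al_line"; then
            printf 'skipping malformed line: %s\n' "$al_line" >&2
            continue
        fi
        if [ "$2" = insert ]; then
            $UFW_CMD insert 1 deny from "$al_line" to any
        else
            $UFW_CMD delete deny from "$al_line" to any
        fi
    done < "$1"
}

# Usage: apply_list cdir-china.txt insert    (later: apply_list cdir-china.txt delete)
```

Run it once with UFW_CMD=echo to review the exact rules before touching the firewall; note that ufw rejects `insert 1` while the rule list is still empty, so add one ordinary rule first on a fresh install.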

11 thoughts on “Block Geo-Region List of IPs with ufw in Linux”

  1. Normand

    Thank you, very good article. However the right command after step #2 above is:

    while read line; do sudo ufw deny from $line; done < file.txt

    (I added the word "from" after deny, else you get an "Invalid port" error message from ufw)

  2. Ben

    Your script for number 2 does not correctly work on current UFW installs. Instead use

    while read line; do ufw deny from $line to any; done < cdir-china.txt

    To get an idea of how long it will take

    time while read line; do ufw deny from $line to any; done < cdir-china.txt

  3. Matt

    Thanks for the short article however I have one modification to the while read. You want to insert deny rules like this at the top of the firewall config otherwise your allow rules will allow them to come through still. Below is the modification to insert the new rule in line 1 which will automatically push your other rules down a line.

    $ while read line; do sudo ufw insert 1 deny from $line to any; done < cdir-china.txt

    1. Richard

      Wish I had seen Matt’s comment before doing this. Removal takes a lot longer to start over. Thanks Matt for the insert level, your point is spot on.

      1. Scott Miller Post author

        Post updated. Thank you @Matt,

      2. Matt

        Btw, for quicker removal you can use vi or any other text editor. The file is saved to /lib/ufw/user.rules for IPv4 or /lib/ufw/user6.rules for IPv6. If you're using vi or vim, you can simply go to the beginning of the rules you want to delete and then type the number of lines to be deleted followed by dd. For example, to delete 500 lines it would be 500dd. When you're done, write the file out, and then a ufw reload will apply your changes.

  4. abashjinn

    This is just the best post I have ever seen for ufw “quick” deny rules setup. Now my desktop & server feels more safe while waiting on DD-WRT for TP-LINK to add another brick to the …firewall (yea, I know, right…) Their default firmware is just dumb in terms of adding custom rules.

  5. Gad

    Hi,
    Excellent post, thank you.
    I do however have a question: what about performance? I mean, the IP list for, say, Russia is quite lengthy. What about the latency created by ufw filtering all IPs before allowing a packet in? I’m running a website on a virtual machine with 2 virtual cores and I wonder if this solution is workable in that context.
    Cheers
    Gad
