
Resolved
0 votes
Does anyone know how to block access from a country?
Our firewall gets beat on by the

Ukraine
Russia
China
Korea

and we have no dealings with anybody from these countries. Is there a way to block all IP addresses originating in China, Ukraine, Russia, Korea etc. as well?


Thank You
Lalatendu
Tuesday, December 31 2019, 12:25 PM
Responses (10)
  • Accepted Answer

    Tuesday, December 31 2019, 08:54 PM - #Permalink
    Resolved
    0 votes
    Try this thread. I post a much simpler script later on in the thread.
  • Accepted Answer

    Friday, January 03 2020, 03:49 AM - #Permalink
    Resolved
    0 votes
    Hi Nick!

    Just a follow-up as I (tried to) use that script in ClearOS 6, even though I am not certain it ever worked... Thought I would add it to my ClearOS 7 boxes. Anyway, that thread is full of stuff that has led me off the path and confused me a bit and might confuse others as well. Especially the naming of the files needed.

    To summarize, we still need the three (3) scripts, each in the directory locations noted in Marcel's posts. The main script, (which you updated and made simpler), should be made executable. What should the main script be named? Will 'blockcountry.sh' be okay?

    In the scripts you block "non-RIPE countries" meaning the RIPE countries are allowed. I need some RIPE countries blocked. What change needs to be done to ensure that whatever country specified in the ISO= line are blocked? Including RIPE addresses?

    What should we name the other two (2) scripts that are needed? Do they need the .sh extension?

    I've learned a lot from that thread but I am not sure now that it ever worked for me in ClearOS 6!

    Thanks Nick!

    John
  • Accepted Answer

    Friday, January 03 2020, 09:32 AM - #Permalink
    Resolved
    0 votes
    The main script is here. It does not reference RIPE. That was only for my own notes as I am most likely to only travel in Europe. Choose your countries as you want. All this script does is make an ipset list of country IPs. It can then be used as a block list or an allow list.

    Otherwise use the elements from Marcel's post here, but you should craft your own firewall rules. Remember to make /rc.d/rc.local executable.

    Note the scripts all check if ipset is loaded. As belt and braces I also have a file /etc/sysconfig/modules/ip_set.modules with "modprobe ip_set" in it.
  • Accepted Answer

    Friday, January 03 2020, 11:50 PM - #Permalink
    Resolved
    0 votes
    Nick,

    In trying to make things very easy for anyone, especially me, I think I have things consolidated and sorted out, having reread the entire original thread a few times and adding in the new/current main script. Please let me know if this is what it should be.

    Do we need the dollar sign ($) in front of iptables ($IPTABLES) for ClearOS 7? I recall an issue there but it might have just been in the GUI.
    --------------------------------------
    STEP A
    1). First, install ipset at the CLI by doing a: "yum install ipset --enablerepo=clearos-core".
    * (IPSET 7.1 was already installed in ClearOS 7).
    2). The following code goes into a file you create and name "country_list.sh", and it goes into "/etc/cron.monthly".
    3). Make this file executable with: chmod 755 /etc/cron.monthly/country_list.sh.
    4). Add the two (2) letter country codes for the countries you wish to block in ISO="codes go here".

    #!/bin/bash

    # A list of the ISO country codes can be found at http://en.wikipedia.org/wiki/ISO_3166-1
    # Countries are case insensitive for this script.
    # With the "! --match-set" rules in STEP B this is the list of countries whose
    # traffic is allowed; drop the "!" in those rules to make it a list of blocked countries.

    ISO="at be ch cy cz de dk es fr gb gr ie it lu mt nl pt eu va sm mc je gg im"

    # Load the ipset kernel module if it is not already present
    if ! lsmod | grep -q ip_set; then
        modprobe ip_set
    fi

    # Destroy country-list-temp in case it exists and is populated
    ipset destroy -q country-list-temp

    # Make sure the new lists exist
    ipset create country-list nethash maxelem 524288 -exist
    ipset create country-list-temp nethash maxelem 524288 -exist

    # Load the country list (comment lines in the feed are skipped).
    # Note: if the download fails, the temp list stays empty and the swap below
    # puts an empty country-list into service.
    curl -s -d country=1 --data-urlencode "country_list=$ISO" -d format_template=prefix https://ip.ludost.net/cgi/process | grep -v '^#' | while read -r line
    do
        ipset add -exist country-list-temp "$line"
    done

    # Make the temp list current
    ipset swap country-list country-list-temp

    # Destroy the (now old) temp list
    ipset destroy -q country-list-temp

    # Create save list for loading on boot ("-exist" so a restore never fails on a set that is already there)
    ipset save country-list > /usr/src/ipset_country-list.save
    sed -i 's/^create /create -exist /' /usr/src/ipset_country-list.save
    sed -i 's/^add /add -exist /' /usr/src/ipset_country-list.save

    logger -t country-list "Updated"

    STEP B
    1). The following code is added into a file you will create and name: "/etc/clearos/firewall.d/20-ipset-blocks".
    2). In the lines that end in DROP, add the ports you wish to block, i.e. --dports 80,25,443,587,993 etc.
    3). If you want to drop only TCP or only UDP ports, comment out or remove the appropriate line.

    # IPv4 only for now
    #------------------

    if [ "$FW_PROTO" != "ipv4" ]; then
        return 0
    fi

    if ! lsmod | grep -q ip_set; then
        modprobe ip_set
    fi

    # Block country addresses (exempt permitted countries): "! --match-set" drops new
    # connections from any source NOT in country-list, so the set acts as an allow list.
    #
    # note the > /dev/null 2>&1 is needed for some odd reason
    ipset create country-list nethash -exist > /dev/null 2>&1
    $IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p tcp -m multiport --dports 587,993,1194 -j DROP
    $IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p udp -m multiport --dports 1194,1195 -j DROP

    STEP C
    1). The following code is added into an existing file: "/etc/rc.d/rc.local"

    # Load in all previously saved ipset sets
    if ! lsmod | grep -q ip_set; then
        modprobe ip_set
    fi

    ipset restore < /usr/src/ipset_country-list.save

    STEP D
    1). To start it up for the first time, from the CLI (root prompt) type in "/etc/cron.monthly/country_list.sh".
    2). Restart the firewall by:
    ...a). at the root CLI entering "service firewall restart", or
    ...b). rebooting your Clear box.
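An added example (not code from this thread or from ClearOS) for the cron script in STEP A: the weak spot of the script is that a failed or empty download still gets swapped into service, which with the "!" allow-list rules blocks everything and with plain block-list rules blocks nothing. This version validates each downloaded prefix and refuses the swap unless a sane number of prefixes was loaded. The set names and feed URL are the thread's; MIN_PREFIXES, SAMPLE_FEED and the function names are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: validate the downloaded prefix feed and refuse
# to "ipset swap" unless enough well-formed prefixes were loaded, so a failed download
# never replaces a populated country-list with an empty one. Set names and feed URL
# follow the thread; MIN_PREFIXES, SAMPLE_FEED and function names are assumptions.
MIN_PREFIXES=1000   # assumed sanity floor; any real country has far more prefixes

# Constructed sample feed: a comment, a blank line, three valid IPv4 CIDRs, two bad entries
SAMPLE_FEED='# constructed sample
192.0.2.0/24
198.51.100.0/25

not-an-address
203.0.113.0/33
10.0.0.0/8'
# valid_prefix a.b.c.d/n -> returns 0 only if every octet is 0-255 and the mask is 0-32
valid_prefix() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    [ "${1#*/}" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- ${1%/*}; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}
# filter_prefixes: raw feed on stdin -> valid prefixes on stdout (comments, blanks, junk dropped)
filter_prefixes() {
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        valid_prefix "$line" && printf '%s\n' "$line"
    done
}
# count_prefixes: raw feed on stdin -> number of valid prefixes
count_prefixes() {
    filter_prefixes | wc -l | tr -d ' '
}
# refresh_country_list "ua ru cn kr": download, guard, fill the temp set, swap. Runs ipset,
# so call it as root from the cron script; it is deliberately not called at top level here.
refresh_country_list() {
    feed=$(curl -s -d country=1 --data-urlencode "country_list=$1" -d format_template=prefix https://ip.ludost.net/cgi/process)
    n=$(printf '%s\n' "$feed" | count_prefixes)
    if [ "$n" -lt "$MIN_PREFIXES" ]; then
        logger -t country-list "refusing swap: only $n valid prefixes downloaded"; return 1
    fi
    ipset create country-list nethash maxelem 524288 -exist
    ipset destroy -q country-list-temp
    ipset create country-list-temp nethash maxelem 524288 -exist
    printf '%s\n' "$feed" | filter_prefixes | while read -r p; do ipset add -exist country-list-temp "$p"; done
    ipset swap country-list country-list-temp && ipset destroy -q country-list-temp
    logger -t country-list "updated with $n prefixes"
}
```

The save/restore part of the cron script is unchanged; only the swap is gated, so after a bad download the previous list (and its saved copy) stay in force until the next run.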
  • Accepted Answer

    Saturday, January 04 2020, 09:14 AM - #Permalink
    Resolved
    0 votes
    The firewall rules look a bit dodgy and should be updated a bit to use $IPTABLES and not iptables. Also note the extra bit at the beginning. Mine are:
    # IPv4 only for now
    #------------------

    if [ "$FW_PROTO" != "ipv4" ]; then
        return 0
    fi

    if ! lsmod | grep -q ip_set; then
        modprobe ip_set
    fi

    # Block country addresses (exempt permitted countries): "! --match-set" drops new
    # connections from any source NOT in country-list, so the set acts as an allow list.
    #
    # note the > /dev/null 2>&1 is needed for some odd reason
    ipset create country-list nethash -exist > /dev/null 2>&1
    $IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p tcp -m multiport --dports 587,993,1194 -j DROP
    $IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p udp -m multiport --dports 1194,1195 -j DROP
    I am using a different state match which may perform a little better. I also don't use the "-i" parameter as it is not needed, but it does make the rules more specific.

    Note your firewall rule is only blocking TCP ports. As a general idea if you don't have a port open there is no need to block it, but, if you wanted, you could block everything but TCP with:
    $IPTABLES -I INPUT -i eth0 -m set --match-set country-list src ! -p tcp -m state --state NEW -j COUNTRY_BLOCK


    There is a step E. Restart the firewall. You can check the block rule exists with an:
    iptables -nvL INPUT


    Ipset will already be installed if you have the Attack Detector or IDS/IPS installed, and it looks like it is part of the default installation these days.
  • Accepted Answer

    Saturday, January 04 2020, 06:20 PM - #Permalink
    Resolved
    0 votes
    Hi Nick!

    I completely forgot about TCP and UDP and somehow imagined a complete port block without specifying either protocol never seeing tcp in the block rule! Old and still learning even after using this and commenting on it years ago! (Love this stuff... still)!

    And thanks for reminding me to restart the firewall... again forgot about that bit!

    You ARE amazing when it comes to this stuff! Thank-you!

    I will add the bits you provided to my code post to make it a fairly complete and easy country block setup.

    Thanks again!

    John
  • Accepted Answer

    Tuesday, February 11 2020, 11:16 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    The firewall rules look a bit dodgy and should be updated a bit to use $IPTABLES and not iptables. Also note the extra bit at the beginning. Mine are:
    # IPv4 only for now
    #------------------

    if [ "$FW_PROTO" != "ipv4" ]; then
        return 0
    fi

    if ! lsmod | grep -q ip_set; then
        modprobe ip_set
    fi

    # Block country addresses (exempt permitted countries): "! --match-set" drops new
    # connections from any source NOT in country-list, so the set acts as an allow list.
    #
    # note the > /dev/null 2>&1 is needed for some odd reason
    ipset create country-list nethash -exist > /dev/null 2>&1
    $IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p tcp -m multiport --dports 587,993,1194 -j DROP
    $IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p udp -m multiport --dports 1194,1195 -j DROP
    I am using a different state match which may perform a little better. I also don't use the "-i" parameter as it is not needed, but it does make the rules more specific.

    Note your firewall rule is only blocking TCP ports. As a general idea if you don't have a port open there is no need to block it, but, if you wanted, you could block everything but TCP with:
    $IPTABLES -I INPUT -i eth0 -m set --match-set country-list src ! -p tcp -m state --state NEW -j COUNTRY_BLOCK


    There is a step E. Restart the firewall. You can check the block rule exists with an:
    iptables -nvL INPUT


    Ipset will already be installed if you have the Attack Detector or IDS/IPS installed, and it looks like it is part of the default installation these days.


    Dumb question:
    How do I choose which countries to block/allow?
  • Accepted Answer

    Tuesday, February 11 2020, 12:11 PM - #Permalink
    Resolved
    0 votes
    It is in the script a few posts earlier. You've only picked out the firewall part of the solution. The full solution is also in the HowTo here.
  • Accepted Answer

    Tuesday, February 11 2020, 02:57 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    It is in the script a few posts earlier. You've only picked out the firewall part of the solution. The full solution is also in the HowTo here.



    I want to block only from a specific list of countries.
    So can I replace
    $IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p tcp -m multiport --dports 587,993,1194 -m state --state NEW -j DROP

    with
    $IPTABLES -I INPUT -m conntrack --ctstate NEW -m set --match-set country-list src -p tcp -m multiport --dports 587,993,1194 -m state --state NEW -j DROP

    I'm gonna try it and post back.
  • Accepted Answer

    Tuesday, February 11 2020, 06:37 PM - #Permalink
    Resolved
    0 votes
    Yes, that would work, but check which ports and protocols you want to block.