Building a better world with people, process, & technology

Targeted IP Blocking – Align Web Services to Your Target Markets

Every morning I review a report on internet traffic coming through my servers. I am usually checking to ensure Google is indexing my sites properly, identifying potential prospects from web hits, verifying the spam and anti-virus filters are doing their jobs, and reviewing any new attack vectors that might compromise my perimeter security. The last brought an interesting point to the fore.

Much, if not all, of the undesired traffic to my open internet servers originated from Korea and China, and it accounted for a large percentage of my traffic overall. A closer look at the traffic profile made it obvious that eliminating traffic from these countries would reduce overall bandwidth requirements and improve the general serviceability of the public-facing network. Since we have no intention of pursuing business in China or Korea, this strategy on the surface focuses network resources on the needs of our current and target client base.

Achieving this was relatively simple, but there were some challenges. We needed to ensure that legitimate clients travelling abroad still had access to critical services, and we could not block responses from those countries, because certain software update sites are hosted in those geographies. We adopted a script initially created by Vivek Gite and posted on his blog, which blocks traffic by country using iptables on Linux, and modified it to provide the capabilities above. We also profiled and tuned the initial script for better run-time performance and reduced the load it places on the service provider hosting the list of IP-to-country mappings.

The end result of implementing this strategy is generally more reliable network performance and a large reduction in network-based attacks on our infrastructure. Because the cost of verifying that security has held up grows linearly with the number of attacks against the network, the lower attack level has reduced that verification overhead as well. We implemented the firewall as a hierarchical tree of chains, with an optional configuration that uses ipsets when they are detected as supported on the target system.
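As an added illustration (my own example code, not the country_block script from this post or Vivek Gite's original), the shell below generates an iptables-restore ruleset with the three properties described above: a small tree of chains hanging off INPUT, established and related replies passed through so that update sites hosted in a blocked country still answer, and an allow list so travelling clients are never locked out, with ipset matches emitted when the ipset binary is found. The country zones, the allow-list address and the chain names are constructed assumptions; the real per-country zone files come from the provider the script downloads from.

```shell
#!/bin/sh
# Added example, not the country_block script from the post. Generates an
# iptables-restore ruleset that drops unsolicited inbound traffic from a set
# of country CIDRs while (a) letting replies to connections this host opened
# through, so update mirrors in a blocked country still answer, and
# (b) exempting specific source addresses so travelling staff keep access.
# Emits ipset matches when the ipset binary exists, else one leaf chain per country.

# Constructed sample zones standing in for the downloaded per-country lists.
# These are RFC 5737 documentation ranges, not real country allocations.
CN_ZONE="192.0.2.0/24
198.51.100.0/25"
KR_ZONE="203.0.113.0/24"

# Hypothetical allow list: a travelling client whose address falls inside a
# blocked range (198.51.100.7 lies within 198.51.100.0/25 above).
ALLOW_LIST="198.51.100.7"

# Returns 0 when the ipset binary is available on this host.
have_ipset() {
    command -v ipset >/dev/null 2>&1
}

# Prints 'ipset restore' lines for one country: $1 = country code, $2 = CIDRs.
ipset_for_country() {
    cc="$1"; zone="$2"
    printf '%s\n' "create cb-$cc hash:net -exist"
    printf '%s\n' "$zone" | while read -r net; do
        if [ -n "$net" ]; then printf '%s\n' "add cb-$cc $net -exist"; fi
    done
}

# Prints an iptables-restore ruleset. $1 = "ipset" or "plain"; $2.. = CC:CIDRs pairs.
build_ruleset() {
    mode="$1"; shift
    printf '%s\n' '*filter' ':COUNTRY_BLOCK - [0:0]'
    if [ "$mode" != ipset ]; then
        for pair in "$@"; do printf '%s\n' ":CB_${pair%%:*} - [0:0]"; done
    fi
    # Tree: INPUT -> COUNTRY_BLOCK -> per-country leaf chain (or one ipset match).
    printf '%s\n' '-A INPUT -j COUNTRY_BLOCK'
    # Replies to flows this host opened return to INPUT untouched, whatever
    # country they come from; only unsolicited inbound traffic is evaluated.
    printf '%s\n' '-A COUNTRY_BLOCK -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN'
    # Allow-listed clients leave the block chain before any country match.
    for ip in $ALLOW_LIST; do
        printf '%s\n' "-A COUNTRY_BLOCK -s $ip -j RETURN"
    done
    for pair in "$@"; do
        cc="${pair%%:*}"; zone="${pair#*:}"
        if [ "$mode" = ipset ]; then
            # One hash lookup per country; cost does not grow with the zone size.
            printf '%s\n' "-A COUNTRY_BLOCK -m set --match-set cb-$cc src -j DROP"
        else
            # Linear leaf chain: fine for small zones, slow for tens of thousands of nets.
            printf '%s\n' "-A COUNTRY_BLOCK -j CB_$cc"
            printf '%s\n' "$zone" | while read -r net; do
                if [ -n "$net" ]; then printf '%s\n' "-A CB_$cc -s $net -j DROP"; fi
            done
        fi
    done
    printf '%s\n' 'COMMIT'
}

# Stand-alone use: choose the mode from the host and print the artefacts.
main() {
    if have_ipset; then
        ipset_for_country CN "$CN_ZONE"
        ipset_for_country KR "$KR_ZONE"
        build_ruleset ipset "CN:$CN_ZONE" "KR:$KR_ZONE"
    else
        build_ruleset plain "CN:$CN_ZONE" "KR:$KR_ZONE"
    fi
}

main "$@"
```

The script only prints; applying it is a separate, privileged step: feed the `create`/`add` lines to `ipset restore` first, then the ruleset to `iptables-restore --noflush` so that existing INPUT rules are kept. Rule order is what makes the two exemptions work: the conntrack RETURN and the allow-list RETURNs sit above every country match in COUNTRY_BLOCK, so a travelling client inside a blocked range and a reply from an update mirror both leave the chain before any DROP is reached.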

You can download our enhanced version of the script from SourceForge, or read the running commentary at Vivek Gite’s blog for additional information and alternative implementations of the script.


  1. August 13, 2013    

    Very good work, thank you very much for the country_block script. I am using it to drop Russia; it seems that I am assaulted from Russia with any kind of spam, hack, DoS, and so on... No more Mother Russia on my server :)
    Thank you very much!

  2. Simon
    September 1, 2014    

    Is your link broken?

    • September 2, 2014    

      Thanks Simon – we had restructured our corporate pages and had not updated the link in this post – the link is now updated.

  3. November 5, 2014    

    Thanks David, very useful.

  4. GHN
    April 6, 2015    

    Can you please give me a step-by-step method describing how to implement this on my edge ClearOS box? I would very much like to block unnecessary / unwanted traffic from countries I have no desire to communicate with. Thank you for your efforts creating this improved script; I have been looking for something like this for a very long time.

    I’m not great with iptables but would like to learn more; this script seems like a great drop-in solution for dropping packets from unwanted country IPs.

    I would like to know how to back up the original iptables, in case I need to revert,
    and how to implement this step by step to block many countries.

    What can you tell me about the resource load required, as some others have mentioned in the Vivek post?

    What are your thoughts on IP sets?


    • April 6, 2015    

      I had implemented this initially as just a SysV init script but have made it work with systemd as well. I created a project on sourceforge today to hold the source files and an rpm for each of SysV and systemd initializations. If you install one of those RPMs it ‘should’ allow you to configure this by making simple changes in the /etc/sysconfig/iptables-cb-config file. I’ll be verifying the clean install today on our AWS instance.

  5. Vanessa
    October 14, 2015    

    Hi David

    Thanks for creating this.

    I’m on a VPS using Ubuntu 14.04 LTS. Could you provide a step-by-step beginners guide on how to install and activate your scripts?

    I unzipped the file on my VPS. But what do I do next? I read the README and it says to apply config settings in /etc/sysconfig/iptables-cb. So do I need to create this folder and copy one of the unzipped files there? There are 6 files, and I’m not sure which one does what or what to do next.

    • October 14, 2015    

      Vanessa – we don’t run on Ubuntu, but if 14.04 is still a SysV init, you would likely perform the following steps:

      1. Copy iptables.cb and iptables-cb-config to /etc/sysconfig – edit the configuration per the README
      2. Copy ipset.init and iptables-cb.init to the /etc/rc.d/init.d directory. Note that I would rename the files to not have the .init extension if copying to those directories.
      3. Enable the ipset and iptables-cb services (the renamed / copied files in the /etc/rc.d/init.d directory) through whatever mechanism Ubuntu uses to enable services

      The first time the service is run, it should populate the cache of IPs by country from the online sources. The RPM files install the prerequisites, but if you are installing manually on Ubuntu you will need to install those yourself (wget, egrep, iptables, and optionally ipset)

      • Vanessa
        October 17, 2015    


        Thanks for replying with the detailed “How To”. Perhaps, it can be included in the README of a future version.

        Unfortunately, I was unable to get this installed. Ubuntu (checked 12.04 and 14.04) doesn’t have an /etc/sysconfig folder.

        Any ideas? In my /etc/network/interfaces file I import my iptable rules via: pre-up iptables-restore < /etc/path_to/my_iptables.rules.

        Wondering if I can do the same thing with your iptables.cb and iptables-cb-config files? For example: pre-up iptables-restore < /etc/path_to/iptables-cb-config

        I suppose I would also need to modify "iptables-cb.init" so it can know the new path?

        • October 17, 2015    

          You are free to modify the script however you wish – if you can identify the ‘Ubuntu’ way of implementing and configuring system services, just reply to this thread so others can benefit. I tried to keep the structure of the script such that it could be customized for different distributions by changing a few environment settings at the top.

          Frankly, if you’re not familiar with system administration actions at a command line level in your environment, the easiest thing to do is likely just create the /etc/sysconfig folder and follow the previous instructions.
