Building a better world with people, process, & technology

Targeted IP Blocking – Align Web Services to Your Target Markets

Every morning I review a report on internet traffic coming through my servers. I am usually checking to ensure Google is indexing my sites properly, identifying potential prospects from web hits, verifying the spam and anti-virus filters are doing their jobs, and reviewing any new attack vectors that might compromise my perimeter security. The last brought an interesting point to the fore.

Much, if not all, of the undesired traffic to my open internet servers originated from Korea and China, and it accounted for quite a large percentage of my traffic overall. Looking more closely at the profile, it became obvious that dropping traffic from these countries would reduce overall bandwidth requirements and improve the general serviceability of the public-facing network. Since we have no intention of pursuing business in China or Korea, this strategy lets the network resources serve our current and target client base rather than traffic we will never want.

Achieving this was relatively simple; however, there were two challenges. First, legitimate clients travelling abroad still needed access to critical services. Second, we could not block responses from those countries, because certain software update sites are hosted there. We adopted a script originally written by Vivek Gite and posted on his blog, which blocks traffic by country using iptables on Linux, and modified it to meet both requirements. We also tuned the original script for better run-time performance and reduced the load placed on the service provider hosting the list of country-to-IP mappings.

The end result of this strategy is generally more reliable network performance and a large reduction in network-based attacks on our infrastructure. Fewer attacks also mean less effort spent verifying that our defences held up against each one, since that cost grows linearly with the number of attacks against the network. We implemented the firewall rules as a hierarchical tree of chains and added an optional configuration that uses ipsets when the target system supports them.
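To make the three design points above concrete, here is an added example (not the post's own script and not Vivek Gite's) of a small rule builder in that shape: an accept for replies to connections the server itself opened, an allow list for travelling staff, then one chain per blocked country hung off a parent chain, using ipset when it is available and falling back to one iptables rule per CIDR otherwise. The zone list, allow-listed address and country codes are constructed sample values (RFC 5737 documentation ranges, not real national allocations); the chain names `COUNTRY_BLOCK` and `CB_xx` are this example's own. By default it only prints the iptables and ipset commands so they can be reviewed before being applied with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example of a country-block rule builder; not the project's script.
# DRY_RUN=1 (default) prints each iptables/ipset command instead of running it.
DRY_RUN="${DRY_RUN:-1}"
# USE_IPSET: 1 = always use ipset, 0 = per-CIDR iptables rules, auto = detect the binary.
USE_IPSET="${USE_IPSET:-auto}"

# Constructed zone list in "cc cidr" form. A real deployment downloads the
# provider's per-country list once, caches it, and reads it from disk.
SAMPLE_ZONES='cn 192.0.2.0/24
cn 198.51.100.0/25
kr 203.0.113.0/24'

# Constructed allow list: sources that must stay reachable despite the block,
# e.g. staff travelling in a blocked country. This one sits inside the kr range.
ALLOW_SRC='203.0.113.50'

# Countries to block, lower-case ISO codes separated by spaces (constructed).
BLOCK_COUNTRIES='cn kr'

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

use_ipset() {
  case "$USE_IPSET" in
    1) return 0 ;;
    0) return 1 ;;
    *) command -v ipset >/dev/null 2>&1 ;;
  esac
}

# Print the CIDRs for country $1 from the zone list on stdin.
cidrs_for() {
  awk -v c="$1" '$1 == c { print $2 }'
}

# One chain per country, hung off COUNTRY_BLOCK. Keeping each country in its own
# chain means one country can be added or removed without rebuilding the rest.
build_country_chain() {
  cc="$1"
  chain="CB_$(echo "$cc" | tr 'a-z' 'A-Z')"
  run iptables -N "$chain"
  if use_ipset; then
    # One hash lookup per packet instead of a linear walk through every CIDR.
    run ipset create "$chain" hash:net -exist
    echo "$SAMPLE_ZONES" | cidrs_for "$cc" | while read -r net; do
      run ipset add "$chain" "$net" -exist
    done
    run iptables -A "$chain" -m set --match-set "$chain" src -j DROP
  else
    echo "$SAMPLE_ZONES" | cidrs_for "$cc" | while read -r net; do
      run iptables -A "$chain" -s "$net" -j DROP
    done
  fi
  run iptables -A COUNTRY_BLOCK -j "$chain"
}

gen_rules() {
  run iptables -N COUNTRY_BLOCK
  # Replies to connections this host opened (e.g. a software update site hosted
  # in a blocked country) are accepted before any country chain is consulted.
  run iptables -A COUNTRY_BLOCK -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Travelling staff: explicit allow list, also ahead of every per-country DROP.
  for src in $ALLOW_SRC; do
    run iptables -A COUNTRY_BLOCK -s "$src" -j ACCEPT
  done
  for cc in $BLOCK_COUNTRIES; do
    build_country_chain "$cc"
  done
  # Hook the tree in at the top of INPUT.
  run iptables -I INPUT 1 -j COUNTRY_BLOCK
}

gen_rules
```

Rule order inside `COUNTRY_BLOCK` is the whole point: the conntrack accept and the allow list come first, so a reply from a blocked range or a travelling user inside one is accepted before the per-country chains ever see the packet. Before applying for real, save the current rule set with `iptables-save > backup.rules` so that `iptables-restore < backup.rules` can revert it.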

You can download our enhanced version of the script from SourceForge, or read the running commentary at Vivek Gite’s blog for additional information and alternative implementations of the script.


  1. August 13, 2013    

    Very good work, thank you very much for the country_block script. I am using it to drop Russia; it seems that I am assaulted from Russia with all kinds of spam, hacks, DoS, and so on… No more Mother Russia on my server :)
    Thank you very much!

  2. Simon
    September 1, 2014    

    Is your link broken?

    • September 2, 2014    

      Thanks Simon – we had restructured our corporate pages and had not updated the link in this post – the link is now updated.

  3. November 5, 2014    

    Thanks David, very useful.

  4. GHN
    April 6, 2015    

    Can you please give me a step-by-step method describing how to implement this on my edge ClearOS box? I would very much like to block unnecessary/unwanted traffic from countries I have no desire to communicate with. Thank you for your efforts creating this improved script; I have been looking for something like this for a very long time.

    I’m not great with iptables but would like to learn more. This script seems like a great drop-in solution for dropping packets from unwanted country IPs.

    I would like to know how to back up the original iptables, in case I need to revert, and how to implement this step by step to block many countries.

    What can you tell me about the resource load required, as some others have mentioned in the Vivek post?

    What are your thoughts on IP sets?


    • April 6, 2015    

      I had implemented this initially as just a SysV init script but have made it work with systemd as well. I created a project on sourceforge today to hold the source files and an rpm for each of SysV and systemd initializations. If you install one of those RPMs it ‘should’ allow you to configure this by making simple changes in the /etc/sysconfig/iptables-cb-config file. I’ll be verifying the clean install today on our AWS instance.
