(iptables) how to drop all incoming traffic except a few ip-ranges (default drop; allow only one country)

Question

my goal is to drop with iptables more or less every request from non-german countries.

the best solution that is working in 2022 is this five year old script.

(Source: https://www.cyberciti.biz/faq/block-entier-country-using-iptables/)

with the help of this script-template and some iptables tutorials I'm able to allow (more or less accurate) only German IP-Ranges.

This is my modified script: (it's not optimized yet, but should block every non-german IP-Requests)

ISO="de"
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT
$IPT -F
$IPT -N $SPAMLIST
for c  in $ISO
do 
    tDB=$ZONEROOT/$c.zone
    $WGET -O $tDB $DLROOT/$c.zone
    BADIPS=$(egrep -v "^#|^$" $tDB)
    for ipblock in $BADIPS
    do
       $IPT -A $SPAMLIST ! -s $ipblock -j DROP
    done
done
exit 0

but if I let the script run, it creates the rule and then I want to make the default rule "incoming traffic" to drop, he locks me instantly out.

I know, IP tables is processing the rules from top to button, but now I'm not sure how to handle it in the script.

Or do I don't need to make the default incoming chain/rule to block everything, because I already blocked everything except German IP Adresses? Or should I put the default drop on top of the script? this is how I'd edit the default incoming rule:

iptables --policy INPUT DROP

... but it feels kinda bad, if I let the default incoming rule untouched .. what do you think?

in the end I'd like to:

block everything by default
- except German IP Adresses
- and open about ~5 ports (only for German IP-Adresses)

If I could handle this in only one script, that's always running on boot, I'd be really happy! :-)

P.S: I'm sure, I'm not the only one who is looking for a up2date solution for this task, it would be awesome if some people could help to find a solution for this case :-)

Doug Smythies · Answer 1 · 2022-06-04T15:37:52.283

There are multiple issues with your script. This answer uses your basic structure, however it is recommended that you use ipset for your allow list instead (in future I might add a ipset method to this answer). Modified script:

#!/bin/bash
ISO="de"
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
ALLOWLIST="countryaccept"
ZONEROOT="/home/doug/iptables/misc/ask1412134/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
UNIVERSE="0.0.0.0/0"
The network interface card is set for my test computer. Change to users NIC name.

NIC=br0
echo ask1412134 begin.
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT
set default policy to ACCEPT while we build the list

$IPT -P INPUT ACCEPT
flush all rules

$IPT -F
$IPT -N $ALLOWLIST
build the list

for c  in $ISO
do
    tDB=$ZONEROOT/$c.zone
    $WGET -O $tDB $DLROOT/$c.zone
    GOODIPS=$(egrep -v "^#|^$" $tDB)
    for ippermit in $GOODIPS
    do
       $IPT -A $ALLOWLIST -s $ippermit -j ACCEPT
    done
done
add the usual INPUT ACCEPT rules

loopback interfaces are valid.

$IPT -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
Allow any related traffic coming back to the server in.

$IPT -A INPUT -i $NIC -m state --state ESTABLISHED,RELATED -j ACCEPT
All other traffic needs to be verified as being from Germany

$IPT -A INPUT -i $NIC -j $ALLOWLIST
SPECIAL: For my test computer:
Allow new SSH connections from my desktop
The end user will remove this.

$IPT -A INPUT -i $NIC -s 192.168.111.122 -d 192.168.111.136 -p tcp --dport 22 -j ACCEPT
For unknown reasons the INPUT chain policy packet counter is not incrementing,
even though it seems to be working fine. Specifically add a log-n-drop rule pair here.

$IPT -A INPUT -j LOG --log-prefix "IBLOCK:" --log-level info
$IPT -A INPUT -j DROP
Now we are ready for DROP default policy

$IPT -P INPUT DROP
echo ask1412134 done.

Example use:

doug@s19:~/iptables/misc/ask1412134$ sudo iptables -xvnL | head -20
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2      100 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     154     9024 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     208    42712 countryaccept  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     tcp  --  br0    *       192.168.111.122      192.168.111.136      tcp dpt:22
     208    42712 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "IBLOCK:"
     208    42712 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain countryaccept (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       192.69.234.0/24      0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       198.176.223.0/24     0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       198.176.224.0/22     0.0.0.0/0

and, where I had a ping going from an unauthorized computer:

doug@s19:~/iptables/misc/ask1412134$ grep IBLOCK /var/log/syslog
Jun  4 08:20:11 s19 kernel: [686010.878096] IBLOCK:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:b8:27:eb:f7:ec:c9:08:00 SRC=192.168.111.133 DST=192.168.111.136 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39198 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1056
Jun  4 08:20:12 s19 kernel: [686011.918074] IBLOCK:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:b8:27:eb:f7:ec:c9:08:00 SRC=192.168.111.133 DST=192.168.111.136 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39211 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1057
Jun  4 08:20:13 s19 kernel: [686012.709961] IBLOCK:IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:84:ea:ed:46:57:cc:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
Jun  4 08:20:13 s19 kernel: [686012.958083] IBLOCK:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:b8:27:eb:f7:ec:c9:08:00 SRC=192.168.111.133 DST=192.168.111.136 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1058
Jun  4 08:20:14 s19 kernel: [686013.998108] IBLOCK:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:b8:27:eb:f7:ec:c9:08:00 SRC=192.168.111.133 DST=192.168.111.136 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39269 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1059
Jun  4 08:20:15 s19 kernel: [686015.038138] IBLOCK:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:b8:27:eb:f7:ec:c9:08:00 SRC=192.168.111.133 DST=192.168.111.136 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39345 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1060

(iptables) how to drop all incoming traffic except a few ip-ranges (default drop; allow only one country)

1 Answers1

The network interface card is set for my test computer. Change to users NIC name.

set default policy to ACCEPT while we build the list

flush all rules

build the list

add the usual INPUT ACCEPT rules

loopback interfaces are valid.

Allow any related traffic coming back to the server in.

All other traffic needs to be verified as being from Germany

SPECIAL: For my test computer:

Allow new SSH connections from my desktop

The end user will remove this.

For unknown reasons the INPUT chain policy packet counter is not incrementing,

even though it seems to be working fine. Specifically add a log-n-drop rule pair here.

Now we are ready for DROP default policy