How to block all IPs from a specific country

https://gemini.google.com/share/ef5ee9c9b31a

Yes, you can use ufw (Uncomplicated Firewall) to block IP addresses from China, but adding thousands of individual ranges as separate ufw rules is slow and resource-intensive: every incoming packet is compared against every rule in turn. The efficient approach is ipset, a kernel facility for hash-based sets of addresses and networks, combined with a single iptables rule that matches against the set. ufw's own command line cannot reference an ipset, so that one rule goes into ufw's rule file (/etc/ufw/before.rules), which ufw loads together with everything else.

This combined approach keeps ufw for everything you manage day to day while using ipset's lookup performance for the large block list.

Keep in mind what this does and does not buy you. Country-level blocking drops traffic whose source address is registered to a Chinese network; it does nothing against attackers using VPNs, proxies or cloud hosts elsewhere, and GeoIP lists are never perfectly accurate. Treat it as noise reduction, not as an access control boundary.

Here is a step-by-step guide to block China's IP ranges with ufw and ipset.

Step 1: Install ipset

First, you need to install ipset. This package is available in the default repositories of Debian/Ubuntu.

Bash

sudo apt-get update
sudo apt-get install ipset

Step 2: Create a Script to Manage the IP List

You'll need a script to download the list of Chinese IP address ranges and load them into an ipset set. A popular source for these lists is ipdeny.com. Two details matter in the script. It must not destroy and recreate the set: once a firewall rule references the set, ipset refuses to destroy it, and even if it could, the host would be unprotected while the list reloads. Instead the script fills a temporary set and swaps it into place atomically. It also saves a copy of the set to disk so the set can be recreated at boot, before ufw loads the rule that references it.

  1. Create a script file. For example, you can create a file named block-china.sh in /usr/local/bin/.
    Bash

    sudo nano /usr/local/bin/block-china.sh
    
  2. Add the following code to the script:
    Bash

    #!/bin/bash
    # Download the China IPv4 ranges from ipdeny.com and load them into the
    # "china" ipset. The new list is built in a temporary set and then swapped
    # into the live set atomically, so the firewall rule that references the
    # live set keeps working throughout the refresh.
    set -euo pipefail
    
    # --- Configuration ---
    # The name for our ipset
    IPSET_NAME="china"
    # The URL to the China IP list from ipdeny.com, fetched over HTTPS so the
    # list cannot be altered in transit
    IP_LIST_URL="https://www.ipdeny.com/ipblocks/data/countries/cn.zone"
    # Saved copy of the set, restored by /etc/ufw/before.init at boot
    SAVE_FILE="/etc/ufw/${IPSET_NAME}.ipset"
    # --- End Configuration ---
    
    if [ "$(id -u)" -ne 0 ]; then
        echo "This script must run as root (use sudo)." >&2
        exit 1
    fi
    
    TEMP_FILE="$(mktemp)"
    trap 'rm -f "$TEMP_FILE"' EXIT
    
    # Download the latest IP list. wget creates the output file even when the
    # download fails, so check wget's exit status rather than the file's existence.
    echo "Downloading IP list from ${IP_LIST_URL}..."
    if ! wget -q -O "$TEMP_FILE" "$IP_LIST_URL"; then
        echo "Failed to download IP list. Keeping the existing set." >&2
        exit 1
    fi
    
    # Keep only lines that look like IPv4 CIDRs and refuse an empty result, so a
    # truncated or garbled download never replaces a working block list.
    COUNT=$(grep -cE '^[0-9]+(\.[0-9]+){3}/[0-9]+$' "$TEMP_FILE" || true)
    if [ "$COUNT" -eq 0 ]; then
        echo "Downloaded list contains no IPv4 ranges. Keeping the existing set." >&2
        exit 1
    fi
    
    # The live set must exist before the ufw rule can reference it, so create it
    # (empty) on the first run. The new contents are built in a temporary set.
    ipset -t list "${IPSET_NAME}" >/dev/null 2>&1 \
        || ipset create "${IPSET_NAME}" hash:net family inet maxelem 131072
    ipset destroy "${IPSET_NAME}_new" 2>/dev/null || true
    ipset create "${IPSET_NAME}_new" hash:net family inet maxelem 131072
    
    # Load all ranges with a single 'ipset restore' instead of one process per line
    echo "Adding ${COUNT} IP ranges to '${IPSET_NAME}'..."
    grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$' "$TEMP_FILE" \
        | sed "s/^/add ${IPSET_NAME}_new /" \
        | ipset -exist restore
    
    # Atomically exchange the contents of the two sets, then drop the old data.
    # There is no moment at which the live set is empty.
    ipset swap "${IPSET_NAME}_new" "${IPSET_NAME}"
    ipset destroy "${IPSET_NAME}_new"
    
    # Save the populated set so it can be restored before ufw starts at boot
    ipset save "${IPSET_NAME}" > "$SAVE_FILE"
    
    echo "IP set '${IPSET_NAME}' updated with ${COUNT} ranges."
    
  3. Make the script executable:
    Bash

    sudo chmod +x /usr/local/bin/block-china.sh
    

Step 3: Run the Script and Verify ipset

Execute the script to create and populate the ipset set.

Bash

sudo /usr/local/bin/block-china.sh

You can verify that the ipset set was created correctly by running:

Bash

sudo ipset list china | head

You should see output similar to this, showing the set name and some of the IP ranges:

Name: china
Type: hash:net
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 86968
References: 0
Members:
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
...

Step 4: Add the ufw Rule

Now hook the set into ufw. This is the key step that makes the blocking efficient: one rule, one hash lookup per packet. ufw's own command line has no syntax for matching against an ipset, so the rule is written in iptables syntax in /etc/ufw/before.rules, a file ufw loads together with its other rules. Everything in that file goes into the ufw-before-input chain, which is evaluated before any rule added with ufw allow, so the deny takes precedence over your allow rules without any ordering tricks.

Open the file:

Bash

sudo nano /etc/ufw/before.rules

and add the following line inside the *filter section, just above the line that reads COMMIT:

Code snippet

# drop any packet whose source address is in the "china" ipset
-A ufw-before-input -m set --match-set china src -j DROP
  • -A ufw-before-input: appends the rule to ufw's "before" input chain, which runs ahead of the user rules that ufw status shows.
  • -m set --match-set china src: matches packets whose source address (src) is a member of the china set. The lookup is a hash operation, whatever the size of the set.
  • -j DROP: silently drops the packet.

One caveat: ufw-before-input begins with a rule that accepts packets belonging to already-established connections, so a connection that was open before the list was loaded keeps working until it closes. New connections from listed ranges are dropped.

ufw loads before.rules early at boot, and the load fails (ufw reports an error) if the set the rule references does not exist yet. ufw runs /etc/ufw/before.init, if that file is executable, before loading its rules, which makes it the right place to recreate the set from the copy the script saves. Create or edit the hook so it contains:

Bash

sudo nano /etc/ufw/before.init

Code snippet

#!/bin/sh
# ufw calls this hook before loading its rules. Make sure the "china"
# ipset exists, otherwise the match-set rule in before.rules cannot load.
set -e
SET_NAME="china"
SAVE_FILE="/etc/ufw/${SET_NAME}.ipset"
case "$1" in
start)
    if ! ipset -t list "$SET_NAME" >/dev/null 2>&1; then
        if [ -s "$SAVE_FILE" ]; then
            # Restore the last list saved by block-china.sh
            ipset restore < "$SAVE_FILE"
        else
            # No saved copy yet: create an empty set so the rule can load
            ipset create "$SET_NAME" hash:net family inet maxelem 131072
        fi
    fi
    ;;
stop|status|flush-all)
    ;;
*)
    echo "'$1' not supported"
    echo "Usage: before.init {start|stop|flush-all|status}"
    ;;
esac

Make the hook executable, then reload ufw so the new rule is applied (use sudo ufw enable instead if ufw is not active yet):

Bash

sudo chmod 750 /etc/ufw/before.init
sudo ufw reload

Step 5: Verify the ufw Rules

ufw status only lists rules added through the ufw command, so the new rule does not appear there. Check the iptables chain that before.rules populates instead:

Bash

sudo iptables -S ufw-before-input | grep match-set

The output should show the rule referencing the china set:

-A ufw-before-input -m set --match-set china src -j DROP

You can also confirm that a specific address is covered; the command reports whether the address is a member of the set, and 1.0.1.1 falls inside the first range shown in the ipset output above:

Bash

sudo ipset test china 1.0.1.1

Finally, sudo ipset list china | head should now report References: 1, which means the firewall rule is using the set.

Step 6: Automate the Process

IP address ranges change over time. To keep your block list up to date, you should automate the script to run periodically. The best tool for this is cron.

  1. Open the crontab editor:
    Bash

    sudo crontab -e
    
  2. Add a line to run the script daily. This will update your ipset set with the latest IP ranges.
    Code snippet

    # Run the script to update the Chinese IP list every day at 3:00 AM
    0 3 * * * /usr/local/bin/block-china.sh
    

    This line will run the script at 3:00 AM every day. Because the script builds the new set separately and swaps it in, and exits without touching the live set when the download fails, a refresh never leaves a window with no block list.

Note that the zone file, the set (family inet) and the iptables rule all cover IPv4 only. If the host also has a public IPv6 address, repeat the setup with a second set of type hash:net family inet6 and the equivalent rule in /etc/ufw/before6.rules; ipdeny.com publishes separate IPv6 zone files.
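The script above only checks that the download contains some CIDR-looking lines. A stricter pre-flight gate, run before the ipset swap, guards against the failure modes that matter when you take a block list from a third party: a truncated file, a tampered or mis-served list that contains a catch-all range such as 0.0.0.0/0, and a range that happens to cover the address you administer the host from. The following is an added example written for this post, not code from the original article or from ipdeny; the function names, the minimum-entry threshold and the sample lists are all constructed here.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a
# downloaded country zone file, meant to run before 'ipset swap'. A
# truncated, tampered or mis-served list must not replace a working block
# list, and it must never cover the address you administer the host from.
# Function names and the sample data below are this example's own.

# Print an IPv4 dotted quad as a 32-bit integer; exit status 1 if malformed.
ip4_to_int() {
    local old_ifs o
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 if IPv4 address $1 lies inside CIDR $2, 1 if not, 2 if malformed.
ip4_in_cidr() {
    local ipn netn prefix mask
    ipn=$(ip4_to_int "$1") || return 2
    netn=$(ip4_to_int "${2%/*}") || return 2
    prefix=${2#*/}
    case $prefix in ''|*[!0-9]*) return 2 ;; esac
    [ "$prefix" -le 32 ] || return 2
    # A shift by 32 is undefined in C-style arithmetic, so handle /0 explicitly.
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# check_zone FILE MIN_RANGES ADMIN_IP
# Prints one verdict line; exit status 0 only if FILE is safe to load:
#   every non-empty line is a well-formed IPv4 CIDR,
#   no range is broader than /8 (a stray 0.0.0.0/0 would blackhole everything),
#   at least MIN_RANGES entries are present (rejects a truncated download),
#   ADMIN_IP is not covered by any range (never lock yourself out).
check_zone() {
    local file min admin line prefix count
    file=$1; min=$2; admin=$3; count=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        prefix=${line#*/}
        case $prefix in ''|*[!0-9]*) prefix=-1 ;; esac
        if ! ip4_to_int "${line%/*}" >/dev/null || [ "$prefix" -lt 0 ] || [ "$prefix" -gt 32 ]; then
            echo "reject: malformed entry '$line'"; return 1
        fi
        if [ "$prefix" -lt 8 ]; then
            echo "reject: overly broad range '$line'"; return 1
        fi
        if ip4_in_cidr "$admin" "$line"; then
            echo "reject: admin address $admin is inside '$line'"; return 1
        fi
        count=$((count + 1))
    done < "$file"
    if [ "$count" -lt "$min" ]; then
        echo "reject: only $count ranges (expected at least $min)"; return 1
    fi
    echo "ok: $count ranges"
}

# Constructed sample lists (not real ipdeny data) so the gate can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
printf '1.0.1.0/24\n1.0.2.0/23\n1.0.8.0/21\n' > "$SAMPLE_DIR/good.zone"
printf '1.0.1.0/24\n0.0.0.0/0\n' > "$SAMPLE_DIR/broad.zone"
printf '1.0.1.0/24\n256.1.1.0/24\n' > "$SAMPLE_DIR/malformed.zone"
printf '1.0.1.0/24\n203.0.113.0/24\n' > "$SAMPLE_DIR/lockout.zone"

# In block-china.sh this would run before the swap, with ADMIN_IP and the
# threshold of 1000 entries being assumptions for that deployment:
#   check_zone "$TEMP_FILE" 1000 "$ADMIN_IP" || exit 1
check_zone "$SAMPLE_DIR/good.zone" 3 203.0.113.9
```

The threshold is the important knob: cn.zone has thousands of entries, so a download with only a handful of ranges is almost certainly truncated, and refusing it keeps yesterday's list in force rather than silently shrinking the block list. The admin-address check is cheap insurance against a list that, through error or intent, includes the network you connect from.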

By following these steps, you will have an efficient, maintainable way to drop traffic from Chinese IP ranges at the firewall level using ufw and ipset: one rule, a single set lookup per packet, and a list that refreshes itself without ever leaving the set empty.
