How to block all IPs from a specific country
https://gemini.google.com/share/ef5ee9c9b31a
Yes, you can use `ufw` (Uncomplicated Firewall) to block IP addresses from China. However, directly adding thousands of individual IP ranges to `ufw` is not the most efficient method and can be quite slow and resource-intensive. A better approach is to use `ipset`, a tool designed to manage large sets of IP addresses, and then create a single `ufw` rule that references that set.

This combined approach gives you the ease of `ufw`'s syntax while leveraging `ipset`'s performance for handling a massive number of IP addresses.

Here is a step-by-step guide to block China's IPs with `ufw` and `ipset`.
Step 1: Install ipset

First, you need to install `ipset`. This package is available in the default repositories of Debian/Ubuntu.

```bash
sudo apt-get update
sudo apt-get install ipset
```
Step 2: Create a Script to Manage the IP List

You'll need a script to download the list of Chinese IP address ranges and add them to an `ipset` set. A popular source for these lists is ipdeny.com.

- Create a script file. For example, you can create a file named `block-china.sh` in `/usr/local/bin/`.

```bash
sudo nano /usr/local/bin/block-china.sh
```

- Add the following code to the script:

```bash
#!/bin/bash
# --- Configuration ---
# The name for our ipset
IPSET_NAME="china"
# The URL to the China IP list from ipdeny.com
IP_LIST_URL="http://www.ipdeny.com/ipblocks/data/countries/cn.zone"
# Temporary file to store the downloaded list
TEMP_FILE="/tmp/${IPSET_NAME}.zone"
# --- End Configuration ---

# Abort on any failed command, unset variable or failed pipeline stage
set -euo pipefail

# Download the latest IP list before touching the live set, so a failed
# download leaves the existing block list in place. wget exits non-zero
# on failure, and an empty file is treated as a failure too.
echo "Downloading IP list from ${IP_LIST_URL}..."
if ! wget -q -O "$TEMP_FILE" "$IP_LIST_URL" || [ ! -s "$TEMP_FILE" ]; then
    echo "Failed to download IP list. Exiting."
    rm -f "$TEMP_FILE"
    exit 1
fi

# Create the live set if it does not exist yet (-exist makes this a no-op
# when it already does). A set that is referenced by a firewall rule cannot
# be destroyed, so the live set is never destroyed here, only swapped.
echo "Creating ipset '${IPSET_NAME}' if missing..."
sudo ipset create -exist "${IPSET_NAME}" hash:net

# Build the new contents in a scratch set of the same type
sudo ipset create -exist "${IPSET_NAME}_new" hash:net
sudo ipset flush "${IPSET_NAME}_new"

# Add each IP range from the list to the scratch set
# (-r keeps the line literal; blank and comment lines are skipped)
echo "Adding IP ranges to '${IPSET_NAME}_new'..."
while read -r ip; do
    case "$ip" in ''|\#*) continue ;; esac
    sudo ipset add -exist "${IPSET_NAME}_new" "$ip"
done < "$TEMP_FILE"

# Atomically replace the live set's contents and discard the scratch set
sudo ipset swap "${IPSET_NAME}_new" "${IPSET_NAME}"
sudo ipset destroy "${IPSET_NAME}_new"

# Clean up the temporary file
rm -f "$TEMP_FILE"
echo "IP set '${IPSET_NAME}' created and populated successfully."
```

- Make the script executable:

```bash
sudo chmod +x /usr/local/bin/block-china.sh
```
Step 3: Run the Script and Verify ipset

Execute the script to create and populate the `ipset` set.

```bash
sudo /usr/local/bin/block-china.sh
```

You can verify that the `ipset` set was created correctly by running:

```bash
sudo ipset list | head
```

You should see output similar to this, showing the set name and some of the IP ranges:

```
Name: china
Type: hash:net
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 86968
References: 0
Members:
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
...
```
Step 4: Add the ufw Rule

Now, you can create a single `ufw` rule that references the `ipset` set you just created. This is the key step that makes the blocking efficient.

```bash
sudo ufw insert 1 deny from "ipset:china"
```

- `sudo ufw insert 1`: This command inserts the rule at the top of the list (`1`), which is important because `ufw` processes rules in order. You want to deny this traffic before any other `allow` rules are processed.
- `deny`: This action tells `ufw` to drop the traffic.
- `from "ipset:china"`: This is the crucial part. It tells `ufw` to apply this rule to any IP address that is a member of the `china` `ipset` set.
Step 5: Verify the ufw Rules

You can check the status of your `ufw` rules to ensure the new rule is in place.

```bash
sudo ufw status
```

The output should show a `deny` rule at the top, referencing the `china` `ipset` set:

```
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     ipset:china
... other rules ...
```
Step 6: Automate the Process

IP address ranges change over time. To keep your block list up to date, you should automate the script to run periodically. The best tool for this is `cron`.

- Open the crontab editor:

```bash
sudo crontab -e
```

- Add a line to run the script daily. This will update your `ipset` set with the latest IP ranges.

```
# Run the script to update the Chinese IP list every day at 3:00 AM
0 3 * * * /usr/local/bin/block-china.sh
```

This line will run the script at 3:00 AM every day.

By following these steps, you will have a robust and efficient way to block Chinese IP addresses at the firewall level using `ufw` and `ipset`. This method is highly recommended for its performance and maintainability.
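As an added example that is not part of the Gemini answer above, the following Python script complements the Step 2 script: it validates a downloaded ipdeny `.zone` list before anything is loaded into the kernel and emits a single `ipset restore` batch instead of one `ipset add` per line. Validating first means a truncated, corrupted or tampered download (a bare host, an IPv6 range, a garbage line) is reported rather than silently aborting the load halfway, and collapsing duplicate or overlapping ranges keeps the set small. The set name `china`, the `hash:net` type and the one-CIDR-per-line file format come from the page; the function names, the `_new` scratch-set suffix and the sample zone content are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Validate an ipdeny .zone list and turn it into an `ipset restore` batch.

Added example, not the page's or the ipset project's own code. Usage:

    python3 zone2ipset.py cn.zone | sudo ipset restore

With no argument it runs on the constructed SAMPLE_ZONE below.
"""
import ipaddress
import sys
from typing import List, Tuple

# Constructed sample input standing in for a downloaded cn.zone: valid
# ranges, an exact duplicate, a range already covered by a larger one,
# a blank line, a comment, a bare host address, an IPv6 range and junk.
SAMPLE_ZONE = """\
1.0.1.0/24
1.0.2.0/23
1.0.2.0/23
1.0.8.0/21
1.0.8.0/24

# comment line
203.0.113.5
2001:db8::/32
not-an-ip
"""


def parse_zone(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Return (accepted networks, rejected lines).

    Only syntactically valid IPv4 networks with an explicit prefix are
    accepted (a hash:net set with family inet holds IPv4 only, and a country
    zone file should never contain bare hosts). Duplicates and overlaps are
    collapsed so the resulting set is as small as possible.
    """
    nets: List[ipaddress.IPv4Network] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        if net.version != 4 or "/" not in line:
            rejected.append(line)
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected


def restore_batch(nets: List[ipaddress.IPv4Network], set_name: str = "china") -> str:
    """Build the text that `ipset restore` reads from stdin.

    The ranges are loaded into a scratch set and then swapped into the live
    set, so a set that a firewall rule already references (and which
    therefore cannot be destroyed) is replaced atomically.
    """
    tmp = f"{set_name}_new"  # scratch-set naming is this example's choice
    maxelem = max(65536, len(nets))  # never below ipset's default capacity
    lines = [
        f"create {set_name} hash:net family inet maxelem {maxelem} -exist",
        f"create {tmp} hash:net family inet maxelem {maxelem} -exist",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {net.with_prefixlen}" for net in nets]
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    accepted, bad = parse_zone(text)
    for item in bad:
        print(f"rejected line: {item!r}", file=sys.stderr)
    if not accepted:
        sys.exit("no valid ranges found; refusing to replace the live set")
    sys.stdout.write(restore_batch(accepted))
```

Run on the sample, the script rejects the three malformed lines and keeps only `1.0.1.0/24`, `1.0.2.0/23` and `1.0.8.0/21` (the duplicate and the `/24` inside the `/21` are collapsed). One practical note on where this set is matched: the `ufw` command line accepts only literal addresses and networks after `from`, so if `ufw insert 1 deny from "ipset:china"` is rejected on your release, the usual way to match an ipset is an iptables rule in `/etc/ufw/before.rules`, for example `-A ufw-before-input -m set --match-set china src -j DROP`, which the batch produced here is designed to feed.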