Fixing The Web


Domain registration and DNS services by:
VCSWEB.com
 

A site for both the WebMaster and the WebUser



IPCountryBlock Package
for dedicated servers

NOTE: If your web site is running on a shared server, go to the HTCountryBlock page instead. The package available on this page won't work for you.

This package uses the iptables firewall feature in the Linux kernel to block the countries that you do not want accessing your system. A utility is provided that lets you pick and choose the countries, and it also builds a file containing all the iptables rules for you. Then, with a simple command, your machine is configured to block the countries.

Everybody wants to know what something looks like before beginning with it, so I made a couple of little demos of this country blocking utility for you to check out.

I didn't make a demo of the setup utility because it's not very exciting to look at. It's just a page that appears in a web browser with a button to click that will begin the process of building the files needed for the other two utilities. Let's look at the other two main parts of this project:

First is the utility that lets you pick and choose your countries. The countries you will select will be the ones you will be blocking. This demo doesn't do anything useful, but it will show you what the user interface looks like. The default countries selected in the demo are the same ones that I block on my system. This is the program that will build the iptables file for you.

The buttons are disabled in the demo, except for the one that loads the default selections, and that one actually just refreshes the page. Go ahead and check out countryiptables.php.

This next demo is a very useful one. It lets you enter an IP address and displays the range of addresses it falls into and the country designated for that range. PLUS, it shows the 6 ranges that come before it and the 6 ranges that come after it. This is very handy if you just want to enter a single range of addresses into iptables with a single command, because it lets you see whether the countries immediately before or after the offending range are also ones you wish to block.

This was the first utility I wrote, and I used it to help me determine the range of addresses to enter as ipfilter rules into my DSL modem. I used this before creating the iptables utility and still use it to spot check any potential intruders and also to make temporary or permanent blocks. It's a handy utility because it will also show the ranges of addresses that are unknown. There are some new IP address ranges being added that aren't in the database yet, and I can further investigate these when necessary.

This is now a real live functional demo --> iptocountry.php.
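One way a lookup like this can work, as an added example that is not the code of iptocountry.php: sort the ranges, insert explicit "unknown" entries for the gaps, then binary-search the address and return its neighbors. The sample rows, their (start, end, country) layout and the function names are constructed for illustration.

```python
import bisect
import ipaddress

# Constructed sample rows (start, end, country code); not real allocation data.
ROWS = [
    ("10.0.0.0", "10.0.255.255", "AA"),
    ("10.1.0.0", "10.1.127.255", "BB"),
    # 10.1.128.0 - 10.1.255.255 is deliberately missing from the "database"
    ("10.2.0.0", "10.3.255.255", "AA"),
    ("10.4.0.0", "10.4.0.255", "CC"),
]

def _num(ip):
    return int(ipaddress.IPv4Address(ip))

def _dotted(n):
    return str(ipaddress.IPv4Address(n))

def build_table(rows):
    """Sort rows by start address and add 'unknown' entries for every gap.

    Assumes the input ranges do not overlap each other.
    """
    table, next_free = [], 0
    for start, end, cc in sorted((_num(s), _num(e), c) for s, e, c in rows):
        if start > next_free:
            table.append((next_free, start - 1, "unknown"))
        table.append((start, end, cc))
        next_free = max(next_free, end + 1)
    if next_free <= 0xFFFFFFFF:
        table.append((next_free, 0xFFFFFFFF, "unknown"))
    return table

def lookup(table, ip, context=6):
    """Return (position of the match inside the window, window of ranges).

    The window holds the matching range plus up to `context` ranges on each side.
    """
    starts = [row[0] for row in table]
    i = bisect.bisect_right(starts, _num(ip)) - 1   # last range starting <= ip
    lo = max(0, i - context)
    window = table[lo:i + context + 1]
    return i - lo, [(_dotted(s), _dotted(e), cc) for s, e, cc in window]

if __name__ == "__main__":
    pos, window = lookup(build_table(ROWS), "10.1.200.7")
    for k, (start, end, cc) in enumerate(window):
        print("=>" if k == pos else "  ", start, "-", end, cc)
```
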

Now, if you have the system to run this on, it's free. You just download it and put it on your system. There are 4 files needed from me and one from another source, but that's free as well. Again, I've only run this on Linux with the Apache server and iptables installed in the kernel. Another requirement is the kernel mod for iptables known as "iprange". I tried and tried to get this to work and gave up. I finally came to the conclusion that I had to upgrade my kernel from the previous 2.4.x to the 2.6.x version to get the iprange module to work. You might have to as well. My documentation will show you how to check to see if iprange is working on your Linux system.

The advantage of the iprange functionality is that it allows you to use something like 218.0.0.0-218.31.255.255 instead of 218.0.0.0/11. The x.x.x.x/x (CIDR) notation works for this particular range, but there are many, many ranges of IP addresses used by some countries where you can't do this: a single x.x.x.x/x entry for such a range will cut into a range that you do not want to block. Because of this, it's well worth the time and trouble involved in getting the iprange module to work with iptables.
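The range-versus-CIDR point above, worked through as an added example (not part of the IPCountryBlock package): the page's 218.0.0.0-218.31.255.255 range is exactly one /11, while an unaligned range needs several CIDR entries, and the smallest single CIDR covering it blocks extra addresses. The 10.5.0.0-10.7.127.255 range, the INPUT chain, the DROP target and the function names are assumptions made for illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Exact list of CIDR blocks covering first..last and nothing else."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(lo, hi))

def single_cidr_overblock(first, last):
    """Smallest single CIDR containing first..last, plus the number of
    addresses outside the range that it would also match."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    # Bits in which lo and hi differ must all be host bits of the covering net.
    prefix = 32 - (lo ^ hi).bit_length()
    net = ipaddress.ip_network((lo, prefix), strict=False)
    return net, net.num_addresses - (hi - lo + 1)

def iprange_rule(first, last):
    """One rule for the whole range using the iprange match.
    Chain (INPUT) and target (DROP) are assumptions, not taken from the page."""
    return f"iptables -A INPUT -m iprange --src-range {first}-{last} -j DROP"

if __name__ == "__main__":
    samples = [
        ("218.0.0.0", "218.31.255.255"),   # range quoted on the page
        ("10.5.0.0", "10.7.127.255"),      # constructed, not CIDR-aligned
    ]
    for first, last in samples:
        cidrs = range_to_cidrs(first, last)
        net, extra = single_cidr_overblock(first, last)
        print(f"{first}-{last}")
        print("  exact CIDR list :", ", ".join(map(str, cidrs)))
        print(f"  single covering : {net} (over-blocks {extra} addresses)")
        print("  iprange rule    :", iprange_rule(first, last))
```
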

Even without the iptables functionality, you might enjoy just using the iptocountry.php program and manually blocking particular ranges one at a time as you feel necessary.

December 17, 2006 changes: Removed the links to the outside world from the utility programs. This way, the directory you have these located in won't show up in any log files as the referrer. The log files would be on this site here, but still it's a security measure for you. Also improved countryiptsetup.php on how it lays out the database files. It helped iptocountry.php provide a better display.

Here are all four files packed into one tar.gz archive.

updated December 17, 2006
countryblock.tar.gz - This contains the 3 .php files and the documentation.
countryblock.zip - Contains the same files, but in .zip format.

If you'd like, you can also read the documentation here online before downloading.

Don't go away... you need one more file.

You'll need to pick your choice of database files, either the "ip-to-country" file or the "geoip" file. These contain all of the IP address and country information. You only need one or the other. Or you can download both and set up two different directories to try this out in and then settle on the one you like best.

NOTE: The current recommended (as of 1/5/2007) database file is the one from maxmind.com. The one from ip-to-country.webhosting.info presently has two countries listed with some empty fields that cause them to be listed without a name. It doesn't cause a real problem, but it is confusing seeing a country selection without a name. This notice will be removed once they have fixed that problem.

You can download the "ip-to-country" file for free from ip-to-country.webhosting.info. From the main page, go to the download section and look for the database file called "ip-to-country.csv". It will be a .zip file. Unzip it into the same directory where you placed the .php files from here.

Or you can download the "geoip" file from www.maxmind.com. Look for the free download called "GeoLite Country". Get the .csv version and not the binary version. You can also use their "paid for" version if you choose to do so.

You can put these files wherever you want. You can use an existing directory if you'd like, but I prefer a separate one. The only requirements are that all the files be in the same directory, that your web server has access to the directory, and that your web server has write permissions set for this directory. After copying the files to the directory, also make sure the three .php files have the correct permissions set. It's covered in the documentation.

Be sure to read the documentation before loading any of these files into a web browser. You must run the setup utility first, as it will create the database files from the .csv database file. Nothing will work until you do this. The files created will all end up in the same directory. The files you download from here are very small, only about 20K or so, but the .csv database file is about 3 MB to 6 MB (depending on which one you select), and the database files that get created will take up approximately another 3 MB to 6 MB.

Go ahead and have fun locking your doors. Unfortunately, this world of ours requires it.


Copyright 2006-2007 FixingTheWeb.com
Direct comments to: support@fixingtheweb.com