iptables +block country

Sandy Harris sandyinchina at gmail.com
Mon Aug 16 07:32:25 UTC 2010


On Mon, Aug 16, 2010 at 12:31 PM, NoOp <glgxg at sbcglobal.net> wrote:

> With apologies to our Chinese list subscribers...

I'm not Chinese, but I am in China. I'm not inclined to accept the
apology. We have enough trouble with the Great Firewall without
also having to contend with blocking on your end.

> I'm tiring of unsecured probes from unsecured Chinese machines. ...

Understandable.

> So on
> every local machine I've simply decided to block all of China.

Can you do something more restricted that is just as
effective? Reject requests for SSH connections from
China? Reject only blocks from which you have seen
probes? ...?

> http://blacklist.linuxadmin.org/ has a handy tool to blocklist by
> country & port. I've modified the output to block via iptables, but
> wonder if the following sample is correct:
>
> #!/bin/bash
> # china blocklist
> # generated from http://blacklists.linuxadmin.org
> # one rule per prefix: reject all TCP from the source block,
> # on every port, appended to the INPUT chain
>
> /sbin/iptables -A INPUT -p tcp -s 58.14.0.0/15 -j REJECT
> /sbin/iptables -A INPUT -p tcp -s 58.16.0.0/13 -j REJECT
> /sbin/iptables -A INPUT -p tcp -s 58.24.0.0/15 -j REJECT
>
> Any advice as to whether this is correct?

I do not know if it is correct as far as it goes. It is certainly
not complete. My current IP address (from China Telecom
in Shanghai) is not on it.
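One way to act on both points raised above, the suggestion to reject only SSH rather than all TCP, and the observation that a given address may not be on the list at all, as an added example that is not from the original thread or from blacklist.linuxadmin.org. It uses only the three prefixes quoted in the script above as a constructed sample list; the chain name GEO_BLOCK, the choice of port 22, the conntrack match and the test addresses are assumptions made for the example. The script only prints the iptables commands, so it can be inspected before anything is applied.

```bash
#!/bin/bash
# Added example: restrict a country block list to one service and check
# whether an address is covered by the list. Not the thread's own code.

# Constructed sample list: the three prefixes from the quoted script.
# A real per-country list runs to thousands of entries.
CHINA_BLOCKS="58.14.0.0/15
58.16.0.0/13
58.24.0.0/15"

# ip_to_int A.B.C.D -> decimal value of the address
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP lies inside CIDR
in_cidr() {
    local ip net bits mask
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # 4294967295 is 0xFFFFFFFF; keep the mask to 32 bits
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# covered IP -> prints the first matching prefix; exit 1 if none matches
covered() {
    local cidr
    for cidr in $CHINA_BLOCKS; do
        if in_cidr "$1" "$cidr"; then
            echo "$cidr"
            return 0
        fi
    done
    return 1
}

# gen_rules PORT -> print iptables commands for a dedicated chain
# (assumed name GEO_BLOCK) that rejects only NEW TCP connections to
# PORT from the listed prefixes; everything else falls through.
gen_rules() {
    local port=$1 cidr
    echo "iptables -N GEO_BLOCK 2>/dev/null || iptables -F GEO_BLOCK"
    for cidr in $CHINA_BLOCKS; do
        echo "iptables -A GEO_BLOCK -s $cidr -j REJECT --reject-with tcp-reset"
    done
    echo "iptables -A GEO_BLOCK -j RETURN"
    echo "iptables -I INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j GEO_BLOCK"
}

# Usage: print the SSH-only rule set, then check a couple of addresses
# (constructed test addresses, not anyone's real IP).
gen_rules 22
for addr in 58.20.1.2 58.26.0.1; do
    if hit=$(covered "$addr"); then
        echo "$addr is covered by $hit"
    else
        echo "$addr is NOT on the list"
    fi
done
```

Two practical notes: appending thousands of `-s` rules to INPUT makes every packet walk the whole list, so for a full country list the usual tool is an ipset of type hash:net referenced by a single `-m set` rule; and `covered` is the check to run against the address you actually see in your auth log before trusting that a downloaded list blocks it.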




More information about the ubuntu-users mailing list