Drop/reject all packets from region

  • I'm running a GCE free tier VPS with Debian 9 and the only thing that costs me money is egress traffic to Asia. It only contains services for personal use and I live in Europe so there's no reason not to drop that traffic.

    Is it possible to get a script that runs as a cron job and pulls IP adress ranges for Asia and updates IP tables to drop those requests? Or would that list possibly just be to large? Would it be easier to allow a single countries IP ranges and drop all other requests? For example allow the ranges in this list? http://www.iwik.org/ipcountry/NO.cidr or http://www.ipdeny.com/ipblocks/data/aggregated/no-aggregated.zone

    There's also this https://www.countryipblocks.net/acl.php which gives you the actual IP tables rules ready to run but I'm not sure if it's possible to automate a request to get them updated.

  • administrators

    Hello @jafinn i have checked out the https://www.countryipblocks.net/acl.php, it took a while to generate and pull the whole list of Asia.
    At the moment list is consisted of 81522 entries.

    Since it is GCE free tier, it could hog your resources a bit.
    Other aspect is that you will have to rely to some website/API on accuracy of the list.

    If you want the script, it would be probably best to allow only your country but yet you still have to rely on 3rd party service for accuracy which could potentially in theory lock you out.

    Have you heard of CloudFlare - free tier ? For more info visit https://www.cloudflare.com

    You can utilize their free services for reverse proxy, aggressive caching and challenge (captcha for suspicious traffic, for example bots, botnets,etc...)
    They even provide a list of their IP addresses here https://www.cloudflare.com/ips/, so that you can utilize iptables, or dynamically update nginx ACL from lists to allow web traffic trough them only (all traffic will be trough reverse proxy and filtered and cached). I am just throwing idea here so let me know what you think 🙂 ?

    FYI we are using CF on shell5.dev and forum 😉

  • @filips said in Drop/reject all packets from region:

    Since it is GCE free tier, it could hog your resources a bit.

    Yeah, I considered that but figured it will only need to run once a day/week and slow down the system while it's running. The question is really how long it will need to finish. 30 min slowdown I can live with, 6 hours is probably going to be a pain in the backside..

    Other aspect is that you will have to rely to some website/API on accuracy of the list.

    Yes, but it shouldn't matter if it's not 100% accurate as long as it stops the majority of the traffic. But yes, if the website goes down/API changes it won't work anymore.

    could potentially in theory lock you out.

    Yes, that's a good point. The only ports that are open are 22/80/443. It should probably just drop packets on 80/443 and respond to 22 regardless of location. Then I'll have access to manually correct it if needed.

    If you want the script, it would be probably best to allow only your country

    Yeah, I figured that might be the best option as there's a lot less people in my country than in Asia:)

    Have you heard of CloudFlare - free tier ? For more info visit https://www.cloudflare.com

    I've heard of them but never used them. I'll have a look and see if that's potentially a better option. Thanks for the suggestion, I'll get back to you and let you know what I find.

  • administrators

    @jafinn So your services are only listening on 80/443 ? Are you using Apache, Nginx or something else? Nginx (if compiled with it) has great geo ip module that can achieve what you want quite easily.

    However, if you prefer to stick with iptables I started working on a script that might help you out with what you want.

  • administrators

    @jafinn Hey, just a quick update regarding this. I created a script, but there are some issues with iptables geoip module. I'm still working on it, I'll let you know about a progress.

  • administrators

    After long testing on couple of different Debian 9 boxes, it looks like geoip iptables module might be broken on that distribution (or maybe that kernel version).
    Problem is if you enter a single rule that should drop let's say traffic from China on port 80/443, it drops all incoming connections on those ports (or all incoming traffic if you don't specify ports).
    I've also found topic with similar issue on Stack Overflow.

    So I took different approach, this is doing exactly what you want, it will drop all traffic from Asia based on country codes of countries that are located in Asia.
    However, instead of utilizing geoip module, this one is focused directly on using a lot of IP ranges and creating bunch of iptables rules (75209 to be precise). Zones are downloaded from here: http://www.ipdeny.com/ipblocks/data/countries/

    This script is based on great work of Cyberciti's Vivek, you can find his example on: https://www.cyberciti.biz/faq/block-entier-country-using-iptables/

    Main drawback of this approach is time and CPU resources that are needed for this to complete. On a box with single CPU core, and 1GB of RAM it took 50 minutes to complete (and I really advise you to save those rules so they persist through machine restart, script will prompt you to do that at the end), but after that you're good to go.

    I deployed nginx server on node that was used for testing, tried to access it from India and China proxies, and connection timed out. So it does achieve what you want, and it should work properly on any Debian based distribution.

    While script is thoroughly tested, please be sure that you can access node directly from your provider panel as well, in case something goes wrong and you get blocked.
    For GCP I believe this is it: https://cloud.google.com/shell/

    For anyone else that might be reading this, if you're located in Asia, DO NOT RUN this script. It will block access to your machine.

    One important note: This script WILL FLUSH ALL iptables rules you might have, so if you do have some rules set already, be sure to back them up.

    Gitlab script directory: https://git.shell5.dev/shell5dev/installation-scripts/tree/master/jafinn-iptables-geoip
    Gitlab master repo: https://git.shell5.dev/shell5dev/installation-scripts
    Github mirror: https://github.com/shell5dev/Installation-Scripts

    Tested on:
    Multiple Debian 9 nodes

    Happy testing and let us know how it works 🙂

Log in to reply