In our previous article, we had mentioned the Block Visitors by Country Using Firewall page.

This page allows anyone to download the list of IP addresses for a country that they wish to block in their firewall. There is no charge for this free service.

The above process is a manual one, hence we’ve come up with an API where users can pull the list of IP addresses automatically via a scheduled task.

Subscribers to the IP2Location Firewall IP List API are able to programmatically download the IP list for multiple countries using a cronjob and loading the data automatically into their respective firewalls.

Let’s see how to automate the firewall IP list for ipset in Debian

First of all, you’ll need to subscribe to the Firewall IP List API via https://www.ip2location.com/free/visitor-blocker. You can click on the REQUEST 7-DAY TRIAL to get a feel for it first. Later on, you can upgrade to a paid service via the user area upon login.

After requesting the trial, you should receive a download token in your email. You can also view this download token in the user area. This token is required to use the API.

Pre-requisites

Before you proceed further, make sure you have the following installed in your Debian:

• iptables
• ip6tables (if you have IPv6)
• ipset
• curl

Create the 2 blacklists for storing the IPv4 and IPv6 addresses

ipset create countryblocker nethash

ipset create countryblockerv6 nethash family inet6 hashsize 65536 maxelem 131072

NOTE: Our IPv6 hashsize and maxelem are just examples. You may need to adjust for your own usage depending on which countries you wish to block.

Below is the Bash script that we’re going to use to automate the blacklist loading

Let’s call our script configureblocker.sh and paste the below codes into it. Replace the XXXXXX with your download token that we’ve mentioned above. The example below is downloading the IP addresses for Sweden (SE) and Japan (JP). Modify the country parameter for whichever countries you wish to block.

#!/bin/bash

# IPv4
curl -o firewall.gz 'https://dl.ip2location.com/v1/firewall?token=XXXXXX&country=SE|JP&format=cidr&ip_version=4'

gunzip firewall.gz

mv firewall blockcountry.sh

sed -i '/^#/d' blockcountry.sh

sed -i 's/^/ipset add countryblocker /g' blockcountry.sh

sed  -i '1i ipset flush countryblocker' blockcountry.sh

chmod +x blockcountry.sh

bash blockcountry.sh

rm blockcountry.sh

# IPv6
curl -o firewall.gz 'https://dl.ip2location.com/v1/firewall?token=XXXXXX&country=SE|JP&format=cidr&ip_version=6'

gunzip firewall.gz

mv firewall blockcountry.sh

sed -i '/^#/d' blockcountry.sh

sed -i 's/^/ipset add countryblockerv6 /g' blockcountry.sh

sed  -i '1i ipset flush countryblockerv6' blockcountry.sh

chmod +x blockcountry.sh

bash blockcountry.sh

rm blockcountry.sh

ipset save > /etc/countryblocker.ipset

Setup iptables & ip6tables with the rules to use the both IPv4 and IPv6 blacklists

We will now configure our /etc/network/if-pre-up/firewall script with the necessary rules to use the ipset blacklists. If you don’t have this script yet, create the script and assign execute permission on it.

Our example looks like below:

#!/bin/bash
IPTABLES=$(which iptables)

# Clear current rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

$IPTABLES -A INPUT -t filter -s 127.0.0.1 -j ACCEPT

# Load ipset rules
ipset restore < /etc/countryblocker.ipset > /dev/null 2>&1

# Blacklist (IPv4)
$IPTABLES -I INPUT -m set --match-set countryblocker src -p TCP --destination-port 80 -j REJECT

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

IP6TABLES=$(which ip6tables)

# Clear current rules
$IP6TABLES -F
$IP6TABLES -X
$IP6TABLES -Z

# Blacklist (IPv6)
$IP6TABLES -I INPUT -m set --match-set countryblockerv6 src -p TCP --destination-port 80 -j REJECT

If you see the above script, we are reloading the saved ipset configuration. Then we’ve added 2 rules; 1 is for reading the IPv4 blacklist while another is doing the same for IPv6. Our example is specifically for blocking port 80 which is the web server port. You can tweak the script to fit your own scenarios.

Reload the firewall to let the blacklists take effect

You can reboot the server or run the /etc/network/if-pre-up/firewall script. That should reload the firewall settings.

Setting up the cronjob to automatically update the blacklists

In the /etc/crontab file, you can add the below to run the script for updating the blacklists on a set schedule. Our example below assumes that our script is in the /root folder and we want to run it on the 1^st of every month at 8:30am.

30 8 1 * * root bash /root/configureblocker.sh >/dev/null 2>&1