Whitelist Entire Country with ipset

Goal: Whitelist an Entire Country with ipset For this article i’ll be referencing the github repository I set up at

https://github.com/ssstonebraker/braker-scripts/tree/master/working-scripts/ipset We have a few files there, specifically:
* cidr_to_ipset.sh (a script to create an ipset ruleset)
* Some example CIDR blocks for Italy (IT.txt), Spain (ES.txt), Great Britian (GB.txt), USA (US.TXT)
* sample_firewall.txt (example exported iptables)

Using the repo To create an ipset called “ES” with all of Spain’s IP addresses run this command:

./cidr_to_ipset.sh ES.txt

To view the ipset “ES” run this:

ipset -L ES

Creating Firewall Rules To whitelist Spain, France, and Great Britian on port 80:

:OUTPUT ACCEPT [58:6894]
:FWR -

#all traffic to FWR chain

#accecpt local
-A FWR -i lo -j ACCEPT

# Any established connection is money

# ICMP echo permitted
#-A FWR -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Permit my management ip in
-A FWR -s -p tcp -m tcp --dport 22 -j ACCEPT
-A FWR -s -p tcp -m tcp --dport 80 -j ACCEPT

#Whitelist these ipset's and permit them to connect on port 80
#We ran the following commands to create the match sets:
# ./cidr_to_ipset.sh GB.txt
# ./cidr_to_ipset.sh ES.txt
# ./cidr_to_ipset.sh FR.txt
-A FWR -m set --match-set GB src -p tcp -m tcp --dport 80 -j ACCEPT
-A FWR -m set --match-set ES src -p tcp -m tcp --dport 80 -j ACCEPT
-A FWR -m set --match-set FR src -p tcp -m tcp --dport 80 -j ACCEPT

# log iptables denied calls
-A FWR -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Rejects all remaining connections with port-unreachable errors.
-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable

#Reject all udp traffic
-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable

1 comment to Whitelist Entire Country with ipset

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>