LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-08-2007, 04:52 PM   #1
jonfa
Member
 
Registered: Mar 2001
Location: FL
Posts: 257

Rep: Reputation: 30
Only allow US ip addresses


Hi All,

If I wanted to block every IP address except those from the United States, how can I do this with iptables?

Can I do something like this:

/sbin/iptables -I INPUT -s IPADDRESS/SUBNET -j ACCEPT

My question is I want to block every IP address that I do not specify and only allow those I do specify.

Thanks.
 
Old 03-08-2007, 06:45 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Sure. The easiest way is to add rules for the systems you want to allow and then use a rule at the end to drop everything else that isn't matched (or just make your default INPUT policy DROP or REJECT). So to give you an example, if I want to allow 192.168.0.1 and the range 10.10.10.0-10.10.10.255 I'd use:

Code:
iptables -A INPUT -s 192.168.0.1/32 -j ACCEPT
iptables -A INPUT -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -j REJECT
or alternatively:

Code:
iptables -P INPUT DROP    # a chain policy can only be ACCEPT or DROP; REJECT is a rule target, not a policy
iptables -A INPUT -s 192.168.0.1/32 -j ACCEPT
iptables -A INPUT -s 10.10.10.0/24 -j ACCEPT
Those are obviously rudimentary examples and you'll need more rules for a functioning firewall. If you want to allow just the U.S. that might be a bit more tricky, specifically finding a list of which IPs are specific to the US. I think I've seen similar lists like that before but I don't remember where. You may have some luck on Google though.
 
Old 03-08-2007, 07:50 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
or you could use iptables' geoip match module... from man iptables:
Code:
geoip
       Match a packet by its source or destination country.

       [!] --src-cc, --source-country country[,country,country,...]
              Match packet coming from (one of) the specified country(ies)

       [!] --dst-cc, --destination-country country[,country,country,...]
              Match packet going to (one of) the specified country(ies)

       NOTE:  The country is inputted by its ISO3166 code.

       The only extra files you need is a binary db (geoipdb.bin) & its index
       file (geoipdb.idx).  Both files are generated from a countries & subnets
       database with the csv2bin tool, available at www.cookinglinux.org/geoip/.
       Both files MUST also be moved in /var/geoip/ as the shared library is
       statically looking for that pathname (ex.: /var/geoip/geoipdb.bin).