OpenBSD Journal

How to block traffic by country-IPs?

Contributed by tbert on from the blocking the blockable blockheads dept.

Stefan Wollny wrote in with this blocking by regions article:

Every now and then the same question arises on the mailing lists: "How to block traffic from a country altogether?" While this is a "no-go" in a business-minded environment, the question may be valid for a private network. If you have not the slightest doubt that there has never been, and never will be, any contact with servers located e.g. in Belarus, it might rightfully be assumed that blocking IPs related to Belarus should not only do no harm but will improve the security of your home network a little bit.

The obvious solution for OpenBSD users is "Use PF!" (and likewise for users of other BSDs and OS X, of course). The core task is to collect the IPs of the country to be blocked. One possible solution is to go to ipdeny.com and copy the zone file for the country (or countries) of interest to your router and/or laptop. Put those IPs into a file that PF can load as a table and let PF block those IPs for you. But please respect ipdeny.com's usage policy.

Here is a "hands-on" example:
I find it helpful to have a directory for all files that belong to PF.

    $ sudo mkdir /etc/pf-files

In /etc/pf.conf the following needs to be added:

1. In the prerequisites section (where tables are defined) add:

    table <blocked_zones> persist file "/etc/pf-files/blocked_zones"

2. In the block section add early:

    block in quick proto tcp from <blocked_zones> to any port { 22 80 }

With the following little script, a couple of zone files will be fetched from ipdeny.com and imported into the file blocked_zones.

    #!/bin/sh
    #
    # Disclaimer:
    # This is an example - no liability _at all_ for any actual usage!
    #
    cd ~/tmp    # or any other scratch directory...
    # -4 = use IPv4 only
    # --no-proxy = don't care for proxies
    # --no-cookies = don't accept cookies
    # --no-cache = no cached files
    wget -4 --no-proxy --no-cookies --no-cache \
        http://ipdeny.com/ipblocks/data/countries/cn.zone # CHINA
    wget -4 --no-proxy --no-cookies --no-cache \
        http://ipdeny.com/ipblocks/data/countries/az.zone # AZERBAIJAN
    wget -4 --no-proxy --no-cookies --no-cache \
        http://ipdeny.com/ipblocks/data/countries/by.zone # BELARUS
    wget -4 --no-proxy --no-cookies --no-cache \
        http://ipdeny.com/ipblocks/data/countries/kz.zone # KAZAKHSTAN
    wget -4 --no-proxy --no-cookies --no-cache \
        http://ipdeny.com/ipblocks/data/countries/kg.zone # KYRGYZSTAN
    wget -4 --no-proxy --no-cookies --no-cache \
        http://ipdeny.com/ipblocks/data/countries/ru.zone # RUSSIAN FEDERATION
    wget -4 --no-proxy --no-cookies --no-cache \
        http://ipdeny.com/ipblocks/data/countries/tj.zone # TAJIKISTAN
    wget -4 --no-proxy --no-cookies --no-cache \
        http://ipdeny.com/ipblocks/data/countries/tm.zone # TURKMENISTAN
    wget -4 --no-proxy --no-cookies --no-cache \
        http://ipdeny.com/ipblocks/data/countries/uz.zone # UZBEKISTAN
    wget -4 --no-proxy --no-cookies --no-cache \
        http://ipdeny.com/ipblocks/data/countries/vn.zone # VIET NAM
    #
    # Concatenate the zone files: the first one creates blocked_zones,
    # the others append to it.
    cat cn.zone >  blocked_zones
    cat az.zone >> blocked_zones
    cat by.zone >> blocked_zones
    cat kz.zone >> blocked_zones
    cat kg.zone >> blocked_zones
    cat ru.zone >> blocked_zones
    cat tj.zone >> blocked_zones
    cat tm.zone >> blocked_zones
    cat uz.zone >> blocked_zones
    cat vn.zone >> blocked_zones
    #
    rm *.zone
    #
    # Install the table file and reload the ruleset so PF picks it up.
    sudo mv blocked_zones /etc/pf-files/
    sudo pfctl -f /etc/pf.conf
    #
    cd
    #

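An added example, not the article's script: it keeps only well-formed IPv4 CIDR lines from the downloaded zone files (so an HTML error page or stray text never reaches pfctl), de-duplicates them, refuses to install an empty table file, and refreshes only the table with pfctl -T replace instead of reloading the whole ruleset, as the first comment thread below suggests. It assumes the /etc/pf-files directory and <blocked_zones> table from the article and OpenBSD's ftp(1) for HTTP downloads.

```shell
#!/bin/sh
# Added example (not the article's script): validate ipdeny zone files before
# they reach PF, then refresh only the <blocked_zones> table. Assumes the
# article's /etc/pf-files directory and OpenBSD's ftp(1) for HTTP downloads.
set -eu
PFDIR=/etc/pf-files
TABLE=blocked_zones

# Print only well-formed IPv4 CIDR lines (a.b.c.d/n, octets 0-255, n 0-32),
# de-duplicated; HTML error pages, blank lines and stray text are dropped.
valid_cidr_lines() {
    awk -F'[./]' '
        NF == 5 && $5 ~ /^[0-9]+$/ && $5 <= 32 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok) print
        }' "$@" | sort -u
}

# Build the table file from the given zone files, replacing the old one
# atomically; refuse to install an empty list (e.g. every download failed).
build_table_file() {
    tmp=$(mktemp "$PFDIR/.$TABLE.XXXXXX")
    valid_cidr_lines "$@" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no valid networks found, keeping the old $TABLE file" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$PFDIR/$TABLE"
    printf '%s\n' "$PFDIR/$TABLE"
}

# Fetch zone files for the country codes given after the scratch directory,
# pausing between requests as ipdeny.com's usage policy asks.
fetch_zones() {
    dir=$1; shift
    for z in "$@"; do
        ftp -o "$dir/$z.zone" "http://ipdeny.com/ipblocks/data/countries/$z.zone"
        sleep 1
    done
}

# Usage: sh blocked_zones.sh update cn by ru  (no action without "update").
# The running table is refreshed with -T replace, no full pf.conf reload.
if [ "${1:-}" = update ]; then
    shift; work=$(mktemp -d)
    fetch_zones "$work" "$@"
    build_table_file "$work"/*.zone
    pfctl -t "$TABLE" -T replace -f "$PFDIR/$TABLE"
    rm -rf "$work"
fi
```

The table must still be declared in pf.conf with `persist file` as shown above so the file is loaded again at boot; the script only keeps the running table in sync between reloads.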
Some notes:

1. I know that this script might easily be written in a more elegant manner. It is simply meant to explain what is happening. Of course, if you want to add 50+ more countries ... feel free to do it your way.

2. It is up to you to judge whether ipdeny.com's collection is trustworthy - I refuse any liability. I have no means to check the completeness or correctness. Their site is merely provided as a 'how-to' example.

3. If e.g. you block Russian IPs (as in the given example) and some Windows PC/laptop behind the OpenBSD firewall is additionally secured by a popular Russian-based anti-virus program, make sure you still get updates of the virus definitions. Basically the same applies if some of your systems need firmware that is provided on a server in one of the countries on your list. Test it!

4. Tell those relying on your administration of PF what you intend to do - they might need a particular address you would otherwise be blocking.

5. Again: This script is an example - you ought to know yourself what you are doing and what is legally prohibited in your country of residence.

Finally I'd like to say THANK YOU to the OpenBSD devs for giving us this fine OS and PF; and this time in particular to Peter Hansteen for his excellent online tutorial on PF accompanying the PF FAQ (and the man pages, of course). Did you know that the 3rd edition of his 'The Book of PF' will appear soon - get it!

Comments
  1. By Anonymous Coward (37.187.2.129) on

    Your script would probably be more readable, not use static files, not require wget which is not in base and respect ipdeny policies this way:

    #!/bin/sh

    PFDIR=/etc/pf-files
    ZONEFILE=blocked_zones

    mkdir -p ${PFDIR}
    > ${PFDIR}/${ZONEFILE}

    for ZONE in cn az by kz kg ru tj tm uz vn
    do
        ftp -o - http://ipdeny.com/ipblocks/data/countries/${ZONE}.zone >> ${PFDIR}/${ZONEFILE}
        sleep 1 # respect ipdeny policies
    done

    pfctl -f /etc/pf.conf

    Comments
    1. By Pedro Caetano (89.115.30.144) pedrocaetano@binaryflows.com on

      > Your script would probably be more readable, not use static files, not require wget which is not in base and respect ipdeny policies this way:
      >
      > #!/bin/sh
      >
      > PFDIR=/etc/pf-files
      > ZONEFILE=blocked_zones
      >
      > mkdir -p ${PFDIR}
      > > ${PFDIR}/${ZONEFILE}
      >
      > for ZONE in cn az by kz kg ru tj tm uz vn
      > do
      > ftp -o - http://ipdeny.com/ipblocks/data/countries/${ZONE}.zone >> ${PFDIR}/${ZONEFILE}
      > sleep 1 #respect ipdeny policies
      > done
      >
      > pfctl -f /etc/pf.conf
      >

      Hi,

      Instead of reloading the ruleset each time crontab executes this script, it would be better to run the following:

      pfctl -t blocked_zones -T replace `cat ${PFDIR}/${ZONEFILE}`

  2. By Anonymous Coward (79.129.79.91) on

    There is a date string in the middle of the rule that seems to be there by mistake:

    block in quick proto tcp from <blocked_zones>10:05 22.05.2014 to any port { 22 80 }

    Comments
    1. By Stefan Wollny (212.34.73.4) on

      > There is a date string in the middle of the rule that seems to be there by mistake:
      > block in quick proto tcp from <blocked_zones>10:05 22.05.2014 to any port { 22 80 }

      Quite obviously you are right - that sneaked in.

  3. By sthen (85.158.44.149) on

    Having looked at 3 or 4 countries "ip address lists" from this site, both some quick samples by eye (I don't *think* all of Canada is behind a single /24...), and comparing some of their lists against the geolite database, I'm not too happy with the quality of data they are giving out.

    For example: their blocks shown as being in Germany show up on geolite as including addresses in Afghanistan, Austria, Belgium, Brazil, Belize, Switzerland, Estonia, Europe, France, United Kingdom, Hungary, Ireland, Iraq, Italy, Luxembourg, Netherlands, Poland, Romania, Russian Federation, Singapore, Slovenia, Turkey, Ukraine, United States...

  4. By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/

    I understand the intention here, but the problem is that many attacks we want to guard against are highly distributed, and they are distributed across a wide range of IPs. Many, if not most, of these IPs originate from the US, Europe, and Canada.

    There may be some C&C nodes operating out of Russia or China or Estonia, but the work is being done by zombies, and the last time I looked most of those zombies were in the US.

    This is aside from the tricky aspects of GeoIP, which is dodgy at best.

    Comments
    1. By Anonymous Coward (78.192.104.249) on

      > This is aside from the tricky aspects of GeoIP, which is dodgy at best.

      Personally, I find that if one were to block batches of IP addresses, rather than doing it on a patchy, unreliable, & subject-to-change geolocation database, it would be best to use the known spam blacklists which are a good indication of compromised hosts (i.e. botnets). Many of these are available as a BGP feed so that you can dump the routing data right into a PF table in real-time.

  5. By Anonymous Coward (2a02:180:1:1::517:aaf) on

    Dear undeadly.org editors,
    Would you be able to block Norway on your firewall, please?

    Comments
    1. By phessler (phessler) on why in god's name am I wearing pants?

      > Dear undeadly.org editors,
      > Would you be able to block Norway on your firewall, please?

      No. We will not block any countries from posting to Undeadly.

  6. By Charles C. Hocker (charles05663) charles@drbs.com on

    How about a way to block IPs based upon organization? Like the NSA, FBI, CIA, MI7, etc?

    Comments
    1. By phessler (phessler) on why in god's name am I wearing pants?

      > How about a way to block IPs based upon organization? Like the NSA, FBI, CIA, MI7, etc?

      https://neocities.org/blog/the-fcc-is-now-rate-limited

  7. By Anonymous Coward (50.137.208.84) on

    To complete this project and import the blocked_zones from /etc/pf-files (as written above) you'll need to use the information from http://www.openbsd.org/faq/pf/tables.html and replicate the tables section. You'll need to add these lines:

    table <blockedzones> persist file "/etc/pf-files/blocked_zones"
    block quick from <blockedzones> to any

  8. By Anonymous Coward (95.215.0.158) arkhipax@gmail.com on

    Hm. Technically, this article is fine. It is very convenient to use some patterns in your work. The sense of the script is loading third-party blacklists into pf, which is quite convenient. But practically, many people will simply copy and paste elements of this code. Now on the Internet there are many services fighting spammers, etc. However, you shouldn't forget that by blocking whole ranges which got onto the list because of a complaint about a couple (at most ten) hosts, you block hundreds and thousands of users, for example from among quite vanilla home users. If you use blacklists, check with the leaders who work on incidents round the clock, thoroughly sorting out each case, for example Spamhaus. Take, for example, our network - http://www.spamhaus.org/sbl/listings/pinspb.ru. Now let's glance at the ipdeny.com list: first 188.143.128.0/17, and second 95.215.0.0. Thus the first network consists almost completely of unsophisticated ISP users who have no relation at all to a /24 which belongs to an ordinary hoster, "killing" hosts of its clients for complaints within 24 hours.
    (excuse me for my English)
