Blocking Countries in Linux – The EASY Way

For a while, I’ve been looking into a less CPU-intensive way to block entire countries from accessing my Linux game servers. While this can be done on the firewall/router level before the traffic could even get to the Linux host to begin with, this feature is a licensed one for the Watchguard firewall that I use, and I didn’t want to pay $200 a year just to get this single feature.

The first method I’d considered was to simply block all IP ranges that were registered to one of the countries in question. You can easily find several sites that offer the complete lists of IP blocks registered to other countries in an Internet search. Problem is, these blocks are hundreds (or in the case of China, thousands) of subnets long. Adding them into your firewall rules would practically gag your server, especially in the case of low-latency applications such as games and VoIP.

After doing some additional digging, a solution presented itself that allows a much lower processing overhead, but still allows you to completely block countries. Don’t do the blocking directly in your ipchains or pf configuration, do it in your hosts.deny file.

The way you do this is to not filter by IP address, but rather by Top Level Domain extension. In other words, use the Internet-abbreviated country code. Here’s an example of a hosts.deny file that’s blocking France, China, Russia, Ukraine, and several others:

ALL: .fr
ALL: .cn
ALL: .ru
ALL: .ua
ALL: .ar
ALL: .am
ALL: .by
ALL: .br
ALL: .kz
ALL: .md
ALL: .kr
ALL: .tr
ALL: .ua
ALL: .ve
ALL: .vn
ALL: .sg
ALL: .jp
ALL: .eu

This tells your server to do a reverse lookup on incoming connections and see which TLD is appended to the IP address they currently have. If a match is found against one of the TLDs listed, the connection is refused, regardless of TCP or UDP port number. The list can be configured to block specific services (such as SSH) instead of everything, but this was the fit that worked for me, since I have no business presence or customers from any of these countries.

This adds a couple dozen firewall rules, and the time it takes to do a reverse DNS lookup into your server access time, instead of going through thousands of IP subnet firewall rules. And since iptables and pf preserve open connection states outside of firewall rules, these firewall rules are only examined when the connection is initiated, resulting only in an additional 50-100ms latency response time on the initial request.

Is it 100% bulletproof? Nope. But it’s brought the number of hack attempts down for my servers exponentially. Most importantly, it means less time fighting off hackers, and more time working on that bottle of Balvenie Doublewood 12-year that’s been sitting on my shelf for a while.

Caleb Huggenberger is a 31 year-old systems engineer, old-school guitar and amplifier builder, and Eastern culture enthusiast. Outside of long work days, he enjoys electronics engineering, cast iron campfire cooking, and homesteading on his acreage in the Indiana countryside.

Leave A Comment (please keep things clean & civil)

Your email address will not be published. Required fields are marked *