Blocking Netranges Based on IP-to-Country CSV

Gary & Mic McFall nutbrownhares at tds.net
Thu Sep 16 01:41:41 CEST 2004


Due to a number of issues, my organization is reviewing the ability to
block certain country domains at the firewall.  To be proactive, we want
to automate that process via iptables & the CSV available at
<http://ip-to-country.webhosting.info>.

We have created a C program (IPCheck) in the /bin directory which, when
given an IP long number, checks the ip-to-country CSV and returns a
value for permit or not.  We want to process the packet based on that
return.  

I'm a relative newbie with iptables & scripts.  Listed below is some
very crude code, some of which is a verbal description of intent.  Any
suggestions on how to shore this up so that it will work?  Or should
this concept be a new module in iptables?

#
#    ***** DROP BAD IPS *****
#
/bin/IPCheck `grep -w "SRC =" | cut -d = -f 2`
if return = "Bad IP"
$IPT -A INPUT -$ETH0 $RATELIMIT -j INBADIPS

      ***** RULES - DROP  BAD IPS *****
#    ***** REVIEW LOG AT /var/log/iptables.log *****
#
$IPT -A  INBADIPS -j LOG --log-level debug --log-prefix "BADIP:  " -j
DROP

Thanks in advance for your help.

Gary McFall


More information about the netfilter mailing list