Blocking Netranges Based on IP-to-Country CSV
Hudson Delbert J Contr 61 CS/SCBN
Delbert.Hudson at LOSANGELES.AF.MIL
Thu Sep 16 18:33:03 CEST 2004
Why do this?
Seems a bit nasty in nature.
We don't even do this sort of thing? See email addy...
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org]On Behalf Of McFall, Gary
Sent: Wednesday, September 15, 2004 5:58 AM
To: 'netfilter at lists.netfilter.org'
Subject: Blocking Netranges Based on IP-to-Country CSV
Due to a number of issues, my organization is looking at being able to block
certain country domains at the firewall. To be proactive, we want to
automate that process via iptables & the CSV available at
We have created a C program (IPCheck) in the /bin directory which, when
given an IP long number, checks the ip-to-country CSV and returns a value
for permit or not. We want to process the packet based on that return.
I'm a relative newbie with iptables & scripts. Listed below is some very
crude code, some of which is a verbal description of intent. Any
suggestions on how to shore this up so that it will work? Or should this
concept be a new module in iptables?
# ***** RULES - DROP BAD IPS *****
# ***** REVIEW LOG AT /var/log/iptables.log *****
# A rule takes one target, so LOG and DROP have to be two rules in the chain.
$IPT -N INBADIPS
$IPT -A INBADIPS -j LOG --log-level debug --log-prefix "BADIP: "
$IPT -A INBADIPS -j DROP
# ***** DROP BAD IPS *****
for IP in $(grep -o "SRC=[0-9.]*" /var/log/iptables.log | cut -d = -f 2 | sort -u); do
    # IPCheck takes the address as a long, not as a dotted quad
    LONG=$(echo "$IP" | awk -F. '{ print $1*16777216 + $2*65536 + $3*256 + $4 }')
    if [ "$(/bin/IPCheck "$LONG")" = "Bad IP" ]; then
        $IPT -A INPUT -i $ETH0 -s $IP $RATELIMIT -j INBADIPS
    fi
done
Thanks in advance for your help.
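The IPCheck lookup the post describes, written out as an added example for this page; it is not Gary McFall's program, which is not shown in the thread. Everything about the data is assumed rather than taken from the post: the CSV is taken to have three quoted columns (start long, end long, two-letter country code) with non-overlapping ranges, the block list is a fixed array of codes, and SAMPLE_CSV is constructed from the RFC 5737 documentation prefixes with made-up user-assigned codes XA/XB/XC. The function names (ip_to_long, load_csv, country_for, ip_check) are this example's own.

```c
/* ipcheck.c: added example of the IPCheck lookup from the post above; not the
 * poster's program. Assumed, not from the post: the CSV has three quoted columns
 * start_long,end_long,country_code with non-overlapping ranges, and the block
 * list is a fixed array of codes. SAMPLE_CSV is constructed from the RFC 5737
 * documentation prefixes with made-up user-assigned codes XA/XB/XC.
 * Build: cc -Wall -o ipcheck ipcheck.c   Run: ./ipcheck 3325256711
 * Prints "Bad IP" (exit 1) for a blocked country, "OK" (exit 0) otherwise. */
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RANGES 1024
struct range { uint32_t start, end; char cc[3]; };
static struct range table[MAX_RANGES];
static int table_len = 0;
static const char *const BLOCKED_CC[] = { "XB", "XC" };   /* hypothetical block list */

/* Constructed sample table, deliberately out of order: load_csv sorts it. */
static const char *SAMPLE_CSV =
    "\"3221225984\",\"3221226239\",\"XA\"\n"   /* 192.0.2.0/24    */
    "\"3405803776\",\"3405804031\",\"XC\"\n"   /* 203.0.113.0/24  */
    "\"3325256704\",\"3325256959\",\"XB\"\n";  /* 198.51.100.0/24 */

/* Dotted quad -> 32-bit "IP long" as IPCheck expects; -1 if not a valid IPv4 address. */
int64_t ip_to_long(const char *s)
{
    uint32_t acc = 0; int octets = 0;
    while (*s) {
        char *end; long v;
        if (*s < '0' || *s > '9') return -1;            /* no sign, space or empty octet */
        v = strtol(s, &end, 10);
        if (v > 255) return -1;
        acc = (acc << 8) | (uint32_t)v; octets++; s = end;
        if (*s == '.') { if (!*++s) return -1; } else if (*s) return -1;  /* trailing dot / junk */
    }
    return octets == 4 ? (int64_t)acc : -1;
}

static int cmp_range(const void *a, const void *b)
{
    const struct range *ra = a, *rb = b;
    return (ra->start > rb->start) - (ra->start < rb->start);
}

/* Load "start","end","cc" lines and sort by start; returns the range count or -1 on a bad line. */
int load_csv(const char *text)
{
    const char *p = text; table_len = 0;
    while (*p && table_len < MAX_RANGES) {
        char clean[256], cc[8]; size_t i, j = 0;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        struct range *r = &table[table_len];
        if (len >= sizeof clean) return -1;
        for (i = 0; i < len; i++) if (p[i] != '"') clean[j++] = p[i];   /* drop field quotes */
        clean[j] = '\0';
        p = nl ? nl + 1 : p + len;
        if (j == 0) continue;                           /* blank line */
        if (sscanf(clean, "%" SCNu32 ",%" SCNu32 ",%7[^,\r]", &r->start, &r->end, cc) != 3
            || r->end < r->start || strlen(cc) != 2) return -1;
        memcpy(r->cc, cc, 3);
        table_len++;
    }
    qsort(table, table_len, sizeof table[0], cmp_range);
    return table_len;
}

/* Binary search over the sorted table; NULL when no range covers ip. */
const char *country_for(uint32_t ip)
{
    int lo = 0, hi = table_len - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (ip < table[mid].start) hi = mid - 1;
        else if (ip > table[mid].end) lo = mid + 1;
        else return table[mid].cc;
    }
    return NULL;
}

/* The verdict the post wants. An address in no range is permitted (fail-open);
 * return "Bad IP" when cc is NULL if the policy should fail closed instead. */
const char *ip_check(uint32_t ip)
{
    const char *cc = country_for(ip); size_t i;
    if (!cc) return "OK";
    for (i = 0; i < sizeof BLOCKED_CC / sizeof BLOCKED_CC[0]; i++)
        if (strcmp(cc, BLOCKED_CC[i]) == 0) return "Bad IP";
    return "OK";
}

int main(int argc, char **argv)
{
    const char *verdict;
    if (argc != 2 || load_csv(SAMPLE_CSV) < 0) return 2;
    puts(verdict = ip_check((uint32_t)strtoul(argv[1], NULL, 10)));
    return strcmp(verdict, "Bad IP") == 0;
}
```

One caveat on how such a program gets used: a script that runs over the log after the fact cannot act on a packet; iptables only consults the rules already loaded when the packet arrives, so the first packets from a blocked range always get through. The same lookup is more useful the other way round, walking the CSV once at rule-load time and emitting a rule for every range whose code is on the block list (for example with the iprange match, `-m iprange --src-range start-end -j INBADIPS`, or with ipset on current systems), which also answers the "new module" question without writing kernel code.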