Blocking Netranges Based on IP-to-Country CSV
cbrenton at chrisbrenton.org
Mon Sep 20 14:26:11 CEST 2004
On Mon, 2004-09-20 at 08:06, Thomas Lußnig wrote:
> - Extereme overload for IP-tables since it need extreme large table of
> ip lists
I beg to disagree. Most range blocking is done more on a region basis
rather than by individual country (i.e. permit countries in Europe but
maybe block Asia-Pacific). Given that IP ranges are delegated in large
blocks (class A and B being the norm), it actually takes very few rules.
For example I've had iptables firewalls pushing 400 Mb with region based
filtering in place. Worked like a champ.
> - Is extreme faulty since IP's are not original assinged to country but
> locations like Europe.
Agreed, so if you are trying to target a specific country, you may run
into problems in areas like Europe. Blocking by region is less of an
issue but you can still run into problems (like class A blocks in Asia
that are also used in Australia, etc.).
> - How you wan't to do the next step someone say i not wan't to select
> based on country bot wan't different web server
> for region's with different main language. ASIA -> UTF8/Chinese Europe
> Latin1/Frensh,German,English America => Spain/english
Actually, I'm pretty sure you could do this today with Squid. ;-)
Obviously a portion of this is "intent". If its to reduce risk, its one
thing. Banning based on color or creed is another. For example there are
Spanish people all over the world so banning based on the language
sounds like its more about discrimination rather than lowering risk.
More information about the netfilter