I'm using IPSet to build IP ranges for different countries as follows:
# Canada
ipset -F ca.zone
ipset -N ca.zone nethash
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/ca.zone)
do ipset -A ca.zone $IP
echo $IP
done
I'm then blocking those countries from certain ports on my server with the following iptables rules:
iptables -A INPUT -m set --match-set fr.zone src -p tcp --dport 15765 -j DROP
iptables -A INPUT -m set --match-set cn.zone src -p tcp --dport 15765 -j DROP
iptables -A INPUT -m set --match-set ca.zone src -p tcp --dport 16247 -j DROP
iptables -A INPUT -m set --match-set de.zone src -p tcp --dport 16247 -j DROP
This all works well, but I want to achieve the opposite of this for some of the ports by only allowing certain IPSet country IP ranges. For example, block all IPs apart from those inside my uk.zone and th.zone sets.
What iptables rules would I need to achieve this?
Best Answer
Reverse the presumption: allow through those that you want, then deny the rest:
(and similarly for port 16247, or try getting clever with -m multiport). Note that the order is important: the exceptions (ACCEPTs) need to come before the rule (DROP).
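As an added example, not code from the question or the answer, the following shell helper emits the allow-list the answer describes (one ACCEPT per allowed set, then a catch-all DROP for the port) for the asker's uk.zone and th.zone sets, plus a check that the ACCEPTs really precede the DROP in a rule list. The function names and the IPT variable are this example's own; by default it only prints the commands.

```bash
# Added example, not code from the question or the answer. Prints (or, with
# IPT=iptables, applies) an allow-list for one TCP port: ACCEPT for each named
# ipset, then a catch-all DROP. Set names uk.zone/th.zone come from the question;
# the function names and the IPT variable are this example's own.
IPT="${IPT:-echo iptables}"   # default is a dry run: print the commands

allowlist_rules() {
    port="$1"; shift
    [ $# -ge 1 ] || { echo "allowlist_rules: need at least one set" >&2; return 1; }
    for zone in "$@"; do
        # Exceptions first: a packet from an allowed set is accepted here
        # and never reaches the DROP below. $IPT is unquoted on purpose.
        $IPT -A INPUT -p tcp --dport "$port" -m set --match-set "$zone" src -j ACCEPT
    done
    # Catch-all last: no set match, so everything else on this port is dropped.
    $IPT -A INPUT -p tcp --dport "$port" -j DROP
}

# Same policy for several ports at once, using the -m multiport hint from the answer.
allowlist_rules_multiport() {
    ports="$1"; shift           # comma-separated, e.g. 15765,16247
    for zone in "$@"; do
        $IPT -A INPUT -p tcp -m multiport --dports "$ports" -m set --match-set "$zone" src -j ACCEPT
    done
    $IPT -A INPUT -p tcp -m multiport --dports "$ports" -j DROP
}

# Ordering check over a rule list on stdin (the dry-run output above, or
# `iptables -S INPUT`): exit 1 if a port's set-less DROP precedes any of its
# set-matching ACCEPT rules. Looks at single --dport rules only.
check_order() {
    awk '
        /-j ACCEPT/ && /--match-set/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport" && seen_drop[$(i+1)]) bad = 1
        }
        /-j DROP/ && !/--match-set/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") seen_drop[$(i+1)] = 1
        }
        END { exit bad }
    '
}
```

Review the printed rules first, then rerun with IPT=iptables to apply them; a DROP inserted ahead of its ACCEPTs (which check_order flags) would also cut off the allowed countries.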