{"id":21437820,"url":"https://github.com/mkorthof/ipset-country","last_synced_at":"2025-08-22T01:22:23.825Z","repository":{"id":43496835,"uuid":"213034479","full_name":"mkorthof/ipset-country","owner":"mkorthof","description":"Block countries using iptables + ipset + ipdeny.com","archived":false,"fork":false,"pushed_at":"2025-07-29T20:15:58.000Z","size":96,"stargazers_count":84,"open_issues_count":1,"forks_count":27,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-08-15T20:48:34.311Z","etag":null,"topics":["blacklist","country","countrycodes","debian","firewalld","ipdeny","ipset","iptables","linux","nft","nftables","redhat","shell-script","suse","whitelist"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mkorthof.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-10-05T16:40:24.000Z","updated_at":"2025-08-06T09:40:38.000Z","dependencies_parsed_at":"2022-08-24T02:50:38.497Z","dependency_job_id":null,"html_url":"https://github.com/mkorthof/ipset-country","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mkorthof/ipset-country","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkorthof%2Fipset-country","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkorthof%2Fipset-country/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkorthof%2Fipset-country/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkorthof%2Fipset-country/manifests","owner_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/owners/mkorthof","download_url":"https://codeload.github.com/mkorthof/ipset-country/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkorthof%2Fipset-country/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271570905,"owners_count":24782766,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-21T02:00:08.990Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blacklist","country","countrycodes","debian","firewalld","ipdeny","ipset","iptables","linux","nft","nftables","redhat","shell-script","suse","whitelist"],"created_at":"2024-11-23T00:29:28.774Z","updated_at":"2025-08-22T01:22:23.818Z","avatar_url":"https://github.com/mkorthof.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ipset-country\n\n Block or allow countries using iptables, ipset and ipdeny.com\n\n- [x] Supports RH and Debian with iptables, nftables and firewalld\n- [x] Also works with ipverse.com and other block list providers\n- [x] Both ipv4 and ipv6 are supported\n\n## Installation\n\nSetup firewall first if you have not done so yet, **at least an input chain** is needed.\n\nThen run this script manually and if all is well, add to cron (e.g. 
/etc/cron.daily) or systemd service.\n\nTo automatically setup a daily systemd [timer](https://www.freedesktop.org/software/systemd/man/latest/systemd.timer.html), run `ipset-country -i`.\n\nTo uninstall, run: `ipset-country -u`.\n\nOr to run script on boot, add it to rc (e.g. '/etc/rc.local').\n\n\u003e Running this script will add rules to your firewall. Make sure you do not lock yourself out in case of issues on a remote system.\n\n## Configuration\n\nNote that **all options** and settings are explained **in the script itself**, see [ipset-country](ipset-country)\n\nOptionally, you can use a separate config file located in the same directory as the script. To specify a custom location use `ipset-country -c /path/to/conf` (like \"/etc/ipset-country.conf\" or \"/usr/local/etc/ipset-country.conf\".)\n\nThe config file will overwrite any options set in script. To create a new conf file, run:\n\n``` bash\nsed -n '/# CONFIGURATION:/,/# END OF CONFIG/p' ipset-country \u003e ipset-country.conf\n```\n\n### Distro\n\nIf needed, change OS using `DISTRO` setting. 
Default is \"auto\", which should usually work OK.\n\nOptions are:\n- \"auto\", \"debian\" or \"redhat\"\n- \"manual\"\n  - `confdir=\"/etc/iptables\"` (example)\n  - `rulesfile=\"${confdir}/myrules\"` (example)\n\n### Countries\n\nSpecify countries to block as `\"ISOCODE,Name\"` (same as ipdeny.com), multiple entries should be separated by semicolon `;`\n\nExample:\n`COUNTRY=\"CN,China; US,United States; RU,Russia\"`\n\n### Logs\n\nIn case of issues check the log file '/var/log/ipset-country.log'.\n\nTo change log file location, set: `LOG=\"/path/to/log\"`\n\nDisable all logging: `LOG=\"/dev/null 2\u003e\u00261\"`\n\nOr, log to screen only: `LOG=\"/dev/stdout\"`\n\n## Firewalls and options\n\nSet option `FIREWALL` to: \"iptables\", \"nftables\" or \"firewalld\"\n\nDefault is \"iptables\"\n\nTo block specified Countries, set `MODE` to target \"reject\" or \"drop\"  (blacklist).\n\nTo allow specified Countries and block all others, set `MODE` to \"accept\" (whitelist).\nDefault is \"reject\".\n\n### Iptables\n\nThe script will add iptables chains, rules and sets (needs `ipset`).\n\nChange `DENY_RULENUM` to \"1\" to insert 'deny' rule at beginning of existing rules.\n\nOr, set a specific rule number (see `iptables --numeric -L INPUT --line-numbers`)\n\nDefault is 0 (add at end).\n\n### NFTables\n\nUses nft with native sets. Needs at least a table and \"input\" chain already set up.\n\nMinimal ipv4 example:\n\n```\nnft add table ip filter\nnft add chain ip filter input \\{ type filter hook input priority 0\\; \\}\n```\n\n```\ntable ip filter {\n    chain input {\n      type filter hook input priority filter; policy accept;\n      # ...\n    }\n  }\n```\n\nTo use the optional location specifier of an existing rule, set `NFT_RULE_LOC`. 
Default is empty/unset (`\"\"`), which appends.\n\nExample: `NFT_RULE_LOC=\"handle 3\"` or `NFT_RULE_LOC=\"index 5\"`\n\nSee `nft --handle list ruleset` or `man nft` for more details.\n\n### FirewallD:\n\nFirewallD does not support `LOGIPS=1` or `MODE=\"reject\"`\n\nSet `MODE` to \"drop\" or \"accept\":\n\n - if mode is \"accept\", ipset will be added to \"drop zone\" as allowed (whitelist)\n - if mode is \"drop\", ipset will be added to \"public zone\" as denied (blacklist)\n\n\u003e  There are issues with firewalld and nft on CentOS/RHEL 8 which can cause your firewall to break resulting in being locked out. Adding large ipsets apparently can take a VERY long time.\nTo abort, you need remote console access and run: `pkill firewall-cmd; nft flush ruleset`\n\n### UFW\n\n\u003e Unsupported frontend. Apparently it is possible to run both iptables and ufw and mix rules. Enable with `UFW=1` (untested).\n\n## Block list providers\n\nSet URLs for ipv4 and/or ipv6 block files, you probably do not have to change these.  \n\nBy default [ipdeny.com](https://ipdeny.com) is used\n\n```\nIPBLOCK_URL_V4=\"http://www.ipdeny.com/ipblocks/data/aggregated\"\nIPBLOCK_URL_V6=\"http://www.ipdeny.com/ipv6/ipaddresses/blocks\"\n```\n\nTo change to [ipverse](https://github.com/ipverse/rir-ip), set:\n\n```\nIPBLOCK_URL=\"https://raw.githubusercontent.com/ipverse/rir-ip/master/country\"\n```\n\nAdd argument `-f` to load unchanged zonefiles instead of skipping\n\nFor more details see inside script.\n\n## Commands\n\nUseful commands to check and clear blocked ips\n\n### ipset\n\n- `ipset list`\n- `ipset test setname \u003cip\u003e`\n- `ipset flush`\n- `ipset destroy`\n\n### nft\n\n- `nft --handle list ruleset`\n- `nft list table ip filter`\n- `nft list sets`\n- `nft list set ip filter \u003cproto\u003e-\u003ccountry\u003e`  (e.g. 
'ipv4-china')\n- `nft list chain ip filter input`\n- `nft flush set ip filter \u003cproto\u003e-\u003ccountry\u003e`\n- `nft delete set ip filter \u003cproto\u003e-\u003ccountry\u003e`\n\n## Changes\n\n- [20250729] add support for nftables\n- [20250721] add option to inject reject rule on specific rulenum (pr #22 by miathedev)\n- [20220227] fixed iptables-legacy paths (pr #16 by mainboarder)\n- [20201212] added config file option, systemd install (pr #14 by srulikuk)\n- [20201108] added flush option, fix restore=0 (pr #13 by srulikuk)\n- [20200927] fixed restore + logips bug (pr #10 by G4bbix)\n- [20200605] added Blacklist/Whitelist mode (#3)\n- [20200129] added option to DROP instead of REJECT (#1)\n- [20191116] added ipverse support, md5check option\n- [20190905] tested on debian 10 and centos 7\n- [20190905] blocking multiple countries should work\n- [20190905] it will check if INPUT chain exists in iptables\n- [20190905] cleaned it up a bit\n- [20190905] using firewalld is also supported now\n\n## Alternatives\n\nAlso available: [github.com/tokiclover/dotfiles/blob/master/bin/ips.bash](https://github.com/tokiclover/dotfiles/blob/master/bin/ips.bash)\n\n\n---\n\n_This used to be a [Gist](https://gist.github.com/mkorthof/3033ff64c4a5b4bd31336d422104d543) but was moved here instead_\n_Please do not add Gist comments, but create an issue [here](https://github.com/mkorthof/ipset-country/issues)_\n\n---","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmkorthof%2Fipset-country","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmkorthof%2Fipset-country","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmkorthof%2Fipset-country/lists"}