How To Block Traffic by Country using IPtables

http://www.linuxstall.com/block-country-iptables/

http://www.ipdeny.com/ipblocks/

http://www.ipdeny.com/ipblocks/data/countries/

#!/bin/bash

# country codes
ISO="cn it kr br ru tw af sa iq sy tr ua in jp id at ro pl bg vn hk ve th mx co ar ir cz ph eg pk"
 
# set path
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
 
$IPT-save -c > /home/iptables/iptables_bak_$(/bin/date +\%Y\%m\%d\%H\%M\%S).txt

SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
 
cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}
 
# clean old rules
cleanOldRules
 
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
# whitelist
$IPT -A INPUT -i eth0 -s 99.223.1.0/24 -j ACCEPT
$IPT -A OUTPUT -o eth0 -d 99.223.1.0/24 -j ACCEPT

$IPT -A INPUT -i lo -p all -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -d 127.0.0.0/8 -j REJECT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# create a new iptables list
$IPT -N $SPAMLIST
 
for c  in $ISO
do
	# local zone file
	tDB=$ZONEROOT/$c.zone
 
	# get fresh zone file
	$WGET -O $tDB $DLROOT/$c.zone
 
	# country specific log message
	SPAMDROPMSG="$c Country Drop"
 
	# get
	BADIPS=$(egrep -v "^#|^$" $tDB)
	for ipblock in $BADIPS
	do
	   $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
	   $IPT -A $SPAMLIST -s $ipblock -j DROP
	done
done
 
# Drop everything
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST

exit 0