How To Block All Traffic From China Using iptables and ipset on Amazon Linux
erics, October 24th, 2019
All credit to Matt Wilcox for this excellent article, for which this post is based – thank you, Matt! https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables/ All commands run as root!
1 2 3 4 |
yum install -y ipset vi blockchina (see below for contents) chmod 755 blockchina ./blockchina |
Do this once only:
1 |
iptables -A INPUT -p tcp -m set --match-set china src -j DROP; service iptables save |
Then add blockchina to the root cron
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
#!/bin/sh # # blockchina # DIR=/etc # Create the ipset list ipset -N china hash:net # remove any old list that might exist from previous runs of this script rm $DIR/cn.zone # Pull the latest IP set for China wget -P $DIR http://www.ipdeny.com/ipblocks/data/countries/cn.zone # Add each IP address from the downloaded list into the ipset 'china' for i in $(cat $DIR/cn.zone ); do ipset -A china $i; done # Update iptables service iptables restart |