

How to Block a Country using CSF Firewall on Linux

One of the best Linux firewalls I’ve ever used is ConfigServer Firewall (aka CSF), developed by configserver.com. CSF is not just a simple iptables firewall; it is a complete security suite that can turn your server into a robust firewall and intrusion detection system (IDS). In this tutorial we will take a look at how to block an entire country using the csf firewall.

One of the most exciting options this firewall has is the ability to block entire countries. Let’s take a look at what the firewall documentation says:

###############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

So, in order to block a specific country, you just need to add the country code to the CC_DENY variable. For example, if you want to block all traffic from China (one of the top attacker countries in the world), you should set:

CC_DENY = "CN"

If you want to deny multiple countries, just add the additional country codes, comma separated, for example:

CC_DENY = "CN,US"

In this case, you are blocking all traffic from China and United States.

Once you have made the changes, restart the csf firewall and lfd using:

csf -r && service lfd restart
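The steps above are an edit of a single line in csf.conf followed by a restart, which is easy to get wrong by hand (a lowercase code, a stray comma, or a country listed in both CC_ALLOW and CC_DENY, where CC_ALLOW wins and opens every port). The following POSIX shell script is an added example, not part of the original post and not code from ConfigServer: it validates the code list, refuses a code that is already in CC_ALLOW, backs up the file and rewrites only the CC_DENY line. The file path, the sample csf.conf fragment and the function names are all assumptions constructed for the demonstration; on a real server you would point it at /etc/csf/csf.conf and then run the restart command shown above.

```shell
#!/bin/sh
# Added example (not from the original post or from ConfigServer).
# Assumes the KEY = "value" line format shown in the csf.conf excerpt above.

# Return 0 if every comma-separated element is exactly two uppercase
# letters (ISO 3166-1 alpha-2), 1 otherwise. Empty list and empty
# elements ("CN,,US") are rejected.
validate_cc_list() {
    list="$1"
    [ -n "$list" ] || return 1
    old_ifs="$IFS"; IFS=','
    for cc in $list; do
        if ! printf '%s' "$cc" | LC_ALL=C grep -Eq '^[A-Z]{2}$'; then
            IFS="$old_ifs"; return 1
        fi
    done
    IFS="$old_ifs"
    return 0
}

# Print the value of KEY = "value" from a csf.conf-style file (first match).
get_cc_value() {
    conf="$1"; key="$2"
    sed -n "s/^$key = \"\(.*\)\"\$/\1/p" "$conf" | head -n 1
}

# Rewrite the CC_DENY line after validating the list and checking that
# no code is also present in CC_ALLOW (CC_ALLOW opens all ports, so a code
# in both settings would silently defeat the deny). A .bak copy is kept.
set_cc_deny() {
    conf="$1"; list="$2"
    validate_cc_list "$list" || { echo "invalid country code list: $list" >&2; return 1; }
    allow=$(get_cc_value "$conf" CC_ALLOW)
    old_ifs="$IFS"; IFS=','
    for cc in $list; do
        case ",$allow," in
            *",$cc,"*) IFS="$old_ifs"; echo "$cc is in CC_ALLOW as well as CC_DENY" >&2; return 1 ;;
        esac
    done
    IFS="$old_ifs"
    cp "$conf" "$conf.bak"
    # Portable in-place edit: write to a temp file, then move it over the original.
    sed "s/^CC_DENY = \".*\"\$/CC_DENY = \"$list\"/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed csf.conf fragment for the demonstration (not a real server file).
make_sample_conf() {
    cat > "$1" <<'EOF'
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = "GB"
EOF
}

# Demonstration on the constructed sample. On a real host the path would be
# /etc/csf/csf.conf, followed by: csf -r && service lfd restart
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
set_cc_deny "$demo_conf" "CN,US"
echo "CC_DENY is now: $(get_cc_value "$demo_conf" CC_DENY)"
rm -f "$demo_conf" "$demo_conf.bak"
```

The CC_ALLOW cross-check is the part worth keeping even if you edit the file by hand: the csf documentation quoted above warns that CC_ALLOW opens every port, so a country that ends up in both lists is allowed, not denied.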

This country blocking option should be used with care because:

  1. You can ban legitimate traffic from your customers located in the blocked country.
  2. You can block search engine bots (GoogleBot) operating from different datacenters around the world.
  3. If your server doesn’t have enough resources and a good network connection, it can take several minutes to load all the blocked ranges.

Enjoy 😀


Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking

  • Zabidin

    Country block is not working 99%. It’s almost 90% only. Some of the IPs need to be blocked manually.

    • Esteban Borges

      Depends on the country I guess, with China and other large network countries it may be 90%. I’ve tested this with a few countries from Europe, Asia and Africa and works really great.

  • Moviehdmax

    Thanks for introducing the nice tool.