September 11, 2008 6:40 pm GMT
Methods to ban whole countries on server level
by Gary Illyes
I already expressed my opinion about country bans in a previous post; now let’s look at some methods for achieving them.
With IPTables, using a bash script:
Remember that this works only under Linux, and only if IPTables is working correctly.
Instead of looking up and blocking every IP individually, we ask APNIC about a country’s allocated IPs.
The script is very simple, and I won’t bother writing a new one, as the web is full of them. The best I found is by a Certified RedHat Engineer, Sebastien Wain; it’s clean and simple. Click here to read his post, then you can follow a link to the script from his post. It would be unfair to post the link to the script directly.
When you run the script, you will have to input the code of the country you want to block. A complete list of country codes can be found here: ISO 3166 Country Codes
The output of the script is one IPTables command for each IP, which you can use later in another bash script to insert the IPs into the IPTables drop list. If you have enough time to spare, you can instead copy and paste each command into the command line.
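The following added example, which is not Sebastien Wain’s script and not code from this post, shows how the allocation records a registry such as APNIC publishes can be turned into IPTables commands. It assumes the pipe-separated delegated-statistics record format; the function names, the sample records and the XA/XB country codes are constructed for the illustration.

```bash
#!/bin/sh
# Added example: convert registry allocation records into iptables DROP commands.
# Assumed record format (RIR delegated statistics):
#   registry|cc|type|start|count|date|status
# For ipv4, "count" is a number of addresses and need not be a power of two.

# Constructed sample input: documentation ranges, user-assigned codes XA/XB.
sample_records() {
cat <<'EOF'
2|apnic|20080911|4|19830613|20080910|+1000
apnic|*|ipv4|*|3|summary
apnic|XA|ipv4|192.0.2.0|256|20080101|allocated
apnic|XB|ipv4|198.51.100.0|256|20080101|allocated
apnic|XA|ipv4|203.0.113.0|192|20080101|assigned
apnic|XA|ipv6|2001:db8::|32|20080101|allocated
EOF
}

# Usage: country_drop_rules CC < records   (prints commands, runs nothing)
country_drop_rules() {
  # Accept only a two-letter upper-case code; the output is meant for a shell.
  case $1 in [A-Z][A-Z]) ;; *) echo "bad country code" >&2; return 2 ;; esac
  awk -F'|' -v cc="$1" '
    function ip2int(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function int2ip(n) { return int(n/16777216) "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
    # Skip header, summary, ipv6 and asn lines, and anything not strictly numeric.
    $2 == cc && $3 == "ipv4" && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $5 ~ /^[0-9]+$/ {
      start = ip2int($4); left = $5 + 0
      while (left > 0) {
        # Largest power-of-two block that is aligned on start and fits in left.
        size = 1; bits = 32
        while (size*2 <= left && start % (size*2) == 0) { size *= 2; bits-- }
        printf "iptables -A INPUT -s %s/%d -j DROP\n", int2ip(start), bits
        start += size; left -= size
      }
    }'
}

# Demo on the constructed records: the 192-address record becomes a /25 plus a /26.
sample_records | country_drop_rules XA
```

Review the printed commands before feeding them to a shell, and confirm that your own address is not inside one of the listed ranges.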
Using MaxMind GeoIP or GeoLite and Server Side Code
MaxMind provides a “Lite” version of its GeoIP database for free. The difference between the two databases is that the free version is less accurate, but it is still accurate enough to be very useful, as its accuracy is still above 99%. So, download the MaxMind GeoLite database from MaxMind’s website and save it somewhere on your server. You should save it in the include path: it will be easier for you and still safe from unauthorized access. It’s a huge dat file, so it wouldn’t be fun if some hacker-kids accessed it at a rate of 2000 queries per second.
Now that you have this database on your server, write a PHP script, or any other server-side script, which checks the user’s IP against this database before it serves a page. APIs are available to ease the developers’ life.
With .htaccess
There’s an awesome online tool which can create the .htaccess file you have to place in the root of your script. The tool is called “block a country” (on a side note, quite an imaginative name) and is found under the www.blockacountry.com domain. You select from the list the IPs you want to block, then press “Go” to generate the lines you have to place in a .htaccess file.
An easier method doesn’t exist: you either use that tool, or you put every IP in the .htaccess file manually.
Other methods
I don’t think any others really exist. It’s possible to block access at the router or firewall level, at least that’s what I was told, but I admit I never tried.
Please always think before you block a whole country. You can lose traffic from legitimate users, and traffic is precious for every webmaster. Or at least, it should be precious…















