November 19

Linux: Blacklist a country using Firewalld

Create the blacklist:

firewall-cmd –permanent –new-ipset=blacklist –type=hash:net –option=family=inet –option=hashsize=4096 –option=maxelem=200000

  • –permanent = use to make changes to the permanent configuration –new-ipset = name of the new IP/net blacklist –type = storage hash type, “net” is for subnets, while “ip” for individual ip addresses –option=family = IPv4 or IPv6 network, inet is for IPv4 –option=hashsize = the initial hash size of the list –option=maxelem = max number of elements

Download net blocks:

tar -vxzf all-zones.tar.gz

Choose which countries you would like to block, provides net blocks by country. The above command will download all country zones together in one archive. Once extracted you should end up with various files, each named after a country, for example “” for China. I can’t tell you what to block, it all depends on what kind of service you provide and the location of your “real” requests. Personally, I run many major European sites and based on my logs, I block the following countries: ar bd bg br by cn co il in ir kp ly mn mu pa sd tw ua ro ru ve vn

After block the above countries, SPAM and hacking attempts dropped to nearly zero. Pretty much anything else comes via a European or American proxy, but that is easy to mitigate, once I file an abuse report to their network provider, the proxy is usually shut down rather quickly. While orchestrated and methodical hacks won’t be mitigated by a simple country block list, everything else will be blocked, especially spam.

Populate the blacklist:

firewall-cmd –permanent –ipset=blacklist –add-entries-from-file=./

The above command will load a country zone file to our blacklist. Make sure to change the path and filename to your chosen country zone file. You may also add individual IP addresses or net blocks by yourself, from the shell or by using a tool like fail2ban, with the following simple shell script (for example, save it as ~/bin/ban):

firewall-cmd –permanent –ipset=blacklist –add-entry=$1
firewall-cmd –ipset=blacklist –add-entry=$1

Run it like this:


Redirect the blacklist to the drop zone

firewall-cmd –permanent –zone=drop –add-source=ipset:blacklist
firewall-cmd –reload

Copyright 2021. All rights reserved.

Posted November 19, 2021 by Timothy Conrad in category "Linux

About the Author

If I were to describe myself with one word it would be, creative. I am interested in almost everything which keeps me rather busy. Here you will find some of my technical musings. Securely email me using - PGP: 4CB8 91EB 0C0A A530 3BE9 6D76 B076 96F1 6135 0A1B