

IP Blocking by Country?

By chuck.beach
We're thinking of adopting a strategy to IP whitelist or blacklist based on country. However, after reviewing the IP by country list, it appears it would not be so simple. Countries have multiple IP ranges.

Some questions:

A) Is there an easy way to block by country? (an appliance or service)
B) Has anyone had a problem with too many firewall filters slowing down a network?

Thanks much

Link for netblocks

by robo_dev In reply to IP Blocking by Country?

The above site allows you to grab the updates automatically with cron.

Unfortunately APNIC, ARIN, and LACNIC assign unallocated blocks to various countries, so it's a moving target and you need to update frequently (daily).

Assuming that you have a fairly normal router, I've never seen rule complexity cause a performance issue.

However, if you're using some SOHO Netgear router, then that may be an issue...

Country Blocker Network Security Appliance

by d_wulff In reply to IP Blocking by Country?

Creating so many iptables rules creates huge memory overhead loading all these rules as well as delay and CPU overhead while scanning all these rules for each new connection. I found an on-premise appliance that works with other firewalls and routers that allows for blanket country blocking but still granular control (i.e. allow specific IP addresses for a corporate office in China as an exception). Again, this would be for larger companies with a network admin, operating their own servers, in a network that can support an in-line appliance built to block IP addresses by country.
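
An added example, not part of the original thread or of any poster's setup: the per-rule scanning cost discussed above applies when every netblock is its own iptables rule, whereas an `ipset` `hash:net` set is matched by a single rule. The sketch below turns a per-country CIDR list into `ipset restore` input, merging adjacent blocks and carving out allowed office addresses. The set name `geoblock`, the function names and the sample zone data are assumptions made for illustration.

```python
import ipaddress

# Constructed sample zone file (documentation ranges, not real country data).
SAMPLE_ZONE = """\
# one CIDR per line
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
not-a-cidr
"""

def parse_zone(text):
    """Return valid IPv4 networks, skipping comments, blanks and junk lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            continue  # one malformed line must not abort the daily update
    return nets

def carve_exceptions(nets, exceptions):
    """Cut each allowed network out of whatever blocked network covers it."""
    for exc in map(ipaddress.IPv4Network, exceptions):
        kept = []
        for net in nets:
            if exc != net and exc.subnet_of(net):
                kept.extend(net.address_exclude(exc))
            elif not net.subnet_of(exc):
                kept.append(net)
        nets = kept
    return nets

def build_restore(zone_text, exceptions=(), live="geoblock"):
    """Return (networks, text for `ipset restore`); assumes set `live` exists."""
    nets = ipaddress.collapse_addresses(parse_zone(zone_text))
    nets = sorted(carve_exceptions(list(nets), exceptions))
    tmp = live + "-new"
    lines = [f"create {tmp} hash:net family inet"]
    lines += [f"add {tmp} {n}" for n in nets]
    lines += [f"swap {tmp} {live}", f"destroy {tmp}"]  # atomic replacement
    return nets, "\n".join(lines) + "\n"

# Load with:  ipset restore < geoblock.restore
# Match with one rule:  iptables -I INPUT -m set --match-set geoblock src -j DROP
if __name__ == "__main__":
    print(build_restore(SAMPLE_ZONE, exceptions=["203.0.113.10/32"])[1])
```

Because the new set is built under a temporary name and swapped in, the daily refresh from cron never leaves the firewall with a half-loaded list.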
