
# Block entire countries in the firewall

***

Sometimes it’s very useful to block an entire country in the firewall, for example, if you notice that a DDoS attack mainly appears to originate from a country such as China.

In Linux, it is very easy to block an entire country. This is possible because [http://ipdeny.com](http://ipdeny.com/) provides sufficiently good lists of which IP addresses belong to each region of the world. It’s worth noting that the lists are not 100% accurate, so you may end up blocking more, or less, than you intended.

If you want to see which countries are available, you can check [here](http://www.ipdeny.com/ipblocks/data/countries/) for IPv4 and [here](http://www.ipdeny.com/ipv6/ipaddresses/aggregated/) for IPv6.

There are a few different firewall tools, depending on which Linux distribution (and version) you use. Here, we cover iptables, nftables, and UFW.

{% tabs %}
{% tab title="iptables" %}
{% code title="Command" %}

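```
# Insert one DROP rule per IPv4 range in the cn list; -f stops curl from piping an HTTP error page into the loop
for i in $(curl -fsS http://www.ipdeny.com/ipblocks/data/countries/cn.zone | awk '{print $1}'); do iptables -I INPUT -s "$i" -j DROP; done
```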

{% endcode %}

The same loop for IPv6 would look like this:

{% code title="Command" %}

```
# Same loop for the aggregated IPv6 list, using ip6tables
for i in $(curl -fsS http://www.ipdeny.com/ipv6/ipaddresses/aggregated/cn-aggregated.zone | awk '{print $1}'); do ip6tables -I INPUT -s "$i" -j DROP; done
```

{% endcode %}
{% endtab %}

{% tab title="nftables" %}
{% code title="Command" %}

```
# Add one reject rule per IPv4 range to the input chain of the inet filter table
for i in $(curl -fsS http://www.ipdeny.com/ipblocks/data/countries/cn.zone | awk '{print $1}'); do nft add rule inet filter input ip saddr "$i" reject; done
```

{% endcode %}

And for IPv6 addresses, the command would look like this:

{% code title="Command" %}

```
# Same loop for the aggregated IPv6 list, matching on ip6 saddr
for i in $(curl -fsS http://www.ipdeny.com/ipv6/ipaddresses/aggregated/cn-aggregated.zone | awk '{print $1}'); do nft add rule inet filter input ip6 saddr "$i" reject; done
```

{% endcode %}
{% endtab %}

{% tab title="UFW" %}
Note that UFW isn't as fast as nftables or iptables, so it can take quite some time to block a long list of IP addresses.

{% code title="Command" %}

```
# Add one UFW deny rule per IPv4 range in the cn list
for i in $(curl -fsS http://www.ipdeny.com/ipblocks/data/countries/cn.zone | awk '{print $1}'); do ufw deny from "$i" to any; done
```

{% endcode %}

And for IPv6 addresses, the command will be:

{% code title="Command" %}

```
# Same loop for the aggregated IPv6 list
for i in $(curl -fsS http://www.ipdeny.com/ipv6/ipaddresses/aggregated/cn-aggregated.zone | awk '{print $1}'); do ufw deny from "$i" to any; done
```

{% endcode %}

{% endtab %}
{% endtabs %}
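
As an added example (not part of the original guide): for nftables, the downloaded list can be validated and loaded into a single interval set in one `nft -f` transaction, instead of adding one rule per range as the loops above do. It assumes the `inet filter` table and `input` chain used in the nftables commands above; the set name `geo_block4` and the minimum prefix length of /8 are hypothetical choices.

```shell
#!/bin/sh
# Added example, not from the original guide: build one nftables interval set
# from an ipdeny-style zone list (one IPv4 CIDR per line).
# Assumptions: table "inet filter" exists; the set name and MIN_PREFIX are
# hypothetical choices.
SET_NAME="geo_block4"
MIN_PREFIX=8   # refuse very wide ranges (e.g. 0.0.0.0/0) from a corrupted list

# Reads a zone list on stdin, prints only well-formed IPv4 CIDRs.
valid_cidrs() {
    awk -v min="$MIN_PREFIX" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            split($0, p, "/"); n = split(p[1], o, ".")
            ok = (p[2] + 0 >= min + 0 && p[2] + 0 <= 32)
            for (k = 1; k <= n; k++) if (o[k] + 0 > 255) ok = 0
            if (ok) print $0
        }'
}

# Reads a zone list on stdin, prints a script for "nft -f" (applied atomically).
zone_to_nft() {
    cidrs=$(valid_cidrs | sort -u | paste -sd, -)
    if [ -z "$cidrs" ]; then
        echo "no valid ranges, refusing to emit rules" >&2
        return 1
    fi
    printf 'add set inet filter %s { type ipv4_addr; flags interval; auto-merge; }\n' "$SET_NAME"
    printf 'flush set inet filter %s\n' "$SET_NAME"
    printf 'add element inet filter %s { %s }\n' "$SET_NAME" "$cidrs"
}

# Constructed sample input: two documentation ranges plus lines that must be dropped.
SAMPLE='192.0.2.0/24
198.51.100.0/24
0.0.0.0/0
203.0.113.0/33
<html>error page</html>
999.1.1.0/24'

printf '%s\n' "$SAMPLE" | zone_to_nft

# Real use (as root), after reviewing the generated script:
#   curl -fsS http://www.ipdeny.com/ipblocks/data/countries/cn.zone | zone_to_nft | nft -f -
#   nft add rule inet filter input ip saddr @geo_block4 reject   # add this rule once
```

Re-running the pipeline refreshes the set contents without adding further rules to the chain.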

For more information about the different firewall tools, see:

* [Set up a firewall on Debian 9 using iptables](/products/compute/guides-for-server-management/set-up-a-firewall-on-debian-9-using-iptables.md)
* [Set up a firewall on Debian 11 using nftables](/products/compute/guides-for-server-management/set-up-a-firewall-on-debian-11-or-newer-using-nftables.md)
* [Set up a firewall on Ubuntu 22.04 using UFW](/products/compute/guides-for-server-management/set-up-a-firewall-on-ubuntu-22.04-or-newer-using-ufw.md)

