Web Hosting Info

The IP to Country Database

  Forum Topics : Support / Blocking or allowing a specific country in iptables.
Submitted by nelg on Mon, 10/06/2003 - 06:04.
Hi,

This database appears to be mostly used for web applications to look up the country of a user, I am setting up an FTP server, and want to use IP tables to only allow connections from my country. It would be ideal if I could make IPtables query the database, based on the connection IP, and then allow or deny.

Anyone here know of any way to do what I want?
Thanks
Glen
I dont know how to do exactly
Posted by strummer on Fri, 10/17/2003 - 09:53.
I don't know how to do exactly what you want and taking a look at freshmeat.net might be a good idea. I had a tentative look and could not find something specific. You might be able to do something with a project that monitors iptables logs and is able to call another process. Another idea might be to use a transparent proxy that stores its acls in a database. I think squid 2.5 can do this for http acls but not sure about ftp.

However, personally I don't think that it would be a good idea to dynamically and transparently block ip addresses and be in a situation where you just update the ip2country db. I think that there would just be too much to go wrong and really would put a lot of reliance on the ip ranges being correct. There would of course be other issues such as possible DOS attacks (though technically addresses would be blocked anyway) and that your iptables will exponentially grow, so consuming more and more kernel memory.

A couple of ideas:
i) Ascertain what ip ranges you want to accept and deny everything else (which is probably the last rule anyhow), adding these ranges to your firewall script. This could probably be scripted and I think you could do this directly from the csv file.
ii) As I am sure you are aware ftp daemons have their own acls, maybe here would be a place to do something like above and leave it out of iptables completely.

Cheers, and if you find something or implement something I would be very interested to know how you went about it ;)
 
What I did
Posted by nelg on Fri, 10/31/2003 - 04:32.
Hi,

What I ended up doing was getting all the IP address ranges for the country I wanted to allow and then scripting them into my IPtables start file. It now loads quite a large rule set, however, seems to handle it just fine.

I have also been looking at writing a kernel module that works as a firewall to filter by country. Probably still will, as it works nicely with IP tables. The downside of a kernel module is, however, that it has to be right, or it can affect stability. The other option I have been thinking of is actually writing a nice perl script that will help other users allow/deny countries for whatever ports they wish in IP tables.

If you want more details of what I've done, ICQ me. 30763645
 
Ip addresses for countries
Posted by aliciap on Mon, 05/10/2004 - 18:53.
Hi,


CAN YOU TELL ME HOW YOU WENT ABOUT GETTING THE IP ADDRESSES FOR THE COUNTRIES? I TRIED SEVERAL WEB SITES BUT HAVE NOT BEEN SUCCESSFUL
 
I didn't understand ur comment??¡
Posted by jalanis on Tue, 05/11/2004 - 15:41.
aliciap, sorry i just did not understand ur comment... could u be more specific?

... jalanis
 
Thanks for responding, Wha
Posted by aliciap on Tue, 05/11/2004 - 18:37.
Thanks for responding,

What I'm trying to do is get ip addresses for certain countries to have them blocked. Is there a website or any other resource to gather this type of info?
 
Yeah me too i'm tryin to g
Posted by matt76 on Sat, 11/27/2004 - 08:45.
yeah me too

i'm tryin to get the whole of CHINA blocked off

should it be simpler?

however i need to convert the dotted ips to normal ip.

any idea how to do it?
 
You might want to check out t
Posted by Maurice Randall on Thu, 03/23/2006 - 22:03.
You might want to check out the message I left in another thread:

Block Entire Countries using ip-to-country.

The programs I wrote for doing this can be downloaded from my website at FixingTheWeb.com.

-Maurice

--------------------------
FixingTheWeb.com
Country range to add to .htaccess
Posted by Dennis85032 on Sat, 10/08/2005 - 18:03.
I run a dating site, just for specific parts of the U.S. and want to block out all other countries. Could I not just obtain the dot block range for the U.S. and add that to my .htaccess file?

If so, where would I get the dot range for the U.S.?

Thanks
Dennis
 
This would make a very very l
Posted by D_A on Sat, 10/08/2005 - 19:39.
This would make a very very long list and .htaccess file.
Browsing the records in the database will give you an idea.
You can delete from the database all the countries except the United States and then compare your visitor's IP with the ranges in your database. If not in your database (or not in the US) send a 403 or any other header.
Relying on the IP is not a good idea : AOL users from anywhere will be located as in the US, some small countries (Asian Pacific) sell some blocks of IPs or forward US requests, some proxies, some ISPs, some large companies will use proxies located elsewhere...
 
Thanks D_A, I have been ge
Posted by Dennis85032 on Sat, 10/08/2005 - 20:06.
Thanks D_A,

I have been getting bogus hits from Senegal: 196.201.65.246, 196.201.93.239, 196.207.198.54, 196.207.198.87. When I searched those numbers, they came up as unknown.

I still don't understand how to take the csv database and convert the numericals to the dot ip. Is there a discussion that has been posted that covers it for the Brain Dead??? :o(
 
Most African IP blocks are un
Posted by D_A on Sun, 10/09/2005 - 07:47.
Most African IP blocks are unknown (AfriNIC) as well as many Pacific ones.
For examples of code to get the country, convert numbers, have a look there :
http://ip-to-country.webhosting.info/node/view/118
You may also visit
http://d1.a.free.fr/en/how_to.php
http://d1.a.free.fr/en/ip-to-country.php
 
Read On about Converting IP to IP Number and vice versa
Posted by TheJohnDoe2005 on Mon, 10/10/2005 - 04:45.
"I still don't understand how to take the csv database and convert the numericals to the dot ip. Is there a discussion that has been posted that covers it for the Brain Dead??? :o( " Quoted from Dennis85032

Do you mean converting IP Numbers to IP Address? Here is the extract from the website www.hackingspirits

For example, if IP address is "202.186.13.4", then its IP Number "3401190660" is based on the Formula 1.

IP Address = 202.186.13.4

So, w = 202, x = 186, y = 13 and z = 4

IP Number = 16777216*202 + 65536*186 + 256*13 + 4
= 3388997632 + 12189696 + 3328 + 4
= 3401190660

To reverse IP number to IP address,

w = int ( IP Number / 16777216 ) % 256
x = int ( IP Number / 65536 ) % 256
y = int ( IP Number / 256 ) % 256
z = int ( IP Number ) % 256

where % is the mod operator and int returns the integer part of the division.

Just convert the formula to a function and that should be it. If you want I could post a simple example using php on the conversion. But I don't think it's necessary as this is very simple...

Hacking Spirits Article Link
 
More Information about IP
Posted by TheJohnDoe2005 on Mon, 10/10/2005 - 04:52.
Trace who owns the IP address
Every computer hooked on to the internet is assigned an IP address. Individual users possess a dynamic IP address when they log on to any ISP to access the internet. These IP addresses are assigned by the ISP itself. Organizations usually possess a static/public IP address, which is stored in a database of registries.

There are three major registries covering different parts of the world. They are

www.arin.net => American Registry of Internet Numbers (ARIN) : It assigns IP addresses for the Americas and for sub Saharan Africa.

www.apnic.net => Asia Pacific Network Information Centre (APNIC) : It covers Asia

www.ripe.net => Réseaux IP Européens (RIPE NCC) : It covers Europe

Hope this information will help you understand better....
Converting to Peer Guardian IP Blocker Format ??
Posted by chuckenheimer on Fri, 10/14/2005 - 05:25.
Might someone help this newbie navigate?

I haven't found yet how to reformat the IP list to that which will work with Peer Guardian IP blocking software. Is there something to help me do this?

Thanks!
 
[re]Converting to Peer Guardian IP Blocker Format ??
Posted by carlop on Mon, 01/09/2006 - 09:18.
Hi, basically, you have two list formats in Peer Guardian: binary or text. Of course, using the text format (for export or import) is more suitable for a human. This text format is really simple:
aRangeDesc:addressRangeStart-addressRangeEnd

example: (inetnum range is fictive, use a real range)
A range I wana block :66.125.100.0-66.125.100.255
You can set block or allow in Peer Guardian when importing a list. BTW, if you want, for example, to block a whole country using the CSV file provided here, you can do (in Windows cmd line mode) a:
find /I "TheCountry" XXX.csv > CountryF.txt
(Open the CSV file to have a correct expression filter.) Then you can use Excel to import (and not open) this .txt file and easily delete (or add) columns you (don't) want. Later use:
whois "address"
to find a proper description for a given address range.
In PeerGuardian, you can set aRangeDesc to, for example, undefined for a preliminary use. Sorry for my English :)
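
Added example (not part of any post in this thread, and not code from the ip-to-country project or PeerGuardian): a Python script that applies the number/dotted conversion formula quoted above to CSV rows, then emits iptables allow rules as CIDR blocks and PeerGuardian text lines. The CSV column layout, the sample rows and every function name are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample rows (country assignments are not real data). Assumed
# columns: start number, end number, 2-letter code, 3-letter code, name.
SAMPLE_CSV = '''"3401190400","3401191039","MY","MYS","MALAYSIA"
"1115513856","1115514111","US","USA","UNITED STATES"
"3401191424","3401191679","MY","MYS","MALAYSIA"
'''

def ip_to_number(dotted):
    """w.x.y.z -> 16777216*w + 65536*x + 256*y + z."""
    w, x, y, z = (int(p) for p in dotted.split("."))
    if not all(0 <= p <= 255 for p in (w, x, y, z)):
        raise ValueError("octet out of range: " + dotted)
    return 16777216 * w + 65536 * x + 256 * y + z

def number_to_ip(n):
    """Reverse formula: int(n / divisor) % 256 for each octet."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IP number: %r" % n)
    return ".".join(str((n // d) % 256) for d in (16777216, 65536, 256, 1))

def country_ranges(csv_text, code):
    """Yield (start, end) dotted pairs for rows matching the 2-letter code."""
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 3 and row[2].upper() == code.upper():
            yield number_to_ip(int(row[0])), number_to_ip(int(row[1]))

def to_cidrs(start, end):
    """Split an arbitrary start-end range into the CIDR blocks covering it."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def iptables_allow_rules(csv_text, code, port=21):
    """Accept the country's blocks on one TCP port, then drop everything else."""
    rules = ["iptables -A INPUT -p tcp --dport %d -s %s -j ACCEPT" % (port, c)
             for s, e in country_ranges(csv_text, code) for c in to_cidrs(s, e)]
    rules.append("iptables -A INPUT -p tcp --dport %d -j DROP" % port)
    return rules

def peerguardian_lines(csv_text, code, desc="undefined"):
    """aRangeDesc:addressRangeStart-addressRangeEnd, one line per CSV row."""
    return ["%s:%s-%s" % (desc, s, e) for s, e in country_ranges(csv_text, code)]

if __name__ == "__main__":
    print("\n".join(iptables_allow_rules(SAMPLE_CSV, "MY")
                    + peerguardian_lines(SAMPLE_CSV, "US")))
```

The generated rules cover only the port given (21, the FTP control port, by default); FTP data connections still need their own connection-tracking rules.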
Country Ranges
Posted by McAfee on Mon, 01/09/2006 - 19:22.
The best way to remove or limit the service to a specific country, is by using the ip-to-country in pretty much the traditional way. And then using a comparison with the resulting country.

By traditional I mean: Using a server side script (like PHP, etc.). And then querying a database (like MySQL, etc.)

You could then, within that page, compare the CountryCode2 with a list of allowed or disallowed countries. This could be an array, or whatever is easier for you. That comparison will then filter the output as desired.

The advantage of this method is that you can quickly update the valid ranges by simply updating the database. You won't have to manually go over a list of rules. The disadvantage is that it requires server-side scripting, which sometimes is not available.

If you want to hardcode the ranges into your application, the following website will provide the list of ranges per country:

http://mcafee.servegame.com/download/country.php