[Howto] Easy Blocking IPs


Hvu
08-28-2005, 12:49 PM
This generates all the IP ranges you need to block certain countries. I use it to block Hong Kong from my servers as they send the most spam (:

1. Go to http://blacklist.linuxadmin.org

2. Select the country you want to block

3. Select the port you want to block

4. Copy and paste into SSH

5. Watch them get blocked :D

Fred
08-28-2005, 01:56 PM
I would like to know if it can slow your VPS to have a big iptables db?

For example, if we block port 25 for all of these countries... that will make a very big list. Will it cause a lot of resource usage or slow the VPS?

vps-vince
08-28-2005, 05:52 PM
That is indeed a big list, and I have the same concerns as Fred.
Can you not just block a whole country with one entry somewhere?
I thought some Web sites are set up this way to deny certain countries from viewing their content?

- Vince

Fred
08-28-2005, 06:47 PM
I don't think blocking a country is possible...
You could block .uk to block UK servers that have a .uk extension... but what about servers in the UK that have a .com, .net, .whatever... and I'm not even sure iptables is able to resolve before it acts...

I think the only way we have to block a country is to block all the IP ranges... and keep the list updated... (probably by a cron job every month or even week?)
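An added example, not part of the original thread: one way to keep the rule count down and make a periodic cron refresh safe is to validate the downloaded ranges, merge adjacent and overlapping ones, and refill a dedicated chain instead of appending to INPUT each time. The chain name `COUNTRYBLOCK` is hypothetical and the sample ranges are constructed documentation addresses; the script only prints the iptables commands, it does not run them.

```python
import ipaddress

# Constructed sample input: documentation ranges (RFC 5737) standing in for a
# downloaded country list, including overlaps and one malformed line.
SAMPLE_RANGES = """
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26   # already covered by the /24 above
192.0.2.0/24
not-a-cidr
"""

CHAIN = "COUNTRYBLOCK"  # hypothetical chain name (assumption)


def parse_ranges(text):
    """Return valid IPv4 networks; skip blanks, comments and malformed lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # never pass unvalidated text into a shell command
        if net.version == 4:
            nets.append(net)
    return nets


def build_rules(text, port):
    """Collapse the ranges and return iptables commands that refill CHAIN."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    merged = list(ipaddress.collapse_addresses(parse_ranges(text)))
    cmds = [f"iptables -N {CHAIN} 2>/dev/null || true",
            f"iptables -F {CHAIN}"]  # flush so stale ranges do not pile up
    cmds += [f"iptables -A {CHAIN} -s {net} -p tcp --dport {port} -j DROP"
             for net in merged]
    # Hook the chain into INPUT only once, so a cron re-run adds no duplicates.
    cmds.append(f"iptables -C INPUT -j {CHAIN} 2>/dev/null || "
                f"iptables -I INPUT -j {CHAIN}")
    return merged, cmds


if __name__ == "__main__":
    merged, cmds = build_rules(SAMPLE_RANGES, 25)
    print(f"# {len(merged)} rules after merging")
    print("\n".join(cmds))
```
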

vps-vince
08-28-2005, 07:09 PM
What about "Geo-Targeting".
http://www.ip-to-country.com

- V

Hvu
08-28-2005, 09:27 PM
You can integrate that into your scripts but you would need to use a paid database to keep it updated with IP range changes. We tried one of those databases but it didn't work well for us so we just took it out altogether.

Fred
08-30-2005, 10:45 PM
I think I'll try with two or three countries... China, Hong Kong... at least...

Starchild
08-31-2005, 01:42 AM
In my opinion that's a seriously bad idea. Apart from being discriminating and a bad business practice which your clients would not appreciate (unless you have a personal site), it's also completely useless as I would think it's trivial to go past the filter using a simple (or complex) anon proxy.

Zaf
08-31-2005, 05:09 AM
"it's trivial to go past the filter using a simple (or complex) anon proxy."

Ditto.....

Carlos Camacho
12-08-2005, 04:04 AM
I take it you are blocking the IPs due to spam? I've always thought that what I wanted was to simply block based on character encoding (of the email). If I block "big-5" (one of the two Chinese encoding systems), my life would be much better. ;)

Anyone do this?