What is China's IP block area

Block china with iptables

I just logged into a GitLab server and found that 18,974 logins have failed since I last checked the server - almost 5 days. I checked the IPs and it appears almost all of them were from China and were trying to get access to SSH and brute force. I started blocking some IPs but then I realized that it was a tremendous waste of time and a better idea would be to block the whole country.

Is there a way to block ALL of China or any other country with iptables?

I found a few articles on the internet but almost all of them are bash scripts. I'm a newbie to Linux so I don't really understand all of these scripts. I find iptables really interesting and I want to know more about it.

Any ideas ? Many Thanks!


With the help of iptables, bad guys for ssh can be automatically identified with the help of the module and then blocked. The following segment must to On your generic line:

The most recent problem (over the past year or two) with China is that they have gotten very smart and very often, once they get blocked by one IP address, they just switch to another on the same subnet and keep going. This carries the risk that the default last table entries are no longer sufficient (I think the default value is 200). I monitor this and then look for the actual IP segment and permanently block the entire segment. In my case, I don't care about collateral damage, i.e. blocking someone who is innocent:

Where above:

Here you can get the entire list of IP addresses for China or any country in iptables or any other format. However, the list is surprisingly long and quite dynamic. I myself decided not to block the entire list.

China block with ipset

You can't manually add a few thousand IP addresses to your iptables, and even running it automatically is a bad idea as it can result in high CPU usage (or as I've read). Instead we can use ipset which is designed for this kind of thing. ipset processes large lists of IP addresses. You just make a list and tell iptables to use that list in a rule.

Note; I'm assuming the whole thing will be run as root. Adjust this accordingly if your system is based on sudo.

Next, I wrote a little bash script to do all the work that you should understand from the comments inside. Create a file:

Here's what you want to insert:

Save the file. Make it executable:

This hasn't done anything yet, but it will in a minute when we run the script. First we need to add a rule to iptables that references this new ipset list that defines the script above:

Add the following line:

Save the file. To be clear, my full iptables.firewall.rules now looks like this:

At the moment nothing has changed on the server as no new rules have been applied. To do this, run the script block-china.sh:

This should show output as a new list of Chinese IP addresses is being obtained. After a few seconds, the process will complete and you will be returned to a command prompt.

To test if it worked, do the following:

You should now see a new rule blocking China - the output should look like this:

Almost finished! This works and will continue to be used for reboots. However, the IP addresses change and this list will become obsolete over time. If you want to get an updated list of IPs and apply them, you can simply run the block-china.sh script again.

We can also set the machine to do this automatically via a cron job:

Add a line like this:

This will run /etc/block-china.sh every day at 5am. The user who runs the script must be root or have root privileges.


You may want to install something like fail2ban so it will block IPs that try to log into your server and fail.

You can use the Geoip module for iptables: https://linoxide.com/linux-how-to/block-ips-countries-geoip-addons/

Once our system is updated and dependencies are installed, let's now install the xtables addons on our computer. To do this, we download the latest tarball with wget from the official xtables-addons project page. Once it is downloaded we will extract the tarball, compile it and install it on our computer.

Next, we'll run a module called xt_geoip, which comes with the xtables-addons extension, which will download the GeoIP database from MaxMind and convert it to a binary form it recognizes. Once it is downloaded we will create it and move it to the desired path i.e. H.

Here is the basic syntax for using iptables with the geoip module to block traffic coming from or destined for a country. Here, instead of the country, we need to use a two-letter ISO3166 code e.g. B. USA for USA, IE for Ireland, IN for India, CN for China and so on.

They use the IP2Location Firewall List to generate iptables for China.

The file has the following format. Run it in the shell and you should be blocking all China IP addresses.

We use cookies and other tracking technologies to improve your browsing experience on our website, to show you personalized content and targeted ads, to analyze our website traffic, and to understand where our visitors are coming from.

By continuing, you consent to our use of cookies and other tracking technologies and affirm you're at least 16 years old or have consent from a parent or guardian.

You can read details in our Cookie policy and Privacy policy.