Reverse IP geolocation. This page lets you choose one or more countries by ISO code or by country name and produces a list of IP blocks, with optional prefix and postfix text, to create iptables blacklist or whitelist ruleset shell scripts that can be source'd into your firewall setup script. Try one of the options under examples to see how this works.

select countries

select country by iso code

Comma separated entries (au, nz):

and/or

select country from list

Use Ctrl or Shift for multiple selections:

Database updated:

output formatting

examples

Blacklist: drop traffic
Whitelist: accept traffic

configure output list

Comment:

IP range select:

IP range target:

form notes

Query form to enter country names and automagically produce a list of IP block ranges for use with firewall filters, in particular Linux iptables.

select country by iso code
For example, AU for Australia. Entries are case insensitive and must have a comma between each entry; bad entries will be removed by the server.
select country names from list
Select by country name when you don't have the country code. Use the Ctrl key to make multiple selections. Country names selected are added to the country codes entered on the line above, and duplicates will be removed by the server.
comment
This text will appear in the output file header. Size is limited to one line of text.
IP range select
This is the iptables command to select the IP address range. You need to choose the INPUT or FORWARD incoming chain; try the examples for an indication of acceptable format.
IP range target
What to do with traffic matching the range, typically '-j target' where target may be DROP, REJECT, ACCEPT, or a logging target as described in the next section.

add iptables logging

Add logging to the list generated by this form by using a custom iptables chain that logs and then drops, rejects or accepts traffic matching the country IP range list created above, as in this example:

output formatting
IP range select: iptables -A INPUT -m iprange --src-range
IP range target: -j log_okay
firewall rules
iptables -N log_okay
iptables -A log_okay -j LOG --log-level info --log-prefix "AI okay "
iptables -A log_okay -j ACCEPT
iptables -A INPUT -m iprange --src-range 204.14.248.0-204.14.255.255     -j log_okay
iptables -A INPUT -m iprange --src-range 208.66.48.0-208.66.55.255       -j log_okay

filter by country with iptables

cidr vs iprange
This tool merges contiguous CIDR blocks to form IP ranges, which greatly reduces the number of rules needed to filter a particular country. A summary of the merge process is given at the end of the output iprange list. How many lines may be saved by merging CIDRs? The summary given by this tool's output iprange list for 'AU' is:
# matched: 5906, merged: 4627, listed: 1279, 0.825% IPv4 space
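The merge step described above, as an added example that is not this tool's own code: it turns CIDR blocks into iprange pairs and wraps them in the 'IP range select' and 'IP range target' text from the form. The function names, the SAMPLE list (constructed, not registry data) and the summary layout are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample input (not registry data): adjacent, overlapping and isolated blocks.
SAMPLE = ["204.14.248.0/22", "204.14.252.0/22", "208.66.48.0/21",
          "198.18.1.0/24", "198.18.2.0/24", "198.18.2.128/25"]

def merge_cidrs(cidrs):
    """Merge overlapping or touching IPv4 CIDR blocks into (first, last) ranges.

    IPv4Network raises ValueError on malformed input or set host bits, so a bad
    entry stops the run instead of ending up in a firewall script.
    """
    nets = sorted((ipaddress.IPv4Network(c) for c in cidrs),
                  key=lambda n: int(n.network_address))
    ranges = []
    for net in nets:
        first, last = int(net.network_address), int(net.broadcast_address)
        if ranges and first <= ranges[-1][1] + 1:
            ranges[-1][1] = max(ranges[-1][1], last)   # extend previous range
        else:
            ranges.append([first, last])               # gap: start a new range
    return [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in ranges]

def collapsed_count(cidrs):
    """Rules needed if the list stays CIDR-only (aligned supernets only)."""
    return len(list(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(c) for c in cidrs)))

def render_rules(ranges, select, target):
    """Wrap each range in the 'IP range select' prefix and 'IP range target' suffix."""
    return [f"{select} {a}-{b} {target}" for a, b in ranges]

def summary(cidrs, ranges):
    """Summary line modelled on the one quoted above (layout is an assumption)."""
    covered = sum(int(b) - int(a) + 1 for a, b in ranges)
    return (f"# matched: {len(cidrs)}, merged: {len(cidrs) - len(ranges)}, "
            f"listed: {len(ranges)}, {covered / 2**32 * 100:.3f}% IPv4 space")

if __name__ == "__main__":
    merged = merge_cidrs(SAMPLE)
    for rule in render_rules(merged, "iptables -A INPUT -m iprange --src-range",
                             "-j log_okay"):
        print(rule)
    print(summary(SAMPLE, merged))
    print(f"# CIDR-only rules for the same input: {collapsed_count(SAMPLE)}")
```

The two adjacent /24 blocks at 198.18.1.0 and 198.18.2.0 do not share an aligned /23, so a CIDR-only list needs four rules where the iprange list needs three.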
using the iprange list
Download the output file, gunzip it and rename it to something meaningful to yourself, then include the iprange list filename in your iptables setup shell script with the source command. This tool may also be used to create black/white lists for other firewalls, if they accept an iprange pair separated with a '-'. Please notify the author if an option for a different character is required.
odd looking output filename?
The server may be delivering concurrent results to different clients; to prevent interaction, the server creates a unique name for each output file. These files are automatically purged from the server when they are more than 48 hours old. The filename in the address bar is symlinked to the cc2ip.*.gz file, allowing transmission of compressed text to your browser. Some browsers (e.g. Konqueror) may offer to open the text file in an editor for viewing.
for linux 2.4 users
You need netfilter patch-o-matic to get the iptables iprange feature.

data sources

Data is sourced from the AfriNIC, APNIC, ARIN, IANA and LACNIC registries for IP block allocations and from iso.org for the country names/codes. Note that cross-border allocations by registries do occur, and thus the country information presented in the result page may contain apparent errors.

license

This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Australia License.