I have tried set the script on about a dozen machines, most work, but on a few I get this error
...
COMMIT
===== /sbin/iptables-restore =====
iptables-restore: line 42189 failed

Rules update failed: exit code 1 at line 0

This error seems a bit vague, is it known?
The line number varies between machines.

using ubuntu 18.04LTS
`:~# systemctl status BlockCountries.service
● BlockCountries.service - LSB: start and stop BlockCountries
Loaded: loaded (/etc/init.d/BlockCountries; generated)
Active: failed (Result: exit-code) since Tue 2019-07-23 18:45:16 BST; 2h 31min ago
Docs: man:systemd-sysv-generator(8)

Jul 23 18:45:02 mmg systemd[1]: Starting LSB: start and stop BlockCountries...
Jul 23 18:45:16 mmg BlockCountries[3980]: Can't return outside a subroutine at /etc/init.d/BlockCountries line 750.
Jul 23 18:45:16 mmg BlockCountries[3980]: /sbin/ip6tables: exit code 3
Jul 23 18:45:16 mmg systemd[1]: BlockCountries.service: Control process exited, code=exited status=3
Jul 23 18:45:16 mmg systemd[1]: BlockCountries.service: Failed with result 'exit-code'.
Jul 23 18:45:16 mmg systemd[1]: Failed to start LSB: start and stop BlockCountries.`

./BlockCountries start -update
Starting blocked countries IP filter:
No new IP data available from lacnic
No new IP data available from afrinic
No new IP data available from apnic
Unable to fetch IP zone data from arin: 404 - File 'delegated-arin-extended-latest' not found

• Attempted: ftp://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
  No new IP data available from ripe
  Can't open /root/blockips/arin.rdb: No such file or directo[ FAILED ]

I'm having a problem where countries which should be blocked are not, and countries tthat are not blocked are being blocked. I took a look at the other thread, so I'll post my findings here:
Syntax: ./etc/init.d/BlockCountries start -update -permitonly

Results from running BlockCountries status -v:

Blocked countries IPV4(Input) & IPV6(Input) filter is running and configured to block:
 ar - Argentina
 at - Austria
 au - Australia
 aw - Aruba
 be - Belgium
 bg - Bulgaria
 bm - Bermuda
 bo - Bolivia (Plurinational State of)
 br - Brazil
 bs - Bahamas
 ca - Canada
 ch - Switzerland
 cl - Chile
 co - Colombia
 cr - Costa Rica
 cu - Cuba
 cz - Czech Republic
 de - Germany
 dk - Denmark
 fi - Finland
 fr - France
 gb - United Kingdom of Great Britain and Northern Ireland
 gl - Greenland
 hn - Honduras
 ie - Ireland
 is - Iceland
 it - Italy
 jm - Jamaica
 mx - Mexico
 nz - New Zealand
 pe - Peru
 pr - Puerto Rico
 us - United States of America
 vg - Virgin Islands (British)
 vi - Virgin Islands (U.S.)

This is a bit concerning since I've set it to only permit these countries. I'm assuming this is just a typo in the programming, and it doesn't affect functionality. As you will see, it does block the majority of IPs correctly:

Intercepts by host IP:
??: 14.192.203.159 udp-7747(1)
??: 37.139.9.72 icmp-8(1)
??: 37.235.52.10 icmp-8(6)
??: 37.235.55.22 icmp-8(3)
??: 43.254.144.130 icmp-8(1)
??: 46.108.39.10 icmp-8(3)
??: 46.108.39.44 icmp-8(4)
??: 46.246.93.113 icmp-8(4)
??: 58.140.209.54 tcp-23(1)
??: 60.190.227.93 tcp-3389(1)
??: 61.63.13.93 tcp-445(3)
??: 77.211.39.188 tcp-445(2)
??: 80.82.78.8 tcp-5902(1)
??: 80.82.79.39 tcp-22(1)
??: 80.92.66.63 icmp-8(10)
??: 81.4.125.158 icmp-8(1)
??: 81.214.191.86 udp-53413(3)
??: 88.82.108.108 icmp-8(1)
??: 93.174.93.181 udp-53413(2)
??: 94.102.48.195 tcp-993(1)
??: 95.142.107.181 icmp-8(1)
??: 103.231.41.78 icmp-8(1)
??: 103.250.185.220 icmp-8(1)
??: 110.50.243.6 icmp-8(1)
??: 115.69.210.216 tcp-445(2)
??: 117.121.240.36 icmp-8(6)
??: 117.131.214.53 icmp-8(1)
??: 117.212.97.171 tcp-445(2)
??: 118.97.184.196 tcp-445(2)
??: 119.199.119.27 udp-53413(2)
??: 119.235.248.9 icmp-8(1)
??: 122.95.45.122 tcp-23(1)
??: 123.201.143.186 tcp-445(2)
??: 124.248.221.28 icmp-8(1)
??: 125.212.217.85 tcp-445(2)
??: 150.70.173.43 tcp-80(1)
??: 150.70.188.167 tcp-80(3)
??: 150.70.188.171 tcp-80(3)
??: 158.255.208.31 icmp-8(4)
??: 178.187.51.37 tcp-23(1)
??: 183.238.2.246 tcp-445(1)
??: 185.65.204.169 icmp-8(4)
??: 185.94.111.1 udp-111(1) udp-520(1)
??: 188.42.136.164 tcp-22(1)
??: 192.165.67.112 icmp-8(1)
??: 192.228.135.199 tcp-23(1)
??: 194.63.140.74 tcp-22(2)
??: 194.135.92.226 icmp-8(1)
??: 195.211.154.180 tcp-21320(1)
??: 195.248.226.250 icmp-8(3)
??: 210.212.98.235 tcp-3306(1)
??: 212.7.218.71 icmp-8(1)
??: 213.8.103.187 icmp-8(1)
??: 213.183.56.111 icmp-8(4)
??: 218.77.79.38 tcp-110(1) tcp-82(1)
??: 220.132.69.115 udp-53413(2)
Intercepts by country:
       116 ??

I can't seem to find it now, but earlier I saw an Italian server from Milan added to the banlist. Conversely, a server from Signapore was not banned.

I'm led to believe this is not your fault, since it appears the program is working, it just uses incorrect IP address blocks. Could you tell me how to correct this?

Also, I can still ping these addresses. Does it only block incomming traffic? Is that what the blockout param is for? Kind of makes sense

Thanks for a wonderful script!

hi,

when checking the iptables -L i see this in the output:

LOG all -- anywhere anywhere limit: avg 1/min burst 10 LOG level warning prefix "[Blocked CC]: "

hi,

so glad to see this project to alive an active, and my question is regards to the logs files.
your script is set as var/log/messages* but I changed mine to use var/log/BlockCountries/BlockCountries*

but their is not data yet, is that ok? would I also need to create the file itself in the location? for example BlockCountries.log?
And also what permissions control should the folder have, is root:root ok?

thanks

Hey there.

Thanks for this project, it's a great help and has reduced malicious traffic for us.

Would it be possible to do the inverse, namely whitelist one ore more country/countries and block everything else?

Thanks,
Martin

The code for recent releases was visible, but the tags weren't.

Fixed. Latest Release is V2.6.

hi im using ubuntu 12.04, please output example paths etc. you used for setup and state your OS.
$CFGFILE - This is where the configuration file lives

$ZONEDIR - This is where the files that define IP assignments live. It should
be a dedicated directory, must exist and must be writable by the
cron job.
$LOG - The syslog file containing iptables log entries. Wildcard if
logrotation occurs.

$LOGPFX - The prefix to be written by IPtables when logging a rejection.
$LOGPGM - The program to be credited with writing the log entry

thanks

I tried to run BlockCountries in a debian 7 server.

Starting blocked countries IP filter:
Updated IP zone data from apnic
Updated IP zone data from lacnic
Updated IP zone data from afrinic
Updated IP zone data from ripe
Updated IP zone data from ariniptables-restore: line 11365 failed
Rules update failed: exit code 1 at line 0
[FAILED]

Not sure if i done something wrong.

Thanks.

hi
I am using this script on two ubuntu systems with no issue, but i install it on contos, and all is working even the list but i do get this error:

~]# /etc/init.d/BlockCountries start -update
Starting blocked countries IP filter:
No new IP data available from apnic
No new IP data available from lacnic
No new IP data available from afrinic
Updated IP zone data from ripe
No new IP data available from arin ip6tables-restore v1.3.5: ip6tables-restore: unable to initializetable 'filter'

Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Your script is wonderful and has saved my VPS from countless hackers etc.

However for some reason IP's from the country code ua (Ukraine) are not being stopped

I have added ua to the conifg file the same as any other country I am blocking and run and have updated the iptables using BlockCountries start -update

Any idea's? My config file is below

Configuration for BlockCountries service

Countries

This lists both ISO code and name for documentation (and as insurance against changes in the name)

However, either would do.

ru
ch
in
pk
ir
br
de
fr
jp
pl
lt
ua
tr
kr
ca
ph

Allow https and inbound mail, which requires DNS

-atport https -atport smtp -atport submission -atport smtps -atport domain
-auport domain

Enable logging

-log

regards - glen

I use a small script for updating your BlockCountries, may it would be possible to include this into Blockcountries, or if you like add it to your Repo.

https://gist.github.com/wikrie/433b13be91c6a31391ee163c14a90295

br wikrie

Hi tlhackque,

as far as I can see the current logging goes to:

root@server:~# colortail -f /var/log/messages
==> /var/log/messages <==
Jan 22 11:29:06 server kernel: [3151900.967133] [Blocked CC]: IN=venet0 OUT= MAC= SRC=58.140.209.21 DST=0.0.0.0 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=23949 DF PROTO=TCP SPT=37383 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

would it be possible to setup a own Logfile into var/log

e.g.
/var/log/blocking.log

so it would be needed to create a new entry for the config file to setup this logging.

I try to modify the Script by changing the $Log

my $LOG = '/var/log/messages*'; # Note: This is a wildcard to handle log rotation. .gz files will decompressed on the fly and processed.

my $LOG = '/var/log/blocking*';

but it still write the Blockings into messages, after restarting the script.

I have been using BlockCountries for a while and have just tried to update to 2.21

when i try to load the default config, i get the following error.

root@NS12:~/BlockCountries-2.21-Release# /etc/init.d/BlockCountries -start -update
Unrecognized country/country code: use
root@NS12:~/BlockCountries-2.21-Release# 

This is the ISO part of the config, but its the default in the conf that came with the download.

# List of country codes blocked by default - specify yours in the config file

my @DEFAULT_ISO = qw /cn kr kp kz ru/;

hi,
I have a second dns server that mirrors the primary server which has the blockcountries script installed on it.
What i would like to know is if i need your script installed on the secondary server or not?

when dose your script get active, before or after the requests are sent to the dns?

thanks

hi im using ubuntu 18.04.

I getting this error: Use of uninitialized value $ARGV[2] in split at - line 6.

av00va writes:

I found out that your script isn't loading automatically at startup. It is listed in chkconfig

BlockCountries 0:off 1:off 2:on 3:on 4:on 5:on 6:off

I didn't see any documentation as to which levels and start/stop priority it should have. Please let me know, thanks. Also, I feel as if crontab isn't functioning correctly:

8 13 * * * /etc/init.d/BlockCountries start -update

Hi tlhackque,

This is not an issue but a massive thank you for your help and writing this excellent perl script. It works like a treat with very low overhead.

My server has been plagued by hackers & spammers for nearly a year and I was going mad bailing out the ship with buckets! This is exactly what I was looking for so a million thanks. hopefully I don’t have to close my web business down now.

Once again thank you it is very much appreciated and your willingness to share it is the true spirit of the original internet.