Debian/Linux – automatically block all connections from Russia and China

Debian/Linux – automatically block all connections from Russia and China

I had already published a comprehensive article about a firewall script that is supposed to prevent flooding attacks and port scans, among other things.

However, it is also possible to block entire countries from the outset – without IP lists. Of course, such IP lists would then no longer need to be updated.

The current usual suspects or uninvited guests are in most cases Russia, Belarus and China. For this reason I have adapted the script from the original post accordingly.

IPs from Russia, Belarus and China are automatically blocked in this example. However, an exception is made for IPs from Cloudflare. Since cronjobs are limited to 1 time per minute, the script uses a little trick whereby it runs for a maximum of 55 seconds. The last 5 seconds were left free to avoid overlaps.

If you want it even more “aggressive” you can use a lockfile.

All this is too complicated for you? You can installthe block script including the cronjob with this tutorial or book me via my contact form for a reasonable hourly rate.


First we have to make sure that all needed packages are installed:

apt-get update && apt-get install -y sudo && apt-get install -y geoip-bin && apt-get install -y iptables && apt-get install -y whois && apt-get install -y iptables-persistent && apt-get install -y net-tools

After that we create the needed files, give file permissions and open the file.

touch /root/ && touch /root/test.log && touch /root/testcc.txt && chmod 775 /root/test.log && chmod 775 /root/testcc.txt && chmod 775 /root/ && nano /root/

In the file opened by nano we paste the following code. Attention the email address in the code should be changed.


while [ $SECONDS -lt $end ]; do

echo "Shellscript powered by"
#bad countries RU CN BLR - limit 1
netstat -ant | egrep ':.*ESTABLISHED' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c > testcc.txt
sed 's/^[ t]*//' -i testcc.txt
sed '/^$/d' -i testcc.txt
while read c d; do
    if [[ $c > "0" ]]; then

bGF1dGVuYmFjaGVyLmlv=$(geoiplookup $d | awk -v ip="$d" '{FS=" "} {if($4 == "RU," || $4 == "CN," || $4 == "BLR,") {print 1}}')

 if [[ $bGF1dGVuYmFjaGVyLmlv = "1" ]]; then
echo "running geolookup"
bGF1dGVuYmFjaGVyLmlX=$(whois $d)
echo checking ip $d
geoiplookup $d

echo try to add ip $d to blocklist

if [[ "$bGF1dGVuYmFjaGVyLmlX" == *"CLOUDFLARE "* ]]; then
echo Cloudflare detected

if [[ "$whoisvar" != 1 ]]; then
sudo iptables -I INPUT -s $d -j DROP
whois=$(whois $d)
mail -s 'Warning Message regarding '$d [email protected] <<< $d' bad country host exceeded the connection limit of 1'$whois
echo blocking $d


done < testcc.txt

sleep 1

I recommend everyone to test the script executability briefly and run the script manually:


If this worked we create the cronjob:

crontab -e

We add the following line:

*/1 * * * /root/ > /dev/null 2>&1

With this everything is already done and the script fulfills its purpose.

2 Antworten zu “Debian/Linux – automatically block all connections from Russia and China”

  1. Would this also work for RedHat Linux? Looking at the code it seems pretty vanilla.


Leave a Reply

Your email address will not be published. Required fields are marked *