linux
Anton Artyomov, 2017-04-11 15:15:22

How do I allow access to a server only from Russia in iptables without geoip?

Hello.
I'm not considering geoip.
I parsed all the Russian subnet addresses from here, ripe.net.
If I disable everything in /etc/sysconfig/iptables and only allow this:

-A INPUT -s 2.60.0.0/14,2.92.0.0/14,...62 thousand subnets...,213.110.224.0/19,217.71.128.0/20 -j ACCEPT

... well, plus Google subnets for site indexing ...
Is it normal to stuff 62 thousand subnets into a rule in /etc/sysconfig/iptables? Or should my hands be torn off for this? Tell me, please.


2 answer(s)
Ruslan Fedoseev, 2017-04-11
@ArtyomovAnton

man ipset
Otherwise your next question will be: why is everything so slow?
Because every packet goes through 62k checks...
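
The ipset approach this answer points to, as an added example that is not part of the original thread: the prefix list goes into one hash:net set and the 62k-entry rule becomes a single set match. The set name ru-allow, the function names and the sample input are assumptions; only the four valid prefixes come from the question.

```shell
#!/bin/sh
# Added example (not from the thread): one hash:net set instead of 62k -s prefixes.
SET_NAME="ru-allow"   # hypothetical set name

# Constructed sample input; the four valid prefixes are the ones quoted in the question.
sample_prefixes() {
    cat <<'EOF'
# one IPv4 prefix per line
2.60.0.0/14
2.92.0.0/14
213.110.224.0/19
217.71.128.0/20
2.60.0.0/14      # duplicate, emitted once
0.0.0.0/0        # rejected: would allow everyone, and hash:net cannot store /0
300.1.2.0/24     # rejected: octet out of range
EOF
}

# gen_ipset_restore NAME: read prefixes on stdin, print an `ipset restore` script.
gen_ipset_restore() {
    awk -v name="$1" '
        BEGIN { printf "create %s hash:net family inet maxelem 131072\n", name }
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
        $0 == "" { next }
        {
            n = split($0, p, "/"); m = split(p[1], o, ".")
            ok = (n == 2 && m == 4 && p[2] ~ /^[0-9]+$/ && p[2] + 0 >= 1 && p[2] + 0 <= 32)
            for (i = 1; ok && i <= 4; i++)
                ok = (o[i] ~ /^[0-9]+$/ && length(o[i]) <= 3 && o[i] + 0 <= 255)
            if (!ok) { printf "skipping invalid entry: %s\n", $0 > "/dev/stderr"; next }
            if (!seen[$0]++) printf "add %s %s\n", name, $0
        }'
}

# load_allowlist FILE: build a temporary set, then swap it in atomically (root + ipset).
load_allowlist() {
    tmp="${SET_NAME}-new"
    ipset create "$SET_NAME" hash:net family inet maxelem 131072 -exist
    ipset destroy "$tmp" 2>/dev/null || true
    gen_ipset_restore "$tmp" < "$1" | ipset restore &&
        ipset swap "$tmp" "$SET_NAME" &&
        ipset destroy "$tmp"
}

# The 62k-prefix rule in /etc/sysconfig/iptables then becomes a single hash lookup:
#   -A INPUT -m set --match-set ru-allow src -j ACCEPT

# Print the restore script for the sample (no root needed).
sample_prefixes | gen_ipset_restore "$SET_NAME"
```

The set has to exist before the iptables service loads the rule, because a rule that references a missing set fails to load. maxelem is raised above ipset's default of 65536 to leave headroom for a list of about 62 thousand prefixes.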

Sergey Sokolov, 2017-04-11
@sergiks

You can run all your traffic through CloudFlare and hope the bad guys don't remember your direct IP.
Then "the whole world" will talk to CF's front end, which can cut off DDoS and other suspicious activity.
