Blocking all IP addresses from China requires adding IP ranges associated with the country to your `iptables` rules. Here’s how to do it:
### 1. Obtain IP Ranges for China
You’ll first need a list of all IPv4 (and optionally IPv6) ranges associated with China. Services like [IPdeny](http://www.ipdeny.com/ipblocks/) and [Country IP Blocks](https://www.countryipblocks.net/) provide these lists in CIDR format. You can download the list for China (`cn.zone`) from IPdeny:
```bash
wget -O cn.zone http://www.ipdeny.com/ipblocks/data/countries/cn.zone
```
This file contains a list of Chinese IP blocks in CIDR notation.
### 2. Block Chinese IP Ranges with `iptables`
Once you have the list, you can use a script to loop through each IP range and add a rule to block it with `iptables`.
```bash
#!/bin/bash
# Block all IPs from China: one DROP rule per CIDR range listed in cn.zone
set -eu
while read -r ip; do
    # skip blank lines and comments that may appear in the zone file
    case "$ip" in ''|'#'*) continue ;; esac
    iptables -A INPUT -s "$ip" -j DROP
done < cn.zone
```
Save this script as `block_china.sh`, give it execute permissions, and run it:
```bash
chmod +x block_china.sh
sudo ./block_china.sh
```
### Explanation
- **`-A INPUT`**: Adds each rule to the INPUT chain to block incoming traffic.
- **`-s $ip`**: Specifies each IP range to block.
- **`-j DROP`**: Drops packets from the specified IP range.
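One rule per range means several thousand entries in the INPUT chain, each checked in turn for every packet. The script below is an added example, not part of the original answer: it validates each line of the zone file, loads the ranges into an `ipset` hash, swaps the new set in atomically, and references it from a single `iptables` rule. It assumes `ipset` is installed, `cn.zone` is in the working directory, and uses the hypothetical set name `geoblock_cn`; the sample zone data it ships with is constructed for the offline demo.

```bash
#!/bin/bash
# Added example (not from the original answer): load the country list into
# an ipset and reference it from ONE iptables rule instead of thousands.
# Assumes cn.zone in the working directory, and ipset + iptables installed.
set -eu
ZONE_FILE="${ZONE_FILE:-cn.zone}"
SET_NAME="${SET_NAME:-geoblock_cn}"   # hypothetical set name

# Keep only well-formed IPv4 CIDR lines (octets <= 255, prefix <= 32) so a
# stray or tampered line in the downloaded file can never become a rule.
filter_cidrs() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' "$1" |
    awk -F'[./]' '{ ok = 1
      for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
      if (NF == 5 && $5 > 32) ok = 0
      if (ok) print }'
}

# Emit "ipset restore" input: one create line, then one add per range.
build_restore() {
  echo "create $1 hash:net family inet"
  filter_cidrs "$2" | sed "s/^/add $1 /"
}

# Build the new set under a temporary name, then swap it in atomically so
# the live set is never half-loaded during a refresh; add the DROP rule once.
apply() {
  tmp_set="${SET_NAME}_tmp"
  ipset destroy "$tmp_set" 2>/dev/null || true   # leftover from a failed run
  build_restore "$tmp_set" "$ZONE_FILE" | ipset restore
  ipset -exist create "$SET_NAME" hash:net family inet
  ipset swap "$tmp_set" "$SET_NAME"
  ipset destroy "$tmp_set"
  iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
    iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample zone file (documentation ranges plus malformed lines),
# not real cn.zone data; used by the offline demo below.
write_sample_zone() {
  printf '%s\n' '192.0.2.0/24' '198.51.100.0/25' '203.0.113.5' \
    '256.1.1.1/24' '203.0.113.0/33' '# not a range' > "$1"
}

case "${1:-demo}" in
  apply) apply ;;
  demo)  sample=$(mktemp); write_sample_zone "$sample"
         build_restore demo_set "$sample"; rm -f "$sample" ;;
esac
```

Run it with no arguments to print the generated `ipset restore` input for the constructed sample, and as `sudo ./geoblock.sh apply` to load the real list; re-running `apply` after downloading a fresh `cn.zone` refreshes the set without touching the rule.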
### 3. Make Rules Persistent
To save these rules so they persist across reboots, use:
- **On Ubuntu/Debian**: `sudo iptables-save > /etc/iptables/rules.v4` (the directory and the reload-on-boot service come from the `iptables-persistent` package)
- **On CentOS/RHEL**: `service iptables save` (requires the `iptables-services` package on CentOS/RHEL 7 and later)
### IPv6 Blocking (Optional)
If you need to block IPv6 addresses as well, download the IPv6 ranges and use `ip6tables` in a similar script.
This setup blocks traffic from all IP ranges currently allocated to China, but be aware that it needs periodic updates: country allocations change over time, so the zone file should be re-downloaded and the rules rebuilt on a schedule.