
How to block IPs from outside a particular country?

I have seen some websites which actually block access from outside a particular region. I have a client who wants to block access for outside people. Can somebody tell me how to achieve this functionality?

Commented:
Is this a host-based software firewall (iptables, Windows Firewall) or a hardware-based firewall (Cisco ASA, Cisco router with firewall features, etc.)? You can even block by other methods, .htaccess, etc. Yes, you can block certain countries:

Several lists are here
http://www.countryipblocks.net/

Billy

Author

Commented:
Now the problem here is that .htaccess allows blocking certain countries, but my client wants something like "Every country should be blocked outside US". In that case a more optimized configuration would be to allow certain IP ranges and block everything else.

Do you happen to know anything that works in this manner?

W_H

Commented:
I recommend you do that on your firewall. There should be an option for you to set an IP range, or even an AS number, to access a specific IP address/subnet.

Author

Commented:
OK. I am not a biggie on networks and I, at the moment, don't have access to my Windows server, but let's be basic. I am looking at my Windows Vista Firewall. Should I be seeing those options here? If yes, then where?

W_H
Commented:
For the level you want to control, the firewall on Windows would not be able to fulfill that. You need to at least do that on the router or firewall on your network.

If you really want to do that on a software firewall, you could, but it would require a huge amount of time setting up what you need, as they don't have that level of support for network control.

The Vista firewall can only protect your Windows from normal instances but is not a usefully configurable control.

Author

Commented:
So, if I have a .NET application then I have to write this IP blocking logic inside my Web.config to have it blocked? Isn't there a third-party network configuration tool or some Windows component that can help me with this?
I am basically confused about where I should start. At the application level, at the router level or at the operating system level?

First. You will never ever be able to do this 100% correctly. I'm responsible for handing out IP numbers from a pool of IP numbers that is from PI space (provider independent). These IP numbers can be handed out to an organisation that can be based wherever they are, or move to, on earth. That said, most of the IP numbers are mostly regional, and these numbers you could block with respect to country.

You might want to check out GeoIP. There are a lot of places around the net that offer this as a service. Here is one I dug up from Google. You need the GeoIP library and an Apache server.
http://www.maxmind.com/app/mod_geoip

Here is a free list of IPs per country. You could use this to do a .htaccess
http://software77.net/geo-ip/

For a quick way to try it out you could test this.
http://blockacountry.com/

Just select all in the list and then deselect US and you're good to go.

Note! Beware of the size: about 50000 entries. I don't know the impact on your webserver with such a large list.

W_H
Commented:
My recommendation is to let the network device do the network part. It's better to do the blocking on the firewall/router than on your server, as your server is already working on your .NET app. What you want is basically a firewall function.

So if you have a hardware firewall, check if it's advanced enough to handle IP subnet/AS blocking.

Author

Commented:
Thank you very much for your recommendations. They were really helpful. I will surely post whatever worked for me... :).

It hit me that (if you go for .htaccess) the list with 50000 entries could be aggregated. I did so and it can be reduced to 1/5 of that. About 10000 entries.
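
The allow-list approach discussed in this thread (permit listed ranges, refuse everything else, with the list aggregated first), as an added example that is not from any poster: Python's standard `ipaddress` module merges adjacent and overlapping blocks and renders Apache 2.4 `Require ip` lines. The sample ranges are constructed documentation addresses, not real country data, and the function names are this example's own.

```python
import ipaddress

# Constructed sample input (documentation ranges, not real country data).
# Country lists are published as CIDR blocks or as "first-last" ranges.
SAMPLE = """\
# constructed sample
192.0.2.0/26
192.0.2.64/26
192.0.2.128/25
198.51.100.0-198.51.100.255
203.0.113.0/24
203.0.113.16/28
"""

def parse_entry(entry):
    """Return the networks covered by one CIDR or 'first-last' entry."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def aggregate(text):
    """Parse a list, skip blanks and comments, merge adjacent/overlapping blocks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.extend(parse_entry(line))
    # collapse_addresses() rejects mixed IPv4/IPv6 input, so merge per version.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def is_allowed(ip, allowed):
    """Default deny: an address passes only if it falls inside an allowed block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)

def htaccess_allowlist(allowed):
    """Render Apache 2.4 'Require ip' lines; clients matching none are refused."""
    return "\n".join(f"Require ip {net}" for net in allowed) + "\n"

if __name__ == "__main__":
    print(htaccess_allowlist(aggregate(SAMPLE)), end="")
```

In Apache 2.4, several `Require` lines in one section are treated as alternatives, so a client that matches none of the listed blocks is refused.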

Author

Commented:
Thank you very much guys. I almost forgot that I am yet to rate the question.