Blocking non-US IPs?

[mrl72]

Can anyone recommend a method/service for blocking access to non US IP addresses? I've tried a couple of web services but nothing 100% reliable.

Thanks!

[thorfjalar]

Do you need to block access from personal computer to websites with non-US IP or block access to website from computers with non-US IP?

[Tech Manager]

Quote:

Originally Posted by mrl72

Can anyone recommend a method/service for blocking access to non US IP addresses? I've tried a couple of web services but nothing 100% reliable.

Thanks!

Sure thing. Go to Country IP Blocks. You can create your country specific access control lists in seven different formats. You can select one or all 247 different countries and instantaneously generate .htaccess deny/allow lists or produce lists to meet your formatting needs.

The database contains information on 4.3 billion IP addresses and is completely refreshed each day with the latest RIR information.

Country IP Blocks: Network Allocations by Country with Searchable IP Database

[Clint1]

Quote:

Originally Posted by mrl72

Can anyone recommend a method/service for blocking access to non US IP addresses? I've tried a couple of web services but nothing 100% reliable.

Thanks!

I use cPanel's "IP Deny" area which adds entries to the .htaccess file. This is only on Unix/Apache servers though.

[kgun]

Quote:

Originally Posted by Clint1

I use cPanel's "IP Deny" area which adds entries to the .htaccess file. This is only on Unix/Apache servers though.

Interesting. What is your experience with it?

[Clint1]

It works fine. However, (LONG story short), there's some serious bugs with regards to that in combination with Hot Link Protection. If you don't use HL Protection, you're ok. Otherwise you have to manually edit the htaccess file forget about the cPanel easy-edit interfaces. So I just manually paste IP's or partial IP's in the htaccess file.

deny from 123. blocks everything beginning with "123". deny from 124.567.890 only blocks that specific IP address.

[netman4ttm]

We block at the firewall. Using PF from BSD, but any decent Firewall can be used.

[kgun]

"The future is here. It's just not evenly distributed.

Hm.

IMO it is too early to know the future.

[netman4ttm]

This is a quick and dirty example of pf blocking a specific ip range using pf on FreeBSD This was for the ftp port
same line except of course port 80
block in on $ext_if proto tcp from 118.107.162.0/24 to port 21

TAKEN from this setup

set block-policy return
ext_if=bge0
int_if=bge1
udp_services = "{ domain, ntp }"
icmp_types = "echoreq"
scrub in all
block in on $ext_if

set skip on lo
pass inet proto icmp all icmp-type $icmp_types keep state
pass quick inet proto { tcp, udp } to any port $udp_services
pass in on $int_if proto tcp from any to $int_if port 53
pass in on $int_if proto udp from any to $int_if port 53
pass in on $int_if proto tcp from any to $int_if port 80
pass in on $int_if proto udp from any to $int_if port 80
pass in on $int_if proto tcp from any to $int_if port 22
pass in on $int_if proto tcp from any to any port 21 keep state
pass in on $int_if proto tcp from any to any port > 30000 keep state
pass out on $int_if proto { tcp, udp } all

pass in on $ext_if proto tcp from any to $ext_if port 53
pass in on $ext_if proto udp from any to $ext_if port 53
pass in on $ext_if proto tcp from any to $ext_if port 80
pass in on $ext_if proto udp from any to $ext_if port 80
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 30000 keep state
pass out on $ext_if proto { tcp, udp } all
block in on $ext_if proto tcp from 118.107.162.0/24 to port 21
antispoof for $ext_if
antispoof for $int_if

[sfatula]

Keeping in mind of course that the saavy overseas "shopper" can just as easily use a web proxy and still get to your site.

[netman4ttm]

Quote:

Originally Posted by sfatula

Keeping in mind of course that the saavy overseas "shopper" can just as easily use a web proxy and still get to your site.

True but since you are a wary sys admin you would be watching your logs and add the offending ip number to your deny.

[kgun]

Disallow all and then allow US's IP's.

More info here from a Norwegian Ip: Network and System Administration I 10

[sfatula]

Of course a good system admin would locate offenders if they were on top of things. I merely wanted to point out that it isn't fail-safe by itself. I know you know that, for others.

It's definitely a cat and mouse game. Of course, the same applies not only to web services, but, email and other services. That's why the firewall is a better choice than simply adding to .htaccess

[kgun]

Yes, and there are foreigners signing up on Norwegian Ip's. That must be a much bigger problem to the USA, but there may be some hosters to avoid

[Superaff]

Quote:

Originally Posted by mrl72

Can anyone recommend a method/service for blocking access to non US IP addresses? I've tried a couple of web services but nothing 100% reliable.

Thanks!

You can try either paid or free proxies. These proxy sites will mask your non-US IP addresses. I hope this helps.

[NetProwler]

There is a caveat when you use the Apache's directives in a .htaccess file to allow only the US IP address. The directives run to a few thousand lines. Your HTTP server has to process this for every visitor and that can slow down your server. The best place to block unwanted elements is at the firewall.

For dynamic sites, extra load involved in processing long .htaccess files can sometimes result in transient overload.

[Clint1]

Quote:

Originally Posted by Superaff

You can try either paid or free proxies. These proxy sites will mask your non-US IP addresses. I hope this helps.

Strange that after all this time, the OP has never shown up again since their first post. I believe what they were asking, as what the others apparently also believe, is regarding blocking bad bots and suspect IP ranges from getting access to their website. What you're talking about is personal computer IP address cloaking.

[Clint1]

Quote:

Originally Posted by NetProwler

There is a caveat when you use the Apache's directives in a .htaccess file to allow only the US IP address. The directives run to a few thousand lines. Your HTTP server has to process this for every visitor and that can slow down your server. The best place to block unwanted elements is at the firewall.

For dynamic sites, extra load involved in processing long .htaccess files can sometimes result in transient overload.

That will only work if you "have your host's ear" and they'll add IP addresses to the server's firewall at each of your requests. Or, if you have your own personal server.

I'm no expert on Apache nor htaccess, but adding a new entry is only:
deny from x
Where "x" is the IP address, or partial address. Are you saying that creating one of those adds thousands of other lines elsewhere? The block only applies to PC with the tagged IP.

[NetProwler]

Quote:

I'm no expert on Apache nor htaccess, but adding a new entry is only:
deny from x
Where "x" is the IP address, or partial address. Are you saying that creating one of those adds thousands of other lines elsewhere? The block only applies to PC with the tagged IP.

In this case we will assume that we block all and then allow only the country IP addresses we are interested in (standard operating procedure in setting up the rules in a firewall or with .htaccess).

For allowing only IP addresses coming from the US, you will have to factor in this:

# Country: UNITED STATES
# ISO Code: US
# Total Networks: 36,549
# Total Subnets: 1,460,108,286

The listing of all these network segments will run into a few thousand lines.

[Clint1]

Quote:

Originally Posted by NetProwler

In this case we will assume that we block all and then allow only the country IP addresses we are interested in (standard operating procedure in setting up the rules in a firewall or with .htaccess).

For allowing only IP addresses coming from the US, you will have to factor in this:

# Country: UNITED STATES
# ISO Code: US
# Total Networks: 36,549
# Total Subnets: 1,460,108,286

The listing of all these network segments will run into a few thousand lines.

When you say "in this case", do you mean what the OP asked? If so, there's no way of knowing for sure since they have disappeared. But the sentiments of the thread seem to imply they wanted to add blocks on specific regions instead of allowing specific regions. After all, it's must easier (I assume) to add IP block ranges.

[faststarter]

I believe there are a lot of scripts out there, I know some use the .htaccess thing in their index and directories.

But sometimes it depends on what's supported in your web hosting. And I think I have that feature easily handed.

Visit my free professional web hosting service below.