
Country CIDR IP ranges

In my previous post I showed how to easily generate the IP ranges assigned to a country. I have modified that script to generate IP blocks for all countries and put them online for free download and use.

The lists are available at http://www.iwik.org/ipcountry/ and are regenerated daily at 12:00 CET.

These lists can be used, for example, on a MikroTik router to block or allow access from specified countries.

To import a country's ranges (for example, the Slovak ranges) as a firewall address-list, use these commands:

/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/SK
/import file-name=SK


UPDATE:

IPv6 is now supported, and the script also generates an IPv6 firewall address list. See http://blog.erben.sk/2019/12/11/country-ipv6-ranges/

UPDATE 2:

I have found it can also be useful for HAProxy: http://blog.erben.sk/2020/12/02/haproxy-country-filtering-acl/

57 thoughts on “Country CIDR IP ranges”

  1. Hi, I love your script and service for Country CIDR IPs on Mikrotik devices and have just returned to it after not using it for a year or two because of a little quirk that was creating an issue for me. But with ROS 7.1 my vastly more inefficient method has become a headache for me.
    However the reason I stopped using your script is because it loads the address lists into system flash or disk. This can cause them to be slower and on smaller systems like the HeX S with limited Flash, it can fill the flash crashing the box.
    I have found this can be fixed though by making the subtle change of adding a timeout to the address list entry (which I currently do manually):

    :do { add address=0.0.0.0/24 list=XX timeout=60d } on-error={}

    Adding the timeout makes the list a dynamic list and loads it into RAM, making for faster lookups and load times. The downside is that it expires out after 60 days and disappears on reboot. However, being that Geo IPs should be refreshed every 30 days, I just run your script on boot (with a 30 second delay) and on a 30 day schedule.

    Right now I have to download your IP lists manually and modify them in a txt editor before loading them onto the router (which is tedious). I was just wondering your thoughts on this, maybe your advice, or even get you to consider a change to your code (consider, not expect)?
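
The manual edit described in the comment above can be scripted on the machine that downloads the list. The following is an added example, not the blog author's generator and not the commenter's code; it also drops every line that is not a plain address-list entry, because `/import` runs whatever commands the fetched file contains. The unmodified line format and the menu header are assumptions inferred from the commenter's sample line, and the sample addresses are constructed.

```python
import ipaddress
import re

# Assumed entry shape: the commenter's sample line without the timeout field.
ENTRY = re.compile(
    r"^:do \{ add address=(?P<cidr>[0-9a-fA-F:./]+) "
    r"list=(?P<list>[A-Z]{2}) \} on-error=\{\}$"
)
# Assumed menu headers that may precede the entries.
HEADERS = {"/ip firewall address-list", "/ipv6 firewall address-list"}


def add_timeout(rsc_text, country, timeout="60d"):
    """Return (rewritten_script, rejected) for one country list.

    Kept: blank lines, '#' comments, the menu header, and well-formed entries
    for `country`. Everything else is reported in `rejected` and left out, so
    no unexpected command reaches /import.
    """
    if not re.fullmatch(r"\d+[smhdw]", timeout):
        raise ValueError("timeout must be a number plus s, m, h, d or w")
    kept, rejected = [], []
    for lineno, raw in enumerate(rsc_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line in HEADERS:
            kept.append(line)
            continue
        m = ENTRY.match(line)
        try:
            if m is None or m["list"] != country:
                raise ValueError("not an entry for this list")
            # strict=True also rejects prefixes with host bits set.
            net = ipaddress.ip_network(m["cidr"], strict=True)
        except ValueError:
            rejected.append((lineno, line))
            continue
        kept.append(f":do {{ add address={net} list={country} "
                    f"timeout={timeout} }} on-error={{}}")
    return "\n".join(kept) + "\n", rejected


# Constructed sample (documentation prefixes), not data from the real list.
SAMPLE = """# constructed sample
/ip firewall address-list
:do { add address=192.0.2.0/24 list=SK } on-error={}
:do { add address=198.51.100.0/25 list=SK } on-error={}
:do { add address=203.0.113.7/24 list=SK } on-error={}
/user add name=x group=full
"""
```

Calling `add_timeout(SAMPLE, "SK")` returns the rewritten script plus the rejected lines; an empty rejected list is a reasonable precondition for uploading the result to the router.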
