
Country CIDR IP ranges

In my previous post I showed how to easily generate the IP ranges assigned to a country. I have modified that script to generate IP blocks for all countries and put the results online for free download and use.

You can find them here: http://www.iwik.org/ipcountry/ The list is generated daily at 12:00 CET.

This list can be used, for example, on a MikroTik router to block or allow access from specified countries.

To import a country's ranges (for example, the Slovak ranges) as a firewall address list, use these commands:

/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/SK
/import file-name=SK


UPDATE:

IPv6 is now supported and the script also generates an IPv6 firewall address list. See http://blog.erben.sk/2019/12/11/country-ipv6-ranges/

UPDATE 2:

I have found that it can also be useful for HAProxy: http://blog.erben.sk/2020/12/02/haproxy-country-filtering-acl/

57 thoughts on “Country CIDR IP ranges”

  1. I compared your AF list to one from IP2Location and yours is very short. Can you explain why?

  2. Hi, in the previous post you can see the script to generate the range for a specific country. It is based on data provided by Regional Internet Registries (RIR, e.g. RIPE, ARIN…). At a lower level (LIR), small subnets are sometimes sub-allocated to other countries, and these ranges can be missing from this list. Other services (like IP2Location) are probably using additional sources (geoip database?) to extend their lists.
    Meanwhile I have found a similar free service with extended sources of data, check https://ip.ludost.net/

  3. Hi,

    On this website, they provide aggregated routes: http://ipdeny.com/ipblocks/ If you could update your script to pull the data from this website it would be very useful. It would reduce the load on our Mikrotik router: instead of having 6900 routes there are 3600 routes once aggregated.

    Thx !

  4. Hi, thank you for this site, it makes life so easy and I am glad that you are hosting this for the community. I have however noted one issue: if it sees a duplicate the script stops running, it doesn’t finish the whole list. Do you have a workaround for this? Thank you

    Mario

  5. Hey! Thank you very much for your work!

    I have a little problem, and I hope you could help me 🙂

    Scope: I need to get several countries’ IPs and put them in one list (White_list), so I decided to download your script, modified it a little and uploaded it to my hosting.

    The problem is that my url “http://mydomain.com/mikrotik/GB” does not work, it works only with url like “http://mydomain.com/mikrotik/index.php?country=GB” but in this case in the router file list i get file with name “index.php?country=GB”

    I think there is some .htaccess solution or something else..

  6. Now, this is a nice idea of course, but you should explain about the major security risk which users will create when using your scripts directly on their mikrotik routers.

    At any point in time you might add commands to those scripts which can do totally different things than only modifying address list. I mean you could be opening up ports or adding users, etc…

    Now assuming that you are uploading these generated scripts to iwik.org:
    You might have good intentions uploading the scripts to that web, but what if someone gets access to the bucket which contains all those scripts and uploads different versions which can do harm.

    In general the idea is nice, the execution however is not so well done as seen from a security perspective.

    I don’t expect you to post a fix for this, as when I decide to use something like this, I will build this on my own. But you should at least mention the fact that using these scripts from iwik.org without some very well done sanity checking is a major security risk.
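One way to do the sanity checking asked for in comment 6, as an added example that is not the site's or any commenter's code: accept only the address-list lines a country file should contain, then rebuild the import script locally from the validated ranges, so that no downloaded line is executed. Merging overlaps also covers the duplicate problem from comment 4 and the aggregation request in comment 3. The `add address=… list=…` line shape, the function names and the sample ranges are assumptions made for this example.

```python
import ipaddress
import re

# Accepted line shapes. HEADER and REMOVE are quoted in the comments on this
# page; the ADD shape is an assumption about the generated file.
HEADER = "/ip firewall address-list"
REMOVE = re.compile(r"remove \[/ip firewall address-list find list=(\w+)\]")
ADD = re.compile(r"add address=(\S+) list=(\w+)")

def vet_script(text, list_name):
    """Return the collapsed networks in a fetched script, or raise ValueError."""
    nets = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line == HEADER:
            continue
        # fullmatch: anything appended after a valid command is rejected.
        match = REMOVE.fullmatch(line) or ADD.fullmatch(line)
        if not match or match.groups()[-1] != list_name:
            raise ValueError(f"line {num}: unexpected command {line!r}")
        if match.re is ADD:
            # Strict parsing raises ValueError on garbage or stray host bits.
            net = ipaddress.IPv4Network(match.group(1))
            if net.prefixlen < 8 or net.is_private:
                raise ValueError(f"line {num}: implausible range {net}")
            nets.append(net)
    if not nets:
        raise ValueError("no address ranges found")
    # Merging duplicates and overlaps keeps the import from aborting part-way.
    return list(ipaddress.collapse_addresses(nets))

def render(nets, list_name):
    """Rebuild the import script locally from validated ranges only."""
    base = "/ip firewall address-list"
    out = [f"{base} remove [{base} find list={list_name}]"]
    out += [f"{base} add address={net} list={list_name}" for net in nets]
    return "\n".join(out) + "\n"

# Constructed sample: one nested range, two adjacent ranges, one separate range.
SAMPLE = """/ip firewall address-list
remove [/ip firewall address-list find list=SK]
add address=62.168.64.0/19 list=SK
add address=62.168.64.0/24 list=SK
add address=62.168.96.0/19 list=SK
add address=91.127.0.0/16 list=SK
"""

if __name__ == "__main__":
    print(render(vet_script(SAMPLE, "SK"), "SK"), end="")
```

This check cannot tell whether a well-formed public range really belongs to the country, so it limits what a tampered file can do rather than proving the list is correct.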

  7. Hi,
    I need a country IP Network List. While i am surfing on the internet, i saw your web address named http://www.iwik.org/ipcountry/. I have a question for this. Are they updated list for the whole network of any country ? Can you help me for that ?

    Thanks for your interest,
    Thank you…

  8. Can you add address block 5.39.220.3 to Netherlands?
    I am getting port scans from there and according to whois its located in NL.
    Thanks

  9. RSC:
    :foreach i in={"AM"; "AT"; "AZ"; "BE"; "BY"; "CA"; "CH"; "CZ"; "DE"; "DK"; "EE"; "ES"; "EU"; "FI"; "FR"; "GB"; "GE"; "IE"; "IL"; "IT"; "KG"; "KZ"; "LI"; "LT"; "LU"; "LV"; "MD"; "MK"; "PL"; "PT"; "RO"; "RU"; "SE"; "SZ"; "TM"; "TR"; "UA"; "UZ"; "NL"; "US"; "TH"} do={
    #/tool fetch url="http://www.iwik.org/ipcountry/mikrotik/$i" mode=http;
    /import file-name=$i;
    }

  10. Thank you for your work – unfortunately we still have to support RDP into some workstations for our clients, and setting an allow line for our country seriously reduces the automated foreign attacks. =)

  11. Hi, thank you for your service, a very valuable thing. But there is a supplement. Lacking a separate file in Central Asia, the Former Soviet Union and other United countries

  12. Hello,
    Very Good .
    Special thanks .

    But I have a problem = How I can Update this list in my firewall Address Lists ?
    Can I do this work automatically ?

  13. Rajat CopuBrain

    I am not able to find the IP of UK and UAE.
    Can you provide same.
    Thanks in advance.

  14. Hi everyone, I’m fairly new to this.

    I’m running the script on my Mikrotik for Canada. I got a few connection attempts on my IP phone system from an address starting with 185.x.x.x, but I don’t see that range in the script file.

    Can you explain to me how it works? Did I receive connection attempts from 185.x.x.x because it is not in the file itself?

    thanks

  15. Hi, all.
    1) IPV6 it could be possible, but I didn’t figure out how to compute ipv6 mask easily
    2) After you import address list, you should use this list in firewall rules.

  16. Hi

    I also found your awesome list of ip’s (http://www.iwik.org/ipcountry/)

    I want to add the ip’s for denmark to htaccess so only visitors from denmark are allowed, but i need it to be automated so i can just ask CRON to call a php page and the list is updated automatic

    i know that it would need to remove a section from htaccess and then insert a new BUT updated section

    i just cant find any good guides on google on how to do it

    i like the idea that a section is inserted and replaced as this allow me to have a section that allows google servers after your list so they are not blocked

    can you help out maybe?

  17. i made some progress

    i managed to stitch together a php page that gets the list of ip’s from you and remove the first line and add the word allow to each line

    now i just need to figure the htaccess part

  18. my php page that downloads the list, it also adds a 1 to the end of each file

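    <?php
    // The opening lines were lost when the comment was posted; they are reconstructed here.
    // $url is a placeholder: point it at the DK.cidr list.
    $url = 'http://example.invalid/DK.cidr';
    $file = fopen("DK.cidr", "w");
    $curl = curl_init();
    curl_setopt_array($curl, [
    CURLOPT_URL => $url,
    // CURLOPT_BINARYTRANSFER => 1, -- No effect from PHP 5.1.3
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_FILE => $file,
    CURLOPT_TIMEOUT => 50,
    CURLOPT_USERAGENT => 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'
    ]);

    $response = curl_exec($curl);

    if($response === false) {
    // Update as of PHP 5.3 use of Namespaces Exception() becomes \Exception()
    throw new \Exception('Curl error: ' . curl_error($curl));
    }

    // Close the transfer and flush the download to disk before reading it back.
    curl_close($curl);
    fclose($file);

    // Copy DK.cidr to dk.txt without its first line.
    $handle = fopen("DK.cidr", "r");
    $first = fgets($handle,2048); # get first line.
    $outfile="temp";
    $o = fopen($outfile,"w");
    while (!feof($handle)) {
    $buffer = fgets($handle,2048);
    fwrite($o,$buffer);
    }
    fclose($handle);
    fclose($o);
    rename($outfile,"dk.txt");

    // Append " 1" to every line so the file can be used as a lookup map.
    $lines = file("dk.txt", FILE_IGNORE_NEW_LINES);
    $lines = array_map(function($v){return $v . " 1" . PHP_EOL;}, $lines);
    file_put_contents("dk.txt", $lines);

    unlink('DK.cidr');

    ?>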

    i then followed this link: https://stackoverflow.com/questions/15579620/how-to-block-100-000-individual-ip-addresses

    adding this to htaccess:

    RewriteEngine On
    RewriteMap deny_ips txt:/path/to/deny_ips.txt

    RewriteCond ${deny_ips:%{REMOTE_ADDR}|0} !=0
    RewriteRule ^ - [L,F]

    but i get a wrong server config page 🙁

  19. webhoster was quick to reply

    just add this to htaccess they say:

    Require ip 69.46.36.0/27
    Require ip 192.0.2.1

    but i guess they have not thought how much work it would be to update the htaccess file like that

  20. only problem is that i cant install things on the server, the page is on a hosting company

    will ask if they have the module geoip

    but its dinner time to will have to get back in a few hours

    but it was fun just to get the list and have it done automatic

  21. Please implement an IPv6 version of your -awesome- service!?

    Easy IPv6 (and IPv4) address and mask manipulation from within Python; in Python 3.3 and up use “ipaddress” from the standard library. A port of the 3.3+ ipaddress module to 2.6, 2.7, 3.2 is available from https://pypi.org/project/ipaddress/ . The Python 3.3+ ipaddress.py is based on the ipaddr.py from Google. The Python ipaddress.py library officially supersedes the (now defunct) Google ipaddr.py library: see: https://github.com/google/ipaddr-py

  22. Александр

    Good day!
    I have a problem with the second line
    /ip firewall address-list
    remove [/ip firewall address-list find list=RU]
    Error. There is no space between address-list and remove
    Could you add a space after address-list?

  23. Hi
    Sorry for my bad English
    I have an error in line 2
    /ip firewall address-list
    remove [/ip firewall address-list find list=RU]
    No SPACE between address-list and remove

    Please add space

  24. site seems to now be down any update on where to get the list.. i have commented out the download for now and just loading an old copy

    as for your issue above try all on one line no spaces.. if you are editing in dos or windows strip off the crlf

    /put [/system clock get date]
    put "cleaning out old address lists"
    /ip firewall address-list remove [/ip firewall address-list find list=Whitelist]
    /ip firewall address-list remove [/ip firewall address-list find list=Blacklist]
    /ip firewall address-list remove [/ip firewall address-list find list=OtherSubnetIPs]
    /ip firewall address-list remove [/ip firewall address-list find list=RU]
    /ip firewall address-list remove [/ip firewall address-list find list=RU2]
    /ip firewall address-list remove [/ip firewall address-list find list=CN]
    /ip firewall address-list remove [/ip firewall address-list find list=KZ]
    /ip firewall address-list remove [/ip firewall address-list find list=BR]
    /ip firewall address-list remove [/ip firewall address-list find list=DNS_DOS]
    /ip firewall address-list remove [/ip firewall address-list find list=wifi_routers]

  25. 1) Hi, in RU there are two overlapping subnets and the script on mikrotik stopped. I have fixed it with a solution from the mikrotik forum.
    2) The reverse proxy was not running; the site is now online again.

  26. Hello, there appears to be a problem with this. The address list is not loading on any mikrotik. I looked at your file and it appears that the syntax is wrong. On 29.4.2020 at 2:00 UTC it loaded fine but today at the same time addresses are not being fetched.

  27. Hi, I have been using it for a few months, but as of today the script is not working. The script downloads the file and removes the addresses from the list, but does not add the new IPs from the list. What is the problem? Thank you guys for helping.

  28. I have merged that remove command into one line. But that broke the add rules, which I have fixed, but the broken scripts stayed cached for 24 hours – that is the issue you have seen

  29. Hi, no I can not add any ranges manually. It is generated from RIPE database https://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest and that range is from line “ripencc|FR|ipv4|90.0.0.0|8388608|20060302|allocated”
    Yes, it seems to be incorrect now, but I don’t think ripe will fix it either. Their statement in readme is “The RIPE Network Management Database contains information about IP address
    space allocations and assignments. This information also indicates the country
    where resources were first allocated or assigned. However it is not intended
    that the data be considered as an authoritative statement of the location
    where any specific resource may currently be in use.”
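The record quoted in the reply above, converted to CIDR form, as an added example rather than the site's own generator script. In the RIR delegated-stats format the fifth field is an address count for ipv4 records (not always a power of two) and a prefix length for ipv6 records. Only the FR record comes from this page; the other sample records and the function name are constructed for illustration.

```python
import ipaddress

def country_cidrs(lines, country):
    """Yield the CIDR blocks that delegated-stats records give to one country."""
    for line in lines:
        fields = line.strip().split("|")
        # Comments, the version header and summary lines never carry the
        # country code in the second field, so they are skipped here too.
        if len(fields) < 7 or fields[1] != country:
            continue
        _registry, _cc, kind, start, value, _date, status = fields[:7]
        if status not in ("allocated", "assigned"):
            continue
        if kind == "ipv4":
            # value counts addresses; a count such as 24576 needs several CIDRs
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1
            yield from ipaddress.summarize_address_range(first, last)
        elif kind == "ipv6":
            # value is already the prefix length
            yield ipaddress.IPv6Network(f"{start}/{value}")

# Sample input: the FR record is the one quoted above, the rest is constructed.
SAMPLE = """\
# constructed header and summary lines
2|ripencc|1588284000|4|19830705|20200430|+0200
ripencc|*|ipv4|*|2|summary
ripencc|FR|ipv4|90.0.0.0|8388608|20060302|allocated
ripencc|SK|ipv4|62.168.64.0|24576|20000101|allocated
ripencc|SK|ipv6|2001:db8::|32|20090101|allocated
ripencc|SK|asn|64500|1|20090101|allocated
"""

if __name__ == "__main__":
    for cc in ("FR", "SK"):
        print(cc, [str(net) for net in country_cidrs(SAMPLE.splitlines(), cc)])
```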
