In my previous post I showed how to easily generate the IP ranges assigned to a country. I have modified that script to generate IP blocks for all countries and put them online for free download and usage.
You can find them here http://www.iwik.org/ipcountry/ This list is generated daily at 12:00 CET.
This list can be used for example on mikrotik router to block/allow access from specified countries.
To import country range, for example Slovak ranges, as firewall address-list use commands
/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/SK
/import file-name=SK
UPDATE:
IPv6 is now supported and script also generates IPv6 firewall address list. See http://blog.erben.sk/2019/12/11/country-ipv6-ranges/
UPDATE 2:
I have found it can also be useful for HAProxy: http://blog.erben.sk/2020/12/02/haproxy-country-filtering-acl/
Hi thanks for these lists. All the best Paul
thanks for this, helped me a lot 🙂
I compared your AF list to one from IP2Location and yours is very short. Can you explain why?
Hi, in the previous post you can see the script to generate the range for a specific country. It is based on data provided by Regional Internet Registries (RIR, e.g. RIPE, ARIN…). At a lower level (LIR), small subnets are sometimes sub-allocated to other countries and these ranges can be missing from this list. Other services (like IP2Location) are probably using additional sources (geoip database?) to extend their lists.
Meanwhile I have found a similar free service with extended sources of data, check https://ip.ludost.net/
Hi,
On this website, they provide aggregated routes: http://ipdeny.com/ipblocks/ If you could update your script to pull the data from this website it would be very useful. It would reduce the load on our Mikrotik router: instead of having 6900 routes there are 3600 routes once aggregated.
Thx !
Hi, you can find php script which generates mikrotik rules from country lists here http://www.iwik.org/ipcountry/mikrotik.phps
You can edit it to download IP list from url you need and then put it on some (your) php hosting. I will not do that, because I don’t want my server doing requests to ipdeny server.
Hi Thank you for this site, it makes life so easy and I am glad that you are hosting this for the community, I have however noted one issue, If it sees a duplicate the script stops running it doesn’t finish the whole list. Do you have a work around for this? Thank you
Mario
Hey! Thank you very much for your work!
I have a little problem, and I hope you could help me 🙂
Scope: I need to get several countries' IPs and put them in one list (White_list), so I decided to download your script, modified it a little and uploaded it to my hosting.
The problem is that my url “http://mydomain.com/mikrotik/GB” does not work, it works only with url like “http://mydomain.com/mikrotik/index.php?country=GB” but in this case in the router file list i get file with name “index.php?country=GB”
I think there is some .htaccess solution or something else..
Yes, right – simple rewrite rule in .htaccess will do it:
RewriteEngine On
RewriteRule ^mikrotik/(.*)$ index.php?country=$1
Then “mikrotik” is not a real folder, but the url http://something/mikrotik/GB will be the same as http://something/index.php?country=GB
Thank you so much!
You saved my day! IT works! 🙂
Now, this is a nice idea of course, but you should explain about the major security risk which users will create when using your scripts directly on their mikrotik routers.
At any point in time you might add commands to those scripts which can do totally different things than only modifying address list. I mean you could be opening up ports or adding users, etc…
Now assuming that you are uploading these generated scripts to iwik.org:
You might have good intentions uploading the scripts to that web, but what if someone gets access to the bucket which contains all those scripts and uploads different versions which can do harm.
In general the idea is nice, the execution however is not so well done as seen from a security perspective.
I don’t expect you to post a fix for this, as when I decide to use something like this, I will build this on my own. But you should at least mention the fact that using these scripts from iwik.org without some very well done sanity checking is a major security risk.
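The kind of sanity check this comment asks for, as an added example (not part of the original post or the site's own code): a Python filter, run on a staging host before the file reaches the router, that keeps only address-list lines for the expected country and reports everything else. The line shapes of the generated .rsc file are an assumption inferred from the snippets quoted in this thread; `validate_rsc` and `SAMPLE_RSC` are hypothetical names.

```python
import ipaddress
import re

# Assumed line shapes of a generated address-list script (inferred from this thread).
PREFIX = r"(?:/ip(?:v6)? firewall address-list )?"
HEADER = re.compile(r"^/ip(?:v6)? firewall address-list$")
REMOVE = re.compile(r"^" + PREFIX + r"remove "
                    r"\[/ip(?:v6)? firewall address-list find list=([A-Z]{2})\]$")
ADD = re.compile(r"^" + PREFIX + r"add address=(\S+) list=([A-Z]{2})$")

# Constructed sample: one duplicate entry and one line that is not an address-list edit.
SAMPLE_RSC = """/ip firewall address-list
remove [/ip firewall address-list find list=SK]
add address=192.0.2.0/24 list=SK
add address=192.0.2.0/24 list=SK
add address=198.51.100.0/24 list=SK
/user add name=demo group=full
"""


def validate_rsc(text, country):
    """Return (clean_script, rejected_lines); import only if rejected is empty."""
    seen, kept, rejected = set(), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        add, rem = ADD.match(line), REMOVE.match(line)
        if HEADER.match(line) or (rem and rem.group(1) == country):
            kept.append(line)
        elif add and add.group(2) == country:
            try:
                # strict=True rejects networks with host bits set
                net = ipaddress.ip_network(add.group(1), strict=True)
            except ValueError:
                rejected.append(raw)
                continue
            if net not in seen:  # drop exact duplicates
                seen.add(net)
                kept.append(line)
        else:
            rejected.append(raw)
    return "\n".join(kept) + "\n", rejected


if __name__ == "__main__":
    clean, rejected = validate_rsc(SAMPLE_RSC, "SK")
    print("rejected:", rejected)
    print(clean, end="")
```

Anything that lands in the rejected list is a reason to skip that day's import and keep the previous address list.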
From Uruguay: Thank you very much
Hi,
I need a country IP Network List. While i am surfing on the internet, i saw your web address named http://www.iwik.org/ipcountry/. I have a question for this. Are they updated list for the whole network of any country ? Can you help me for that ?
Thanks for your interest,
Thank you…
Can you add address block 5.39.220.3 to Netherlands?
I am getting port scans from there and according to whois its located in NL.
Thanks
Hi, it is already in list. It belongs into range 5.39.216.0/21
Hi, if I run the import on a MikroTik device, I get the error: failure: already have such entry
RSC:
:foreach i in={"AM"; "AT"; "AZ"; "BE"; "BY"; "CA"; "CH"; "CZ"; "DE"; "DK"; "EE"; "ES"; "EU"; "FI"; "FR"; "GB"; "GE"; "IE"; "IL"; "IT"; "KG"; "KZ"; "LI"; "LT"; "LU"; "LV"; "MD"; "MK"; "PL"; "PT"; "RO"; "RU"; "SE"; "SZ"; "TM"; "TR"; "UA"; "UZ"; "NL"; "US"; "TH"} do={
#/tool fetch url="http://www.iwik.org/ipcountry/mikrotik/$i" mode=http;
/import file-name=$i;
}
Thank you for your work – unfortunately we still have to support RDP into some workstations for our clients, and setting an allow line for our country seriously reduces the automated foreign attacks. =)
Hi, thank you for your service, a very valuable thing. But there is a supplement. Lacking a separate file in Central Asia, the Former Soviet Union and other United countries
Hello,
Very Good .
Special thanks .
But I have a problem = How I can Update this list in my firewall Address Lists ?
Can I do this work automatically ?
I am not able to find the IP of UK and UAE.
Can you provide same.
Thanks in advance.
Hi, try again. There is iso standard for country codes:
https://en.wikipedia.org/wiki/ISO_3166-1 or http://data.okfn.org/data/core/country-list
Use mikrotik scheduler. https://www.youtube.com/watch?v=eVe1iOIVyYY
Thanks a lot
Thanks, It also works on Tixati by adding the URL into IP Filter
Is possible generate a IPv6 cidr ??
in same way.
Hi everyone, I'm fairly new to this.
I'm running the script on my Mikrotik for Canada. I got a few connection attempts on my IP phone system from an address starting with 185.x.x.x, but I don't see that range in the script file.
Can you explain to me how it works? Did I receive connection attempts from 185.x.x.x because it is not in the file itself?
thanks
Hi, all.
1) IPV6 it could be possible, but I didn’t figure out how to compute ipv6 mask easily
2) After you import address list, you should use this list in firewall rules.
Hi
I also found your awesome list of ip’s (http://www.iwik.org/ipcountry/)
I want to add the ip’s for denmark to htaccess so only visitors from denmark are allowed, but i need it to be automated so i can just ask CRON to call a php page and the list is updated automatic
i know that it would need to remove a section from htaccess and then insert a new BUT updated section
i just cant find any good guides on google on how to do it
i like the idea that a section is inserted and replaced as this allow me to have a section that allows google servers after your list so they are not blocked
can you help out maybe?
i made some progress
i managed to stitch together a php page that gets the list of ip’s from you and remove the first line and add the word allow to each line
now i just need to figure the htaccess part
my php page that downloads the list, it also adds a 1 to the end of each file
<?php
// Placeholder: the original URL and the start of the script were lost from this comment.
$url = 'URL_OF_DK_CIDR_LIST';
$file = fopen("DK.cidr", "w"); // download target
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => $url,
// CURLOPT_BINARYTRANSFER => 1, -- No effect from PHP 5.1.3
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_FILE => $file,
CURLOPT_TIMEOUT => 50,
CURLOPT_USERAGENT => 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'
]);
$response = curl_exec($curl);
if($response === false) {
// Update as of PHP 5.3 use of Namespaces Exception() becomes \Exception()
throw new \Exception('Curl error: ' . curl_error($curl));
}
curl_close($curl);
fclose($file); // flush the download to disk before reading it back
$response; // Do something with the response.
$handle = fopen("DK.cidr", "r");
$first = fgets($handle,2048); #get first line.
$outfile="temp";
$o = fopen($outfile,"w");
// copy everything after the first line
while (!feof($handle)) {
$buffer = fgets($handle,2048);
fwrite($o,$buffer);
}
fclose($handle);
fclose($o);
rename($outfile,"dk.txt");
// append " 1" to every line
$lines = file("dk.txt", FILE_IGNORE_NEW_LINES);
$lines = array_map(function($v){return $v . " 1" . PHP_EOL;}, $lines);
file_put_contents("dk.txt", $lines);
unlink('DK.cidr');
?>
i then followed this link: https://stackoverflow.com/questions/15579620/how-to-block-100-000-individual-ip-addresses
adding this to htaccess:
RewriteEngine On
RewriteMap deny_ips txt:/path/to/deny_ips.txt
RewriteCond ${deny_ips:%{REMOTE_ADDR}|0} !=0
RewriteRule ^ - [L,F]
but i get a wrong server config page 🙁
webhoster was quick to reply
just add this to htaccess they say:
Require ip 69.46.36.0/27
Require ip 192.0.2.1
but i guess they have not thought how much work it would be to update the htaccess file like that
Hi, don’t make huge .htaccess with many IPs. Check this article http://blog.erben.sk/2018/07/20/using-mod_geoip-in-htaccess/
only problem is that i cant install things on the server, the page is on a hosting company
will ask if they have the module geoip
but its dinner time to will have to get back in a few hours
but it was fun just to get the list and have it done automatic
no reply from unoeuro.com 🙁
so i guess its a no go for me
Please implement an IPv6 version of your -awesome- service!?
Easy IPv6 (and IPv4) address and mask manipulation from within Python; in Python 3.3 and up use “ipaddress” from the standard library. A port of the 3.3+ ipaddress module to 2.6, 2.7, 3.2 is available from https://pypi.org/project/ipaddress/ . The Python 3.3+ ipaddress.py is based on the ipaddr.py from Google. The Python ipaddress.py library officially supersedes the (now defunct) Google ipaddr.py library: see: https://github.com/google/ipaddr-py
Hi all.
I have error with insertion of address in list FR & NL
seems to have 2 entry the same causing error in insertion
Is EU superset of all EU countries IPs ? If so why are some IP ranges from Si missing in EU?
Good day!
I have a problem with the second line
/ip firewall address-list
remove [/ip firewall address-list find list=RU]
Error. There is no space between address-list and remove
Can you add a space after address-list?
Hi
sorry bad english
I have Error in 2 string
/ip firewall address-list
remove [/ip firewall address-list find list=RU]
No SPACE between address-list and remove
Please add space
site seems to now be down any update on where to get the list.. i have commented out the download for now and just loading an old copy
as for your issue above try all on one line no spaces.. if you are editing in dos or
windows strip of the crlf
/put [/system clock get date]
put "cleaning out old address lists"
/ip firewall address-list remove [/ip firewall address-list find list=Whitelist]
/ip firewall address-list remove [/ip firewall address-list find list=Blacklist]
/ip firewall address-list remove [/ip firewall address-list find list=OtherSubnetIPs]
/ip firewall address-list remove [/ip firewall address-list find list=RU]
/ip firewall address-list remove [/ip firewall address-list find list=RU2]
/ip firewall address-list remove [/ip firewall address-list find list=CN]
/ip firewall address-list remove [/ip firewall address-list find list=KZ]
/ip firewall address-list remove [/ip firewall address-list find list=BR]
/ip firewall address-list remove [/ip firewall address-list find list=DNS_DOS]
/ip firewall address-list remove [/ip firewall address-list find list=wifi_routers]
1) Hi, in RU there are two overlapping subnets and script on mikrotik stopped. I have fixed it with solution from mikrotik forum.
2) Reverse proxy was not running, now is site online again.
Hello, there appears to be a problem with this. The address list is not loading on any mikrotik. I looked at your file and it appears that the syntax is wrong. On 29.4.2020 at 2:00 UTC it loaded fine, but today at the same time addresses are not being fetched.
Hi, I have been using it for a few months, but from today the script is not working. The script downloads the file and removes addresses from the list, but does not add the new IPs from the list. What is the problem? Thank you guys for the help.
I have merged that remove command into one line. But it broke the add rules, which I have fixed, but the broken scripts stayed cached for 24 hours – that is the issue you have seen.
Hello,
can you add 90.64.0.0/18 to SK range ? (Orange DSL)
Thanks
Hi, no I can not add any ranges manually. It is generated from RIPE database https://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest and that range is from line “ripencc|FR|ipv4|90.0.0.0|8388608|20060302|allocated”
Yes, it seems to be incorrect now, but I don’t think ripe will fix it either. Their statement in readme is “The RIPE Network Management Database contains information about IP address
space allocations and assignments. This information also indicates the country
where resources were first allocated or assigned. However it is not intended
that the data be considered as an authoritative statement of the location
where any specific resource may currently be in use.”
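How a record like the one quoted above turns into CIDR blocks, as an added example (not the site's own script): in the RIR delegated-stats format the IPv4 value field is an address count and the IPv6 value field is a prefix length, and Python's `ipaddress` module handles both, including counts that are not a power of two. The FR record is the one from this reply; the SK records and the function names are constructed for illustration.

```python
import ipaddress

# First record is the line quoted above; the SK records are constructed for illustration.
SAMPLE_DELEGATED = [
    "ripencc|FR|ipv4|90.0.0.0|8388608|20060302|allocated",
    "ripencc|SK|ipv4|10.0.0.0|768|20200101|assigned",
    "ripencc|SK|ipv4|10.0.3.0|256|20200101|assigned",
    "ripencc|SK|ipv6|2001:db8::|32|20200101|allocated",
]


def delegated_to_networks(lines, country):
    """Convert RIR delegated-stats records for one country into merged CIDR blocks."""
    v4, v6 = [], []
    for line in lines:
        fields = line.strip().split("|")
        # registry|cc|type|start|value|date|status
        if len(fields) < 7 or fields[1] != country:
            continue
        kind, start, value, status = fields[2], fields[3], fields[4], fields[6]
        if status not in ("allocated", "assigned"):
            continue
        if kind == "ipv4":
            # value is an address count and need not be a power of two
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            v4.extend(ipaddress.summarize_address_range(first, last))
        elif kind == "ipv6":
            # value is the prefix length
            v6.append(ipaddress.IPv6Network(f"{start}/{value}"))
    # collapse_addresses cannot mix versions, so merge each family separately
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def covering_network(address, networks):
    """Return the block in `networks` that contains `address`, or None."""
    target = ipaddress.ip_network(address)
    for net in networks:
        if net.version == target.version and target.subnet_of(net):
            return net
    return None


if __name__ == "__main__":
    fr = delegated_to_networks(SAMPLE_DELEGATED, "FR")
    print(covering_network("90.64.0.0/18", fr))
    print(delegated_to_networks(SAMPLE_DELEGATED, "SK"))
```

The merge step is also what shrinks a router's address list: adjacent blocks of the same country collapse into one shorter prefix.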
Hi,
please update LV country ip from this source http://nic.lv/local.net
Please update AT country ip from ftp://ftp.ripe.net/pub/stats/ripencc/
China CN and Russia RU are missing, probably others .. any ideas..
at least for the MikroTik version
http://www.iwik.org/ipcountry/mikrotik/CN