# US IP Whitelist Script

This repository contains a single Bash script, `whitelist_us.sh`, which configures the local system firewall to allow only traffic from IP ranges assigned to the United States. The script downloads IP block lists, creates `ipset` sets for IPv4/IPv6, and inserts `iptables`/`ip6tables` rules to drop non-US traffic.
## Warning

This script modifies firewall rules and can block legitimate traffic if used incorrectly. Run it only on systems where you understand the impact. Test in a safe environment before applying to production.
## Requirements

- A Debian/Ubuntu-like Linux distribution with `apt` (tested on Debian/Ubuntu).
- `sudo` privileges.
- The script will install the following tools if not present: `ipset`, `iptables`, `ip6tables`, `wget`.
## Usage

Make the script executable and run it. You can optionally restrict rules to a single TCP port.
### Examples

```bash
# Block non-US traffic on all ports (default)
./whitelist_us.sh

# Block non-US traffic only on port 22 (SSH)
./whitelist_us.sh -p 22

# Show help
./whitelist_us.sh -h
```
## What the script does

- Installs required packages (`ipset`, `wget`, `iptables`) via `apt`.
- Downloads IPv4 and IPv6 US IP ranges from ipdeny.com and appends local/private ranges to keep internal connectivity.
- Creates two ipset sets named `allow_us_ipv4` and `allow_us_ipv6`.
- Populates the ipsets with the downloaded ranges.
- Inserts `iptables`/`ip6tables` rules at the top of the INPUT chain to drop packets not matching the ipsets.
## Notes and safety tips

- If you provide `-p PORT`, the rules will only affect the specified TCP port. Otherwise, all incoming ports are affected.
- To remove the rules later, use the `iptables`/`ip6tables` commands printed by the script (they delete the DROP rules that reference the ipsets). For example:

```bash
sudo iptables -D INPUT -m set ! --match-set allow_us_ipv4 src -j DROP
sudo ip6tables -D INPUT -m set ! --match-set allow_us_ipv6 src -j DROP
```

- The script uses `wget` to fetch lists from ipdeny.com; if that service is unavailable the script will fail.
- Review ipset and iptables rules after running to ensure expected behavior.
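The steps under "What the script does" and the `-p PORT` / removal notes above, as an added dry-run example that is not the repository's `whitelist_us.sh`: it turns a zone file into an `ipset restore` batch (with the local ranges appended) and prints the matching INPUT rule, so the result can be reviewed before anything touches the live firewall. The set names, the local-range list and the sample zone file are assumptions; the zone file stands in for the ipdeny.com download.

```bash
#!/bin/sh
# Added example, not the repository's whitelist_us.sh: a dry run that turns a
# zone file into an `ipset restore` batch plus the matching iptables/ip6tables
# rule, so the result can be reviewed before anything touches the live firewall.
# Set names, the local-range list and the sample zone below are assumptions.
set -eu
# Private/loopback IPv4 ranges appended so LAN traffic is not dropped (assumed list).
LOCAL_V4="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# build_ipset_restore SET FAMILY ZONE_FILE
# Prints one create/flush and then one add per CIDR, in `ipset restore` syntax
# (loading a batch is much faster than one `ipset add` per line). Blank lines
# and comments are skipped; entries not shaped like a CIDR of the requested
# family are reported on stderr and dropped instead of being fed to ipset.
build_ipset_restore() {
  set_name="$1"; family="$2"; zone_file="$3"
  printf 'create %s hash:net family %s -exist\n' "$set_name" "$family"
  printf 'flush %s\n' "$set_name"
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                         # drop trailing comment
    line="${line%"${line##*[![:space:]]}"}"     # trim trailing blanks/CR
    line="${line#"${line%%[![:space:]]*}"}"     # trim leading blanks
    [ -n "$line" ] || continue
    case "$family:$line" in
      inet:*.*.*.*/*) ;;                       # IPv4 a.b.c.d/len shape
      inet6:*:*/*) ;;                          # IPv6 h:h::/len shape
      *) echo "skipping malformed entry: $line" >&2; continue ;;
    esac
    printf 'add %s %s -exist\n' "$set_name" "$line"
  done < "$zone_file"
  if [ "$family" = inet ]; then
    for cidr in $LOCAL_V4; do printf 'add %s %s -exist\n' "$set_name" "$cidr"; done
  fi
}

# drop_rule TOOL SET [PORT]
# Prints the DROP rule inserted at the top of INPUT; with PORT only that TCP
# port is affected (the script's -p option), otherwise every incoming port is.
# Removing it later means the same match list with -D in place of -I INPUT 1.
drop_rule() {
  match=""
  [ -z "${3:-}" ] || match=" -p tcp --dport $3"
  printf '%s -I INPUT 1%s -m set ! --match-set %s src -j DROP\n' "$1" "$match" "$2"
}

# Constructed sample zone file standing in for the ipdeny.com download.
SAMPLE_ZONE="$(mktemp)"
printf '%s\n' '3.0.0.0/8' '# comment' '' '8.8.8.0/24' 'not-a-cidr' > "$SAMPLE_ZONE"
build_ipset_restore allow_us_ipv4 inet "$SAMPLE_ZONE"
drop_rule iptables allow_us_ipv4 22
rm -f "$SAMPLE_ZONE"
```

Piping the batch into `sudo ipset restore` and then running the printed rule reproduces the script's end state; the malformed-entry check is what keeps a corrupted or truncated download from aborting the load halfway through.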
## Contact / Support

Open an issue in this repository if you need help or find a bug.