Obviously when you are the owner of a website, you’d want to allow visitors from all over the world to access your website. However, there are times when there is a need to block visitors from some countries on a certain webpage or vice versa. One good example is when you host a local contest online and you only want people from your own country to participate. Allowing visitors from your country while blocking the rest is the way to go, so there is no need to manually prune ineligible participants when choosing the winner. If you don’t have a powerful server that can handle the load created by unknown or unimportant bots, it is also best to temporarily block them from accessing your website.
The easiest way to block visitors from a country is by using .htaccess because we can do it ourselves through FTP without installing or messing with the iptables firewall rules. Here we have different places to obtain a generated country IP list in CIDR format for free and another method using a cloud-based web application firewall.
An important note if you want to block visitors by country using htaccess. Make sure you periodically generate a new list because the IP address database changes from time to time or else you might either miss or wrongly block visitor from other countries.1. IP2Location
IP2Location has been around since 2002 selling IP geolocation databases. Other than that, they also offer a free database firewall list by country to either allow everyone in the IP address list and ban everyone else, or ban the IP addresses and allow everyone else. To generate the block list, select IPv4, select the country (if you require more than 1, you’ll need to sign up for a free account that allows up to 30 countries) and choose Apache .htaccess deny from the drop down menu. You will get to download a text file which is to be uploaded to your homepage’s directory as .htaccess. You’ll need to rename the file to .htaccess after uploading the text file because you can’t do it in Windows.
If you want to allow access only to specific countries, select the “Apache .htaccess allow” option instead. Although it is not mentioned if the free country IP database has limited or full accuracy, most of the time the free version is limited as it’s not constantly being updated. There is also no mention of when the database was last updated.
2. Country IP Blocks
Similar to IP2Location, Country IP Blocks also sells premium GeoIP databases and also offers free generation of an access control list to block or allow visitors from specific countries. To generate the block list, select the countries followed by selecting either .htaccess deny or .htaccess allow. Clicking the Create ACL button will instantly generate the data to be copied to the .htaccess file.
Country IP Blocks did mention that the generated data can be 30-60 days old whereby the purchased membership has access to the most current data.
BlockACountry.com will be quite useful if you implement country blocking for a few websites because it generates block lists through profiles. You must first sign up for a free account. After logging in, you’ll need to provide a website address and select the country that you want to block, then you’re allowed to download the block list. Whenever you don’t recall the country that you’ve blocked, simply login to BlockACountry and click on the Edit link for the website.
IPdeny used to have an online firewall rule generator but it is now offline. You can however still download the IP blocks according to countries and make some minor modification so that it will be compatible with an Apache .htaccess allow or block list. First download the country zone file from IPdeny’s website. Do not open the text file with Notepad because the “\n” line breaks are not recognized in Notepad. Use Wordpad or third party programs such as Notepad++ to open it. First, you need to add these 3 lines to the top of the data.
<Limit GET HEAD POST>
allow from all
Next, you need to add a prefix “deny from” followed by the IP blocks. Instead of manually adding the prefixes, you can use TextMechanic to do it. Copy and paste the IP blocks to the top box. Then add “deny from ” to the box that says “Add this prefix into the beginning of each line”. Make sure that there is a space after the word “from”. Finally click the “Add Prefix and/or Suffix” button.
Copy all the data from textmechanic.com and paste it into the text file replacing the old IP blocks. Finally, add a closing tag of </Limit> at the end of the list. You now have a fully working block list based on IPdeny’s IP blocks.
5. Country IP Range from RIPE
Ivan Erben has written a small and useful python script that can automatically download and parse ranges from RIPE (RIPE officially administers IP addresses). He has also scheduled the script to automatically run on his server every day at 12:00 and the generated IP blocks are available to download for free.
This python script is brilliant because the IP blocks are from the official group that governs the use of IP address and it’s updated daily. The only thing is you’ll need to follow the instructions in method number 4 to make the list Apache compatible.
6. Software77 IP to Country Database
Another place to obtain country IP listings in CIDR format is software77.net. It is a webhosting and domain name registration company but they offer a free IP to Country database. At the right hand sidebar, select the country that you want to obtain the IP address list, select CIDR format and click Submit.
At the next page refresh, a report will be made available where you can copy the data. The IP address list is also a plain CIDR format, so you’ll need to make it Apache .htaccess compatible as well.
You can find IP <-> Country databases at LUDOST.NET for free. This free service collects IP data from multiple sources mainly from RIPE. A good thing at LUDOST.NET is they offer several output format templates that are compatible with iptables, ipfw, Cisco/Apache/Ngix ACL.
To generate an IP database, first you need to input a list of countries based on the two letter country code (separated by space if you need to input multiple country codes), select the template and click the “Submit query” button. If you want to block visitors from countries using .htaccess, select the “apache-deny” template. When the data has been generated, you can save it to your computer by pressing Ctrl+S, upload the file to your web server and rename it to .htaccess.
Incapsula is one of the most popular cloud-based web application firewalls with the aim of protecting your website against attack and also to speed it up at the same time. There are a couple of plans but the free one is good enough to block visitors from a country. After setting up your website to use Incapsula, go to Settings > Security > Block Specific Sources. You can either type the name of the country in the box or click the “Select from List” where you get to choose from a list or by clicking on a world map. Finally, click on the Save button located at the top right.
The country blocking takes effect nearly instantly after saving the changes. The blocked user will see an access denied error with the error code 16 and an additional message “This request was blocked by the security rules”.
Additional Notes: For CloudFlare, you can find an option in “Threat Control” to block visitors from a country but be informed that this feature doesn’t fully ban the visitor from accessing the website. It merely provides an additional security check through CAPTCHA verification. The visitor can still access the website after correctly solving the CAPTCHA. CloudFlare did mention that they may implement full blocking in near future.