Block a country using iptables

I live in a country that probably doesn't bring you much profit. Please don't block me just because of where I live.

In the past I've wanted to mass-block third world countries from my email server to reduce spam. After seeing the way libertarians in the third world cling to internet access, I'm more reluctant to create barriers.

I recently had to block every single APNIC /8 using iptables. Ideal solution? No, but the amount of DDoS traffic and brute force intrusion attempts went to virtually nothing. It also upsets me that with the sheer amount of malicious activity coming from APNIC assigned IP's, ARIN decided to give APNIC the last two /8's

There is a far easier and more effective solution. Iptables has the capacity to do port specific blocking. You're only interested in safe-guarding port 22 (SSH). So restrict that port to IP addresses from which you will be connecting to it. I have a static IP, so that's easy. But if you have a dynamic IP, you can make that work too through DDNS or by being less restrictive and sticking to the ip block assigned to your ISP.<p>If you need to handle brute force and hacking attempts over port 80, well, put your password protected stuff in a different directory. Script kiddies always look in the same places =)

Is there any performance impact of having so many rules?

I have a script that blocks all APNIC traffic in iptables on my personal computers. I have seen a 99.98% reduction in hacking attempts after implementing it.

you can't relay on ipdeny.com in production. Quick check shows that i.e. Israel's netblocks 128.139.0.0 and 192.117.80.0 aren't listed there.