Blokir Akses Negara Tertentu Di VPS
blokir akses negara lain di vps
* Pertama, install dulu paket untuk whitelist negara Indonesia:
apt update
apt install ipset iptables-persistent curl wget -y
(Kalau muncul pertanyaan:
Save current IPv4 rules?
Pilih YES)
BUAT FILE
• nano /root/full-firewall.sh
COPY PASTE SEMUA ini (ganti TOKEN & CHAT ID SERTA IP VPS)
________________________________
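#!/bin/bash
# /root/full-firewall.sh
#
# Purpose: allow only Indonesian IPv4 source addresses (plus one admin IP) to
# reach the listed ports, log and drop everything else, and install a small
# Telegram notifier that reports the drops. The script is re-run weekly from
# cron to refresh the country list.
#
# Edit BOT_TOKEN, CHAT_ID and MYIP before running.
#
# Limits of this setup (worth knowing before relying on it):
#   * IPv4 only. The ipdeny zone file carries no IPv6 ranges and nothing here
#     touches ip6tables, so a public IPv6 address on the VPS is not filtered.
#   * Only TCP_PORTS, the two TCP ranges and UDP are filtered; the INPUT policy
#     stays ACCEPT, so any other TCP port remains reachable from anywhere.
#   * netfilter-persistent saves the iptables rules but not the ipset. After a
#     reboot, rules that reference whitelist_id cannot be restored until this
#     script runs again (e.g. via the weekly cron job) or ipset persistence is
#     added separately.
set -u

BOT_TOKEN="ISI_TOKEN_KAMU"
CHAT_ID="ISI_CHAT_ID_KAMU"
MYIP="87.106.131.177"

SET_NAME="whitelist_id"
ZONE_URL="https://www.ipdeny.com/ipblocks/data/countries/id.zone"
TCP_PORTS="22,80,109,443,8080,1194,7100,7300"
MONITOR_SCRIPT="/root/fw-monitor.sh"
MONITOR_UNIT="/etc/systemd/system/fw-monitor.service"
CRON_LINE="0 3 * * 1 /root/full-firewall.sh"

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

if [[ "$BOT_TOKEN" == "ISI_TOKEN_KAMU" || "$CHAT_ID" == "ISI_CHAT_ID_KAMU" ]]; then
  printf 'WARNING: BOT_TOKEN / CHAT_ID still hold placeholder values; Telegram alerts will not work\n' >&2
fi

echo "=== INSTALL PACKAGE ==="
apt update -y
apt install -y ipset iptables-persistent curl wget

# Download and validate the country list BEFORE touching the firewall, so a
# failed download leaves the existing rules untouched instead of leaving the
# set empty (which would drop every non-admin client on the filtered ports).
echo "=== DOWNLOAD INDONESIA IP ==="
tmpdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$tmpdir"; ipset destroy "${SET_NAME}_new" 2>/dev/null' EXIT
zone_file="$tmpdir/id.zone"
wget -q --timeout=30 --tries=3 -O "$zone_file" "$ZONE_URL" \
  || die "download of $ZONE_URL failed; existing firewall left unchanged"

# Keep only plain IPv4 CIDR lines; anything else in the feed is ignored rather
# than handed to ipset.
cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
count=$(grep -cE "$cidr_re" -- "$zone_file")
(( count > 0 )) || die "zone file contains no usable networks; existing firewall left unchanged"

# Build the new list in a scratch set and swap it in, so the rules never point
# at an empty or half-filled set. 'ipset restore' is one process instead of
# one 'ipset add' per network.
ipset destroy "${SET_NAME}_new" 2>/dev/null
{
  printf 'create %s hash:net\n' "${SET_NAME}_new"
  grep -E "$cidr_re" -- "$zone_file" | sed "s/^/add ${SET_NAME}_new /"
  printf 'add %s %s\n' "${SET_NAME}_new" "$MYIP"
} | ipset restore -exist || die "ipset restore failed"
ipset create "$SET_NAME" hash:net -exist
ipset swap "${SET_NAME}_new" "$SET_NAME" || die "ipset swap failed"
ipset destroy "${SET_NAME}_new"
echo "loaded $count networks plus $MYIP into $SET_NAME"

echo "=== CLEAN OLD FIREWALL ==="
# Reset the policy to ACCEPT before flushing: if an older ruleset had set
# INPUT to DROP, flushing its ACCEPT rules first would cut the SSH session.
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F

echo "=== APPLY FIREWALL RULES ==="
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Adds a rate-limited LOG rule and a DROP rule for traffic matching "$@" whose
# source is not in the whitelist. The limit keeps a scan from flooding
# kern.log (and the Telegram bot); the DROP itself is never rate-limited.
log_and_drop() {
  local prefix=$1
  shift
  iptables -A INPUT "$@" -m set ! --match-set "$SET_NAME" src \
    -m limit --limit 30/min --limit-burst 50 -j LOG --log-prefix "$prefix"
  iptables -A INPUT "$@" -m set ! --match-set "$SET_NAME" src -j DROP
}
log_and_drop "FW-DROP-TCP: " -p tcp -m multiport --dports "$TCP_PORTS"
log_and_drop "FW-DROP-TCP: " -p tcp --dport 8081:9999
log_and_drop "FW-DROP-TCP: " -p tcp --dport 400:900
log_and_drop "FW-DROP-UDP: " -p udp --dport 1:65535
netfilter-persistent save

echo "=== CREATE TELEGRAM MONITOR ==="
# Header carries the credentials (shell-quoted); the body is a quoted heredoc
# so nothing in it is expanded by this script.
{
  printf '#!/bin/bash\n'
  printf 'BOT_TOKEN=%q\n' "$BOT_TOKEN"
  printf 'CHAT_ID=%q\n' "$CHAT_ID"
  cat <<'EOF'
# Follows the kernel log and sends one Telegram message per FW-DROP line.
# NOTE: the bot token is part of the request URL, so it is visible in the
# process list while curl runs; the script file itself is mode 700.
LOG_FILE="/var/log/kern.log"   # rsyslog path on Debian/Ubuntu; journald-only hosts need another source
tail -Fn0 "$LOG_FILE" | while IFS= read -r line; do
  case "$line" in
    *FW-DROP*) ;;
    *) continue ;;
  esac
  ip=$(grep -oP 'SRC=\K[0-9.]+' <<<"$line")
  port=$(grep -oP 'DPT=\K[0-9]+' <<<"$line")
  msg="🚨 FOREIGN BLOCKED
IP: $ip
Port: $port
Server: $(hostname)
Time: $(date)"
  # --data-urlencode: the text has newlines and may contain & or +, which a
  # plain -d would hand to the API unencoded.
  curl -s --max-time 15 -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
    --data-urlencode "chat_id=${CHAT_ID}" \
    --data-urlencode "text=${msg}" >/dev/null
done
EOF
} > "$MONITOR_SCRIPT"
chmod 700 "$MONITOR_SCRIPT"

cat > "$MONITOR_UNIT" <<EOF
[Unit]
Description=Firewall Telegram Monitor
After=network.target

[Service]
ExecStart=$MONITOR_SCRIPT
Restart=always
User=root

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable fw-monitor
# restart (not start) so a re-run replaces the running copy of the old script
systemctl restart fw-monitor

echo "=== SET WEEKLY UPDATE ==="
# Add the entry only once; an unconditional append would grow the crontab by
# one line every time the weekly job runs this script.
if ! crontab -l 2>/dev/null | grep -qF -- "$CRON_LINE"; then
  (crontab -l 2>/dev/null; printf '%s\n' "$CRON_LINE") | crontab -
fi
echo "=== DONE ==="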
_____________________________
* Jalankan *
# Make the installer executable and run it (the script itself must be run as root:
# it calls apt, iptables, ipset and writes under /root and /etc/systemd).
chmod +x /root/full-firewall.sh
bash /root/full-firewall.sh
LANJUT HAPUS FIREWALL YANG LAMA
Cara Cek Sekarang
Jalankan ini:
# Show the current INPUT chain numerically (-n: no DNS lookups) with rule numbers.
iptables -L INPUT -n --line-numbers
Dan:
# List every ipset that exists (name, type and members); look for whitelist_id here.
ipset list
Kalau di output masih ada whitelist_id, berarti firewall lama belum dibersihkan.
Cara Paling Aman (Bersih Total)
Kalau mau tidak bentrok sama sekali, jalankan ini dulu sebelum install script baru:
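# Reset the INPUT policy to ACCEPT *before* flushing: if the old firewall used
# a DROP policy, flushing its ACCEPT rules first would cut the SSH session
# this is being run from.
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
# The old sets may not exist; the error in that case is expected and silenced.
ipset destroy whitelist_id 2>/dev/null
ipset destroy block_countries 2>/dev/null
# Persist the now-empty ruleset so the old rules do not return after a reboot.
netfilter-persistent save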
Install FIREWALL Baru
# Packages needed by the script below: ipset (country sets), iptables-persistent
# (netfilter-persistent save), curl (Telegram/geo lookups), wget (zone download).
apt update -y
apt install -y ipset iptables-persistent curl wget
Buat script
nano /root/block-country-firewall.sh
ISI DENGAN SCRIPT DI BAWAH, GANTI TOKEN DAN CHAT ID TELEGRAM KALIAN:
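#!/bin/bash
# /root/block-country-firewall.sh
#
# Purpose: drop all inbound IPv4 traffic whose source falls in the ipdeny
# ranges of the countries in BLOCK_LIST, log the drops, and install a Telegram
# notifier (one alert per source IP per 600 s, with an ip-api.com lookup).
#
# Edit BOT_TOKEN and CHAT_ID before running.
#
# Limits of this setup:
#   * IPv4 only; ip6tables is not touched, so a public IPv6 address is not
#     filtered.
#   * 'iptables -F' below removes every existing rule, not just those from a
#     previous run of this script.
#   * netfilter-persistent saves the iptables rules but not the ipset; after a
#     reboot the DROP rule cannot be restored until this script runs again.
#     No cron entry is installed here, so the list also goes stale unless the
#     script is re-run by hand or scheduled separately.
set -u

BOT_TOKEN="ISI_TOKEN_KAMU"
CHAT_ID="ISI_CHAT_ID_KAMU"
BLOCK_LIST="br cn sg bg co ph th ma sd za ml tn"

SET_NAME="block_countries"
ZONE_BASE="https://www.ipdeny.com/ipblocks/data/countries"
MONITOR_SCRIPT="/root/country-monitor.sh"
MONITOR_UNIT="/etc/systemd/system/country-monitor.service"

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

if [[ "$BOT_TOKEN" == "ISI_TOKEN_KAMU" || "$CHAT_ID" == "ISI_CHAT_ID_KAMU" ]]; then
  printf 'WARNING: BOT_TOKEN / CHAT_ID still hold placeholder values; Telegram alerts will not work\n' >&2
fi

# Download and validate every zone file BEFORE touching the firewall. A failed
# download is fatal here rather than silently skipped: an empty zone file would
# quietly leave that country unblocked.
echo "Downloading country IP blocks..."
tmpdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$tmpdir"; ipset destroy "${SET_NAME}_new" 2>/dev/null' EXIT
cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
: > "$tmpdir/all.zone"
# BLOCK_LIST is deliberately unquoted: it is a space-separated list of codes.
for cc in $BLOCK_LIST; do
  wget -q --timeout=30 --tries=3 -O "$tmpdir/$cc.zone" "$ZONE_BASE/$cc.zone" \
    || die "download of $cc.zone failed; existing firewall left unchanged"
  n=$(grep -cE "$cidr_re" -- "$tmpdir/$cc.zone")
  (( n > 0 )) || die "$cc.zone contains no usable networks; existing firewall left unchanged"
  grep -E "$cidr_re" -- "$tmpdir/$cc.zone" >> "$tmpdir/all.zone"
  echo "  $cc: $n networks"
done

# Build the list in a scratch set and swap it in, so the DROP rule never points
# at a half-filled set. maxelem is raised above the default because several
# large countries are combined into one set.
ipset destroy "${SET_NAME}_new" 2>/dev/null
{
  printf 'create %s hash:net maxelem 131072\n' "${SET_NAME}_new"
  sed "s/^/add ${SET_NAME}_new /" -- "$tmpdir/all.zone"
} | ipset restore -exist || die "ipset restore failed"
ipset create "$SET_NAME" hash:net maxelem 131072 -exist
ipset swap "${SET_NAME}_new" "$SET_NAME" || die "ipset swap failed"
ipset destroy "${SET_NAME}_new"

echo "Applying firewall rule..."
# Policy to ACCEPT before the flush so an old DROP policy cannot cut the session.
iptables -P INPUT ACCEPT
iptables -F
iptables -X
# Rate-limited LOG so a scan from a blocked range cannot flood kern.log;
# the DROP itself is not limited.
iptables -A INPUT -m set --match-set "$SET_NAME" src \
  -m limit --limit 30/min --limit-burst 50 -j LOG --log-prefix "COUNTRY-BLOCK: "
iptables -A INPUT -m set --match-set "$SET_NAME" src -j DROP
netfilter-persistent save

# ===== TELEGRAM MONITOR =====
# Header carries the credentials (shell-quoted); the body is a quoted heredoc
# so nothing in it is expanded by this script.
{
  printf '#!/bin/bash\n'
  printf 'BOT_TOKEN=%q\n' "$BOT_TOKEN"
  printf 'CHAT_ID=%q\n' "$CHAT_ID"
  cat <<'EOF'
# Follows the kernel log; for each COUNTRY-BLOCK line sends at most one
# Telegram message per source IP every 600 s, with country/ISP from ip-api.com.
# NOTE: the bot token is part of the request URL, so it is visible in the
# process list while curl runs; the script file itself is mode 700.
CACHE="/var/log/country-block.log"   # one "<ip> <epoch-of-last-alert>" line per IP
LOG_FILE="/var/log/kern.log"         # rsyslog path on Debian/Ubuntu
touch "$CACHE"
tail -Fn0 "$LOG_FILE" | while IFS= read -r line; do
  case "$line" in
    *COUNTRY-BLOCK*) ;;
    *) continue ;;
  esac
  ip=$(grep -oP 'SRC=\K[0-9.]+' <<<"$line")
  port=$(grep -oP 'DPT=\K[0-9]+' <<<"$line")
  [[ -n "$ip" ]] || continue
  now=$(date +%s)
  # exact field match, so the dots in the IP are not regex wildcards
  last=$(awk -v ip="$ip" '$1 == ip { print $2 }' "$CACHE")
  if [[ -n "$last" ]] && (( now - last <= 600 )); then
    continue
  fi
  awk -v ip="$ip" '$1 != ip' "$CACHE" > "$CACHE.tmp" && mv -- "$CACHE.tmp" "$CACHE"
  printf '%s %s\n' "$ip" "$now" >> "$CACHE"
  # ip-api.com's free endpoint is plain HTTP and rate-limited; its answer is
  # only used as display text in the alert, never executed or fed to the firewall.
  geo=$(curl -s --max-time 10 "http://ip-api.com/json/${ip}")
  country=$(grep -oP '"country":"\K[^"]+' <<<"$geo")
  isp=$(grep -oP '"isp":"\K[^"]+' <<<"$geo")
  msg="🚫 COUNTRY BLOCKED
IP: $ip
Country: $country
ISP: $isp
Port: $port
Server: $(hostname)
Time: $(date)"
  # --data-urlencode: the text has newlines and may contain & or +, which a
  # plain -d would hand to the API unencoded.
  curl -s --max-time 15 -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
    --data-urlencode "chat_id=${CHAT_ID}" \
    --data-urlencode "text=${msg}" >/dev/null
done
EOF
} > "$MONITOR_SCRIPT"
chmod 700 "$MONITOR_SCRIPT"

cat > "$MONITOR_UNIT" <<EOF
[Unit]
Description=Country Firewall Monitor
After=network.target

[Service]
ExecStart=$MONITOR_SCRIPT
Restart=always
User=root

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable country-monitor
# restart (not start) so a re-run replaces the running copy of the old script
systemctl restart country-monitor
echo "INSTALL COMPLETE"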