Asterisk security by Country

You can block traffic at either the Apache or the iptables level. I recommend iptables to save some resources. First, you need to get the list of netblocks for each country. Visit the ipdeny.com country block page (the DLROOT URL in the script) and download the IP block files, which are provided in CIDR format. Then use the following shell script:

```bash
#!/bin/bash
### Block all traffic from AFGHANISTAN (af) and CHINA (CN). Use ISO code ###
ISO="af cn"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

# flush all chains in every table and reset the default policies to ACCEPT
cleanOldRules() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# clean old rules
cleanOldRules

# create a new iptables list
$IPT -N $SPAMLIST

for c in $ISO
do
    # local zone file
    tDB=$ZONEROOT/$c.zone

    # get fresh zone file
    $WGET -O $tDB $DLROOT/$c.zone

    # country specific log message
    SPAMDROPMSG="$c Country Drop"

    # get the netblocks, skipping comment and blank lines
    BADIPS=$($EGREP -v "^#|^$" $tDB)
    for ipblock in $BADIPS
    do
        $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
        $IPT -A $SPAMLIST -s $ipblock -j DROP
    done
done

# Drop everything
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST

# call your other iptable script
# /path/to/other/iptables.sh

exit 0
# ///////////////////////////////// END OF SCRIPT
```

Save the above script as the root user and set the ISO variable to the two-letter ISO country codes you want to block. Once done, install the script to run weekly from root's crontab:

@weekly /path/to/country.block.iptables.sh

To start blocking immediately, run:

/path/to/country.block.iptables.sh

And you are done blocking the whole country from your server.
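The script above flushes the existing rules and then trusts whatever wget fetched, so a truncated or corrupted zone file silently yields an incomplete block list. The following is an added example (not the cyberciti script and not part of the original page) that validates an ipdeny-style zone file before its entries reach iptables; the zone file contents and the function names are constructed for the example.

```bash
#!/bin/bash
# Added example: validate an ipdeny-style zone file before handing its
# entries to iptables. Everything here is constructed for illustration.

# Constructed sample zone file in ipdeny's format: a comment, a blank line,
# two valid blocks and one malformed entry.
ZONE_SAMPLE=$(mktemp)
trap 'rm -f "$ZONE_SAMPLE"' EXIT
cat > "$ZONE_SAMPLE" <<'EOF'
# constructed sample, not a real country zone
203.0.113.0/24

198.51.100.0/25
not-a-cidr
EOF

# Return 0 only if $1 is an IPv4 CIDR block: four octets 0-255, prefix 0-32.
valid_cidr() {
    local ip prefix o
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    local IFS=.
    set -- $ip                      # split the address into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the valid blocks of zone file $1, one per line; report the rejects
# on stderr and fail if nothing usable was found (i.e. the download failed).
filter_zone() {
    local line good=0 bad=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        if valid_cidr "$line"; then echo "$line"; good=$((good+1))
        else bad=$((bad+1)); fi
    done < "$1"
    echo "$1: valid=$good rejected=$bad" >&2
    [ "$good" -gt 0 ]
}
```

In the country script, `BADIPS=$(filter_zone $tDB) || continue` in place of the bare egrep would skip a country whose download produced no usable blocks instead of applying an empty rule set.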

iptables geoip patch
An alternative to the shell script above is the geoip iptables patch. This is not a standard iptables module: you need to download the patch and recompile the Linux kernel. The details of kernel compilation and iptables patching are beyond the scope of this FAQ and are left as an exercise for the reader.
 * Grab the geoip patch from the official website.
 * Download and install the Linux kernel and iptables source code.
 * Grab and install the tool called patch-o-matic (required for the geoip module).
 * Finally, grab the GeoIP database from MaxMind.

Extracted from: cyberciti