Attention: We are retiring the IIS.NET Community Blogs. Learn more >

Generating configuration to allow/deny access to countries

There have been few requests on forums where people wanted to control access to sites based on country from where request originated. We recommended people to use IP restriction module functionality which required people to add IP address ranges of the countries they want to grant or deny access in ipSecurity section. This is easier said than done. There are a number of IP-to-country mapping lists available for free and updated frequently. These lists are usually in CSV format and identify countries (and sometimes even regions in the country) to which a particular IP-range is assigned. One such list can be downloaded from here. Entries in the CSV file go from 0 to max 32-bit unsigned integer. As the IP ranges assigned to a country are not contiguous, there are many entries (sometimes thousands) for one country. IIS7 IPRestriction module let you specify an IP-range using start-IP address and subnet mask. To move a single entry from CSV to IIS configuration you are required to create start IP address from a 32-bit integer and also create a subnet mask from IP-range both of which are not trivial. Also because most countries have hundreds of IP ranges assigned to them, going through CSV picking up these entries and then calculating start IP address and subnet mask manually is extremely difficult. Few days ago I wrote a script which does this for you. You can download the IP-to-country mapping list from here, unzip it (to say ip-to-country.csv) and then use the attached script (save ipres.js.txt as ipres.js).

To see list of countries for which IP ranges are given in CSV, use “cscript.exe //nologo ipres.js /f ip-to-country.csv /l”
To generate ipSecurity configuration to block access to a country, use “cscript.exe //nologo ipres.js /f ip-to-country.csv /d FewCharsToFilterCountry”
To generate ipSecurity configuration to grant access to a country, use “cscript.exe //nologo ipres.js /f ip-to-country.csv /a FewCharsToFilterCountry”
To find a particular IP address in this list, use "cscript.exe //nologo ipres.js /f ip-to-country.csv /g ip-address"

You can specify more than one country separated by commas to filter on. Also you can use ‘*’, ‘?’ wildcard characters in country name filter. Script will dump the configuration on the console which you can paste in ipSecurity section. Feel free to change the script to make it emit adsutil.vbs calls to add entries to IIS6 metabase.

In IIS7, ipSecurity section is locked by default. If you want to block access to a site, unlock ipSecurity section and add configuration for the site only. If you are adding the entries in web.config, you can use configSource option to keep the ipSecurity configuration in a separate file. Keep in mind that changes to configSource target file are not automatically picked up unless web.config file containing configSource attribute is changed. Also if you run into web.config file size limit, you can increase it by changing MaxWebConfigFileSizeInKB as specified in this blog.

Hope this helps.
Kanwal

No Comments