Adding IP Restrictions to IIS 6

A big thanks goes out to obligatorymoniker and his script for programmatically adding IP restrictions to IIS 6. I was looking for a better script to add IP restrictions. My previous script added the restrictions one IP range at a time. This script was adequate for a small number of IP restrictions, but recently I was asked to add IP restrictions for every country we do not ship to. We had a credit card fraud transaction from one of these countries, and the boss was mad. After using Perl and a CIDR module to merge the adjacent networks, I still had over 18,000 IP ranges to deny. Using my old script, I tried to add these IP ranges to our test system; this took over an hour to load. Your script loads the ranges in a couple of seconds. Here is how I did this:

  1. I went to http://www.countryipblocks.net/ to get the IP ranges I wanted to block. Beware: these ranges include bogon networks (e.g. 192.168.0.0). The first time I applied the IP ranges I blocked myself out.
  2. I used the Perl script below to merge the networks.
  3. I used obligatorymoniker's IP Security.vbs script to load the ranges. You will have to change the "IIS://localhost/smtpsvc/1" to the site you want to add the IP restrictions to.
 
use strict;
use warnings;
use Net::CIDR::Lite;
use NetAddr::IP::Lite;

my $cidr = Net::CIDR::Lite->new;

# Disallow IPs: one network per line in ip_disallow.txt; lines starting
# with '#' are comments
open(my $ipdisallow, '<', 'ip_disallow.txt') or die "couldn't open the file: $!";

while (my $record = <$ipdisallow>) {
    chomp $record;
    # skip comments and blank lines; a string test is needed here, since a
    # numeric != would also throw away every range starting with '0'
    next if $record =~ /^\s*(#|$)/;
    $cidr->add($record);
}

close($ipdisallow);

# $cidr->list returns the merged, non-overlapping CIDR blocks
foreach ($cidr->list) {
    my $ip = NetAddr::IP::Lite->new($_);
    # address, mask and (third column) the merged CIDR block they came from
    print $ip->addr, ",", $ip->mask, ",", "$_\n";
}
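The same merge step, written out in Python as an added example (it is not the page's Perl script nor obligatorymoniker's VBScript), with the step 1 pitfall handled: RFC 1918 and similar bogon space is carved out of the list before the networks are collapsed, and a final check confirms a management address is not in the deny list before anything is loaded into IIS. The country-list text, the placeholder 11.x.x.x networks and the 192.168.10.5 admin address are all constructed sample values; the "address,mask" output mirrors what the Perl script prints.

```python
"""Build a merged IIS deny list from a country IP-block file, carving out
bogon/private space first (added example, not the page's Perl script)."""
import ipaddress

# RFC 1918 private space plus the "this network", loopback and link-local
# blocks: ranges that must never reach a public deny list if you still want
# to administer the server from your own LAN (the lock-out from step 1).
BOGONS = [ipaddress.ip_network(b) for b in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed sample input in the style of a country-block file; the 11.x
# networks are placeholders, not a real country's allocation.
SAMPLE_LIST = """\
# constructed sample country list
11.1.0.0/24
11.1.1.0/24
11.1.2.0/24
11.1.3.0/24
11.1.0.0/25      # already inside 11.1.0.0/24
11.5.0.0/16
11.5.1.0/24      # already inside 11.5.0.0/16
192.168.0.0/15   # sloppy range that swallows RFC 1918 space
10.0.0.0/8       # pure bogon
junk line
"""


def parse_ranges(text):
    """Yield IPv4Network objects; '#' comments, blank and bad lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version == 4:          # IIS 6 IP restrictions are IPv4 only
            yield net


def strip_bogons(nets):
    """Drop networks that lie inside a bogon and carve bogons out of any
    network that contains one, instead of dropping the whole range."""
    kept = []
    for net in nets:
        pieces = [net]
        for bogon in BOGONS:
            nxt = []
            for piece in pieces:
                if piece.subnet_of(bogon):
                    continue                                  # entirely bogon
                if bogon.subnet_of(piece):
                    nxt.extend(piece.address_exclude(bogon))  # carve it out
                else:
                    nxt.append(piece)
            pieces = nxt
        kept.extend(pieces)
    return kept


def merge(nets):
    """Collapse adjacent and overlapping networks into the fewest CIDR blocks,
    the job Net::CIDR::Lite->list does in the Perl script."""
    return list(ipaddress.collapse_addresses(nets))


def iis_entries(nets):
    """Render networks as 'address,mask' lines, the form the Perl script prints."""
    return [f"{n.network_address},{n.netmask}" for n in nets]


def covers(nets, address):
    """True if `address` would be denied by the list; run it against your own
    management addresses before loading the list into IIS."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in nets)


def build_deny_list(text):
    """Full pipeline: parse -> strip bogons -> merge -> IIS entries."""
    nets = merge(strip_bogons(parse_ranges(text)))
    return nets, iis_entries(nets)


if __name__ == "__main__":
    networks, entries = build_deny_list(SAMPLE_LIST)
    for line in entries:
        print(line)
    # constructed admin address on the office LAN; must come back False
    print("admin 192.168.10.5 blocked?", covers(networks, "192.168.10.5"))
```

On the sample above the nine usable lines collapse to three blocks (11.1.0.0/22, 11.5.0.0/16 and 192.169.0.0/16): the four adjacent /24s and the redundant /25 become one /22, the 10.0.0.0/8 line is dropped outright, and the 192.168.0.0/15 line is trimmed to the public half so the office LAN stays reachable.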