Ubuntu – How to Block Visitors by Country with ‘ufw’


You want to allow or deny incoming SSH connections to your server based on the originating country, and the blocking needs to be done on the host OS itself.


You can configure ‘ufw’ to allow or deny connections based on source IP subnets. You can get the IP subnets for a specific country from IP2location.com.


  1. Go to https://www.ip2location.com/free/visitor-blocker.
  2. Near the end of the page, under “Download List”, choose the “Country”, set “Output Format” to “CIDR”, and save the file.
  3. Copy the file to your Linux host, say to your home directory. In this example the file name is cidr-singapore.txt.
  4. Run the following bash command from your home directory to add the rules (modify the port number as needed). Comment lines starting with “#” are skipped, and the subnet is quoted so it is passed to ufw as a single argument:
grep -v '^#' cidr-singapore.txt | while read -r subnet; do sudo ufw allow proto tcp from "$subnet" to any port 22; done
  5. Check the status of your ufw rules again:
sudo ufw status
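The one-liner above passes every non-comment line straight to ufw. The script below is an added example (not part of the original post or of IP2Location’s tooling) that reads a CIDR list in the same format, validates each entry as an IPv4 CIDR, drops blank, CRLF-terminated or malformed lines, and prints the resulting ufw commands for review instead of running them. The sample list is constructed; the ufw_rules_for, valid_cidr and demo names are this example’s own. It also prints “ufw default deny incoming” first, because allow rules for a country only restrict anything when the default incoming policy is deny.

```shell
#!/bin/sh
# Constructed stand-in for an IP2Location CIDR download (not real data):
# '#' comment lines, one subnet per line, plus a blank line and a bad entry.
SAMPLE='# constructed sample list
192.0.2.0/24
198.51.100.0/25

bad-entry
203.0.113.64/26'

# valid_cidr ENTRY: succeeds only for a well-formed IPv4 CIDR (a.b.c.d/n,
# each octet 0-255, prefix 0-32). Anything else is rejected.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1 }'
}

# ufw_rules_for FILE [PORT]: print, without executing, the ufw commands the
# list implies for PORT (default 22). Comments, blank lines and malformed
# entries are skipped (reported on stderr) instead of being handed to ufw.
# The allow rules only restrict access when the default policy is deny,
# so that command is printed first.
ufw_rules_for() {
    file="$1"; port="${2:-22}"
    echo "ufw default deny incoming"
    tr -d '\r' < "$file" | grep -v '^#' | while IFS= read -r subnet; do
        [ -z "$subnet" ] && continue
        if ! valid_cidr "$subnet"; then
            echo "skipping malformed entry: $subnet" >&2
            continue
        fi
        echo "ufw allow proto tcp from $subnet to any port $port"
    done
}

# Stand-alone demo: review the rules the sample list would produce for SSH.
demo() {
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE" > "$tmp"
    ufw_rules_for "$tmp" 22
    rm -f "$tmp"
}
```

Once the printed rules have been reviewed, they can be applied by piping the output into `sudo sh`; check that your own source address is covered by one of the subnets before doing so, or the SSH session you are using will be cut off.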

Short notes on Linux Libraries

Libraries are compiled code that is usually incorporated into a program at a later time.

  • Three types: static libraries, shared libraries, and dynamically loaded libraries.
  • Static libraries are a collection of normal object files.
  • They usually end with “.a”.
  • The collection is created with the “ar” command.
  • Shared libraries are loaded at program start-up and shared between programs.
  • Dynamically loaded libraries can be loaded and used at any time while a program is running.
  • DL libraries are not really in any kind of library format.
  • Both static and shared libraries can be used as DL libraries.

Linux Processes and CPU Performance

In Linux, a process can be either:

  • runnable, or
  • blocked (awaiting some events to complete)

When it is runnable, the process competes with other processes for CPU time. A runnable process may or may not be consuming CPU time at a given moment; it is the CPU scheduler that decides which process to run next from the list of runnable processes. Processes waiting to use the CPU form a line known as the run queue.

When it is blocked, it is typically waiting for data from an I/O device or for the result of a system call.

The system usually reports the load by totalling the running processes and the runnable processes.

When it comes to multitasking, the OS can be:

  • cooperative multitasking, or
  • preemptive multitasking

In preemptive multitasking, the scheduler gives each process a time slice of CPU. The process is involuntarily suspended after it has consumed its allocated time, which prevents one process from monopolizing the available CPU time.

In cooperative multitasking, a process keeps running until it voluntarily stops. When it suspends itself, this is called yielding. The scheduler cannot decide how long the process should run.

Starting with kernel 2.5, Linux got a new scheduler, the O(1) scheduler. It has since been replaced with CFS, which I wrote about in my earlier posts.

Tools to view the CPU performance

I usually use these tools to check:

  • vmstat
  • top

Those tools are quite basic, yet are able to produce pretty good information, and they come with almost every distro.

In vmstat, I check the number of interrupts fired (in), the number of context switches (cs), and the CPU utilization: user (us), system (sy) and idle (id). I expect to see a lower “cs” than “in”. I’ll try to explain context switches and interrupts in future posts; for the time being, kindly look them up.

top (version 3) produces more stats. We can check the states of the processes, as well as the user CPU stats and the system CPU stats (softirq, iowait, irq).

Linux Package Management

I always like to play around with new distros that I find on distrowatch.com. Gentoo is my primary distribution, and I have Arch as my second; Arch also offers a flexible system. Almost every Linux system is the same in functionality and features, and as far as I can see, the only differences are how they implement the front-ends and how they manage packages.

With Gentoo, I am not won over by easy or pretty front-ends (you could say Gentoo’s text output is quite colorful); I’m more interested in how to add, remove and update software packages on the system. I don’t think anyone will be content with only the packages that come with the distro. Package management offers various ways to install and remove software, as well as to update one package or the whole system. It also lets us select the software repositories we download packages from. These are some package management systems that are usually tied to a distro and its variants:

apt-get for Debian, Ubuntu, etc.
emerge for Gentoo, Sabayon
yum for Fedora, etc.

For more information about package management systems for Linux distributions, you can always refer to these good documents: