Skip to content
/ cidre Public

A CLI tool for fetching and managing CIDR IP ranges from RIRs with firewall integration.

License

MIT license
3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

vulnebify/cidre

BranchesTags

Repository files navigation

demo

CIDRe is a CLI tool that fetches daily updated IP allocations from Regional Internet Registries (RIRs), compiles them into country-based CIDR files, and allows easy firewall management.

🔹 Supports AFRINIC, APNIC, ARIN, LACNIC, RIPE NCC
🔹 Daily automatic CIDR updates in the repository
🔹 Merges and optimizes CIDR blocks for efficiency
🔹 Firewall integration (UFW & iptables /w ipset support)
🔹 IPv4 & IPv6 compatible

⚡ Quick start

1️⃣ Install CIDRE

pip install cidre-cli

2️⃣ Pull & merge CIDR ranges

cidre pull --merge
  • Downloads the latest CIDR allocations from RIRs.
  • Merges overlapping IP ranges for efficiency.

3️⃣ Block specific countries

# UFW is better suited for small CIDR inputs
cidre deny ir kp --firewall ufw
  • Blocks Iran (IR), and North Korea (KP) in UFW.
  • Requires ufw installed (sudo apt install ufw).
# iptables is better suited for large CIDR inputs
cidre deny ru ir kp --firewall iptables
  • Blocks Russia (RU), Iran (IR), and North Korea (KP) in iptables using ipset.
  • Requires ipset and iptables installed (sudo apt install ipset iptables).

🛠️ Installation

1️⃣ Install via PyPI

pip install cidre-cli

2️⃣ Alternative: clone the repository

git clone https://github.com/vulnebify/cidre.git
cd cidre
python3 -m venv .venv
source .venv/bin/activate
pip install .

⚡ Usage

1️⃣ Pull and compile CIDR ranges

Fetches the latest IP allocation data from all RIRs and compiles per-country CIDR blocks:

cidre pull --merge
  • --merge: Merges overlapping IP ranges for efficiency.
  • --proxy <proxy>: Proxies connection to RIRs.
  • --cidr-store <path>: Specifies CIDRs' custom storage directory. Default ./output/cidr/{ipv4|ipv6}/{country_code}.cidr.

2️⃣ Action on countries

Allow|deny|reject specific countries' CIDR blocks in specified firewall:

cidre allow|deny|reject ru ir kp
  • --firewall ufw|iptables: Firewall to apply rules. Default ufw.
  • --cidr-store <path>: Specifies CIDRs' custom storage directory. Default ./output/cidr/{ipv4|ipv6}/{country_code}.cidr.

⚠️ NOTE: iptables firewall DO NOT persist rules by default

To ensure iptables and IPSet rules persist after a reboot, follow these steps:

# 1️⃣ Save rules based on the firewall method:
# - For iptables + IPSet:
sudo ipset save > /etc/ipset.rules
sudo iptables-save > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6

# 2️⃣ Restore firewall rules on boot:
# - For iptables + IPSet:
sudo bash -c 'echo "ipset restore < /etc/ipset.rules" >> /etc/rc.local'
sudo chmod +x /etc/rc.local

# 3️⃣ Reboot and verify:
sudo reboot
sudo ipset list
sudo iptables -L -v -n

📄 License

This project is licensed under the MIT License.

🙌 Inspired by

CIDRE was inspired by herrbischoff/country-ip-blocks and aims to provide an automated alternative with firewall integration.

🤝 Contributions

PRs are welcome! Feel free to fork the repo and submit pull requests.

📧 Contact

For any questions, open an issue or reach out via GitHub Discussions.

About

A CLI tool for fetching and managing CIDR IP ranges from RIRs with firewall integration.

Topics

firewall iptables cidr iptables-rules ufw arin apnic lacnic afrinic ufw-firewall iptables-firewall ripencc countries-data

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 11

v1.1.5 Latest
Mar 18, 2025
+ 10 releases

Languages