Geo-Blocking: Country IP Range to CIDR
Convert country-level IP address ranges to CIDR notation for geo-blocking and geo-fencing. Learn how regional IP registries allocate address blocks.
Detailed Explanation
Geo-Blocking with IP Range to CIDR Conversion
Geo-blocking (or geo-fencing) restricts access to web resources based on the visitor's geographic location, identified by their IP address. Regional Internet Registries (RIRs) allocate IP blocks to countries, and these ranges need CIDR conversion for firewall rules.
Example: A Country IP Block
Range: 1.0.0.0 - 1.0.0.255
CIDR: 1.0.0.0/24 (APNIC - Australia)
How Country IP Ranges Work
Five RIRs manage IP address allocation:
| RIR | Region |
|---|---|
| ARIN | North America |
| RIPE NCC | Europe, Middle East, Central Asia |
| APNIC | Asia-Pacific |
| LACNIC | Latin America, Caribbean |
| AFRINIC | Africa |
Each RIR allocates blocks to Local Internet Registries (ISPs), which assign them to end users. Country-level IP databases aggregate these allocations.
Non-Aligned Country Ranges
Country allocations rarely align to single CIDR blocks. A country might have:
Range: 103.200.20.0 - 103.200.23.255
CIDR: 103.200.20.0/22 (1,024 IPs)
Range: 45.250.0.0 - 45.250.63.255
CIDR: 45.250.0.0/18 (16,384 IPs)
A single country may have hundreds or thousands of CIDR blocks.
Implementation Approaches
- Firewall rules: Add CIDR blocks to deny/allow lists
- CDN configuration: Cloudflare, AWS CloudFront offer built-in geo-blocking
- Web server config: Nginx
geomodule, Apachemod_geoip - Application-level: Check IP against a database in code
Important Considerations
- Country IP databases are updated frequently (monthly at minimum)
- VPN and proxy users can bypass geo-blocking
- Some IP blocks are shared across countries
- IPv6 adoption changes the landscape
- Batch mode in this tool helps process hundreds of ranges at once
Use Case
A compliance officer needs to block access to a financial application from specific countries per regulatory requirements. They download the country IP allocation list in range format and use batch mode to convert all ranges to CIDR blocks for the WAF configuration.