Skip to content

vulnebify/cidre

BranchesTags

Repository files navigation

CIDRE

CIDRe is a CLI tool that fetches daily updated IP allocations from Regional Internet Registries (RIRs), compiles them into country-based CIDR files, and allows easy firewall management. Daily automatic CIDR updates in the repository.

Compile CIDRs Publish Release to PyPI

asciicast

Quick start

Install CIDRE

pip install cidre-cli

Pull & merge CIDR ranges

cidre cidr pull --merge
  • Downloads the latest CIDR allocations from RIRs.
  • Merges overlapping IP ranges for efficiency.

Block specific countries

# UFW is better suited for small CIDR inputs
cidre firewall deny ir kp --firewall ufw
  • Blocks Iran (IR), and North Korea (KP) in UFW.
  • Requires ufw installed (sudo apt install ufw).
# iptables is better suited for large CIDR inputs
cidre firewall deny ru ir kp --firewall iptables
  • Blocks Russia (RU), Iran (IR), and North Korea (KP) in iptables using ipset.
  • Requires ipset and iptables installed (sudo apt install ipset iptables).

Installation

From PyPI

pip install cidre-cli

From GitHub

git clone https://github.com/vulnebify/cidre.git && cd cidre && python3 -m venv .venv && source .venv/bin/activate && pip install .

Commands

cidr pull

Command Description
cidre cidr pull Fetches the latest IP allocation data from all RIRs
cidre cidr pull --merge Merges overlapping IP ranges for efficiency. Optional.
cidre cidr pull --proxy PROXY Proxies connection to RIRs. Optional.
cidre cidr pull --cidr-store PATH Specifies CIDRs' custom storage directory. Default: ./output/cidr

cidr count

Command Description
cidre cidr count Counts amount of IPs per country
cidre cidr count US CN Counts amount of IPs by country code (ISO 3166-1 alpha-2 code)
cidre cidr count --cidr-store PATH Specifies CIDRs' custom storage directory. Default: ./output/cidr

firewall allow|deny|reject

Command Description
cidre firewall allow Apply allow rule to specified firewall
cidre firewall deny Apply deny rule to specified firewall
cidre firewall reject Apply reject rule to specified firewall
cidre firewall reject --firewall ufw Firewall to apply rules. Options: ufw, iptables. Default: ufw
cidre firewall reject --cidr-store PATH Specifies CIDRs' custom storage directory. Default: ./output/cidr

⚠️ NOTE: iptables firewall DO NOT persist rules by default

To ensure iptables and IPSet rules persist after a reboot, follow these steps:

# Save rules based on the firewall method:
# - For iptables + IPSet:
sudo ipset save > /etc/ipset.rules
sudo iptables-save > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6

# Restore firewall rules on boot:
# - For iptables + IPSet:
sudo bash -c 'echo "ipset restore < /etc/ipset.rules" >> /etc/rc.local'
sudo chmod +x /etc/rc.local

# Reboot and verify:
sudo reboot
sudo ipset list
sudo iptables -L -v -n

License

This project is licensed under the MIT License.

Inspired by

CIDRE was inspired by herrbischoff/country-ip-blocks and aims to provide an automated alternative with firewall integration.

Contributions

PRs are welcome! Feel free to fork the repo and submit pull requests.

Contact

For any questions, open an issue or reach out via GitHub Discussions.

About

A CLI tool for fetching and managing CIDR IP ranges from RIRs with firewall integration.

Topics

firewall iptables cidr iptables-rules ufw arin apnic lacnic afrinic ufw-firewall iptables-firewall ripencc countries-data

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

18 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 14

v2.1.1 Latest
Jul 15, 2025
+ 13 releases

Contributors 4

  •  
  •  
  •  
  •  

Languages