ClearOS Feature Request
GeoIP Blocking
I can't find this anywhere in ClearOS, but I have used it on other firewall products.
Block all traffic going to port xxx
Allow traffic going to port xxx from 'country code' = US,CA,XL
Whitelisting IP addresses with GeoIP is a great way of protecting Exchange servers, web/FTP servers, etc.
I really wish ClearOS had the capability.
In Firewall
Responses (4)
-
Accepted Answer
Yes, however it's a pain to figure out how to set up the firewall rules. Which countries' emails are allowed through and which are blocked? Do you use a whitelist or a blacklist? You could, I think, have separate rules for different ports, but that could get complicated. I am using the United States as an example, even though I am now based in the United Kingdom. Assuming you and your users never leave the country, you can decide to accept incoming emails from anywhere but prevent them from being collected from locations outside the United States. -
Accepted Answer
Based on a forum thread (search "country block"), I created this howto. See what you make of it.
[edit]
And avoid lots of iptables rules if you go down your route. Ipset sets are way more efficient.
[/edit] -
Accepted Answer
I think that whitelisting would produce a smaller rule set.
The idea is not to block countries on all ports, but only on specific ones. For me, it is for Exchange. I need ports 80 and 443 open for access to webmail and remote Outlook.
But I could see users wanting this to stop hacking on FTP servers, SSH, RDP, and others. You might want to lock it down to a specific IP range or your country.
Block all on port 80
Allow port 80 if country = US,CA,GB,XL
I do this using another firewall product (Untangle), but I am moving back to ClearOS as I really like the email and content filtering.
Right now I am working on a bash script to do this (I have echos in it to debug):
#!/bin/bash
# Usage: ./Allow-geoip.sh <CountryName> <zone file>
# Echoes the iptables commands for debugging; drop the echos to apply them.
# Define chain to allow a country
echo "iptables -N Allow-Country-$1"
# One ACCEPT rule per CIDR range read from the zone file
while read -r y
do
    echo "iptables -A Allow-Country-$1 -s $y -j ACCEPT"
done < "$2"
# Anything not in the country's ranges is dropped
echo "iptables -A Allow-Country-$1 -j DROP"
# Send port 80 traffic through the country chain
echo "iptables -A INPUT -p tcp --dport 80 -j Allow-Country-$1"
Execute like:
./Allow-geoip.sh Canada ca.zone
This will create a new chain called Allow-Country-Canada and 4700 CIDR range entries (Canada zone file) to allow, like 216.181.240.0/21.
I think it would use fewer iptables resources to have 4700 whitelisted IP ranges than to block hundreds of thousands of ranges for multiple countries.
I was going to do something similar on my Exchange server, but it seems like Windows Firewall doesn't process rules in order and the best you can do is block IPs.
Thoughts?
Joe -
Accepted Answer
Agree, but crafting the firewall rules is a PITA. Do you whitelist or blacklist, e.g. do you allow all mail from the US or block all mail from CN, RU, etc.? I suppose you could have multiple rules for multiple ports, but it can get to be a pain to manage. I'm picking on the US, but I live in the UK; I am just using this as an example. You may want to allow inbound e-mails from anywhere but block picking up e-mails from anywhere outside the US, because you know that you and your users never travel outside the US.