M4 Blocked Countries

From Kolmisoft Wiki
Jump to navigationJump to search

Description

Blocked Countries is a security abstraction over the iptables. The functionality is used to block entire countries from accessing your Servers.

Usage

Blocked Countries is only available to the System Admin.

Got to SECURITY > Blocked Countries.

M2 Blocked Countries Menu.png

On the newly opened page, a list of Country names is present along with their ISO 3166 Codes.

M2 Blocked Countries.png

The to-be-blocked Countries can be checked and after clicking the Save button at the bottom of the list they will be blocked.
NOTE: Depending on the number of Countries checked the process might take up to 4-5 minutes of time.



How it works

The list of the to-be-blocked Countries is stored in the Database which is shared among the Servers. Each Server will use the Database to update its iptables.

The aggregated IP addresses for each Country are downloaded from ipdeny.com and added to the IPSets which are then included in the iptables.

Every month the Servers will renew their IP address Database to have the latest data.

NOTE: Each country Blacklist has a default Whitelist for misconfiguration and emergency cases. This list includes the Server IP, Kolmisoft Support access, the Server DNS Servers, the ipdeny.com API, the MOR Servers, and the ACCEPT rule for all the SSH traffic on port 22.



Scope and Limitations

There is a chance that on some Servers the functionality may not be installed because of Kernel's incompatibility to support the IPSet.

For this to work your Kernel version must be greater or equal to 2.6.32 and must support the ip_set and ip_set_hash_netport modules.

If the Blocked Countries functionality is not installed on any of the Servers, the GUI will show a warning (this means that the Kernel does not support the IPset).

Also, the Servers must allow the HTTP connections which are needed for file download.



See also