Cloud Firewall: Limit Access to Only My Country

Linode Staff

Hello Community,

I am seeking advice on how I can limit access to my Linode. I would like to prevent anyone outside of my country from accessing my Linode. Can I utilize the Cloud Firewall to do this?

If not, what is the best option to accomplish this?

Thank you!

3 Replies

> Can I utilize the Cloud Firewall to do this?

I would say no.

> If not, what is the best option to accomplish this?

You'll probably have to use iptables/nftables and ipset to do this. The idea would be to build an ipset of the networks you want to allow and then write a rule that blocks all networks NOT in the ipset.

Building that set is harder than it sounds. Trust me on this…

-- sw

P.S. When I was doing something similar, I discovered an ASN that was in Wyoming or Montana that was operated by a company in China. Were those networks American or Chinese? The Russians operate ASNs in Gibraltar. Are those networks Russian or European?

The Cloud Firewall, unlike nftables or iptables/ipset, is limited to 255 IP blocks and/or individual IP addresses. It's pretty unlikely your country only has 255 IP networks. You have to do as stevewi suggests and use a firewall on your VPS, or use something like Cloudflare in front of your VPS. If I'm not mistaken, Cloudflare does have some option to block networks by the country they are in; that would be the easiest way if CF supports the service you're hosting on your VPS.

Also networks larger than around /22 or so and larger often have smaller blocks in different countries. So you probably can't just slap everything into some large /8 networks and call it a day. As stevewi says it's not easy for one to do.

> Also networks larger than around /22 or so and larger often have smaller blocks in different countries. So you probably can't just slap everything into some large /8 networks and call it a day.

There are several problems here:

-- Your list of blocked networks is only going to be as good as the source data you use. If you're thinking about using the free version of GeoIP from http://maxmind.com, I can tell you right now that the granularity is not very good. The pay-for version is better…as is the data from http://ipinfo.io . However, they're pay-for…and expensive…

-- If you're going to gather data from multiple sources, you need to make sure that:

  • none of the networks you've accepted into the set overlap -- if they do, you want to condense the set of overlapping networks into a minimum set of non-overlapping networks before insertion into the set (this is a very time-consuming, compute-intensive process);
  • any single nodes that aren't contained in any networks you've already accepted must be inserted into the set (a single node takes up as much space in the set as a network);
  • you need a way to exclude nodes/networks from the set that might be normally included (like, say, your employer's division in Poland or the contractor who works remotely from Tokyo);
  • you need to remove (or include depending on the sense of your rule) all "magic" networks defined by the IETF for specific purposes (so-called "bogons"); and
  • you need to handle IPv6 (which means you need two sets -- one for IPv4 and one for IPv6…and there are IPv6 bogons too).

-- Once you have your sets (you need two!), they will have to live in kernel memory with the firewall. This reduces the amount of memory available to your Linode for normal operations. Depending on the size of your sets, this can be very debilitating.

IMHO, what you're trying to do is really a fool's errand. You can produce something that will work but, I can guarantee you, it won't work very well (you'll run into lots of corner cases) and it will have a very high cost in terms of sysadmin time/effort and maintenance.

-- sw
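Added example (not code from this thread, from stevewi, or from Linode): a Python script that builds the allow-set described above, collapsing overlapping and adjacent networks into a minimal non-overlapping set, carving out excluded hosts and a few IETF special-purpose ranges, keeping IPv4 and IPv6 as two separate sets, and rendering them as an nftables ruleset that drops everything not in the sets. The sample networks (RFC 5737/3849 documentation ranges), the excluded host and the short bogon list are constructed; the table and set names `geo`, `allow4` and `allow6` are assumptions.

```python
"""Minimal non-overlapping IPv4/IPv6 allow-sets rendered as an nftables ruleset."""
import ipaddress
# Constructed sample input (RFC 5737 / RFC 3849 documentation ranges standing in
# for a country's GeoIP export): overlaps, an adjacent pair, a lone host, IPv6.
ALLOWED = ["203.0.113.0/24", "203.0.113.64/26",      # the /26 lies inside the /24
           "198.51.100.0/25", "198.51.100.128/25",   # adjacent halves of one /24
           "192.0.2.7",                              # single host (costs a slot)
           "2001:db8::/32", "2001:db8:1::/48"]       # IPv6 overlap
EXCLUDE = ["203.0.113.200"]   # hypothetical node to carve out of an allowed range
# A few IETF special-purpose ("bogon") ranges; a real build loads the full IANA registry.
BOGONS = ["0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::/128", "fe80::/10"]

def _carve(nets, cuts):
    """Remove every cut from nets, splitting a network when the cut lies inside it."""
    pieces = list(nets)
    for cut in cuts:
        nxt = []
        for p in pieces:
            if p.subnet_of(cut):            # entirely inside a cut: drop it
                continue
            nxt.extend(p.address_exclude(cut) if cut.subnet_of(p) else [p])
        pieces = nxt
    return pieces

def build_allow_sets(allowed=ALLOWED, exclude=EXCLUDE, bogons=BOGONS):
    """Return (ipv4_nets, ipv6_nets): sorted, non-overlapping, with cuts removed."""
    out = []
    for version in (4, 6):
        nets = [n for n in map(ipaddress.ip_network, allowed) if n.version == version]
        cuts = [n for n in map(ipaddress.ip_network, exclude + bogons) if n.version == version]
        # collapse_addresses merges overlapping/adjacent networks into the minimum set; redo it after carving.
        minimal = _carve(ipaddress.collapse_addresses(nets), cuts)
        out.append(sorted(ipaddress.collapse_addresses(minimal)))
    return out[0], out[1]

def is_allowed(addr, nets):
    ip = ipaddress.ip_address(addr)   # True if addr lies inside any same-family network
    return any(ip in n for n in nets if n.version == ip.version)

def render_nft(v4, v6):
    """nftables ruleset: two interval sets plus an input chain whose policy is drop."""
    elems = lambda nets: ", ".join(map(str, nets))
    return "\n".join([
        "table inet geo {",
        f"  set allow4 {{ type ipv4_addr; flags interval; elements = {{ {elems(v4)} }} }}",
        f"  set allow6 {{ type ipv6_addr; flags interval; elements = {{ {elems(v6)} }} }}",
        "  chain input {", "    type filter hook input priority 0; policy drop;",
        "    iif lo accept", "    ct state established,related accept",
        "    ip saddr @allow4 accept", "    ip6 saddr @allow6 accept", "  }", "}"])
```

Load the printed ruleset with `nft -f`; the `ct state established,related accept` rule is what keeps a set that happens to omit your own address from locking you out of the session you applied it from.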
