ClearOS Feature Request

GeoIP Blocking

0 votes
I can't find this anywhere in ClearOS, but I have used it on other firewall products.

Block all traffic going to port xxx
Allow traffic going to port xxx from 'country code' = US,CA,XL

whitelisting ip addresses with geoip is a great way of protecting exchange servers, web/ftp servers , etc

really wish ClearOS had the capability
Tuesday, March 09 2021, 05:39 PM
Share this post:
Responses (4)
  • Accepted Answer

    Wednesday, November 01 2023, 02:15 AM - #Permalink
    0 votes
    Yes, however it's a pain to figure out how to set up the firewall rules. Which countries' emails are allowed through and which are blocked? Do you use a whitelist or a blacklist? You could, I think, have separate rules for different ports, but that could get complicated. I am using the United States as an example, even though I am now based in the United Kingdom. Assuming you and your users never leave the country, you can decide to accept incoming emails from anywhere but prevent them from being collected from locations outside the United States. wordle today
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, March 10 2021, 02:36 PM - #Permalink
    0 votes
    Based on a forum thread (search "country block"), I created this howto. See what you make of it.

    And avoid lots of iptables rules of you go down your route. Ipset sets are way more efficient.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, March 10 2021, 02:02 PM - #Permalink
    0 votes
    I think that whitelisting would produce a smaller rule.

    The idea is to not block countries to all ports, but to block to specifics. For me, it is for Exchange. I need port 80 and 443 open for access to webmail and Remote outlook.
    but I could see users wanting this to stop hacking on ftp servers, ssh, rdp, and other. you might want to lock it down to a specific ip range or your country

    Block all on port 80
    Allow port 80 if country = US,CA,GB,XL

    I do this using another firewall product (Untangle), but I am moving back to ClearOS as I really like the email and content filtering.

    right now I am working on a bash script to do this (I have echo's to debug)

    # Define chain to allow a country

    echo "iptables -N Allow-Country-$1"
    while read y
    echo "iptables -A Allow-Country-$1 -s $y -j ACCEPT "
    done < $2
    echo "iptables -A Allow-Country-$1 -j DROP"

    echo "iptables -A INPUT -p tcp --dport 80 -j Allow-Country-$1

    execute like:
    ./ Canada

    this will create a new chain called Allow-Country-Canada and create 4700 CIDR range entries (Canada zone file) to allow, like

    I think that it would be lower resources on iptables to have 4700 whitelisted IP ranges than it would be to block 100's of thousands of ranges for multiple countries.

    I was going to do something similar on my Exchange server, but it seems like windows firewall doesn't process in order and the best you can do is block ip's.


    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, March 09 2021, 05:57 PM - #Permalink
    0 votes
    Agree but crafting the firewall rules is a PITA. Do you whitelist or blacklist e.g do you allow all mail from the US or block all mail from CN, RU etc? I suppose you could have multiple rules for multiple ports but it can get to be a pain to manage. I'm picking on the US but I live in the UK, but I am using this as an example. You may want to allow inbound e-mails from anywhere but block picking up e-mails from anywhere in the US because you know that you and your users never travel outside the US.
    The reply is currently minimized Show
Your Reply