Skip to main content

CWP: How to Allow or Block Traffic by Country in the CSF Firewall

Country-level filtering in CSF uses the Maxmind GeoLite Country database to obtain CIDR (Classless Inter-Domain Routing) ranges for specific countries. Each CIDR range covers all the IP addresses assigned to that country.
There are a number of reasons why a server administrator may wish to block traffic from a specific country, with reducing bandwidth, minimizing exposure to security risks, and ensuring that a site’s content is viewable only in geographic locations where it is permitted among the most common. However, there are several important factors to consider before choosing to filter traffic at the country level:
A small percentage of unwanted traffic still may get through, and a small percentage of desired traffic could be blocked, because:
  • the CIDR range lists used for country-level blocks are not 100 percent accurate.
  • some Internet Service Providers and web services use non-geographic IP addresses for their clients.
  • proxy services and virtual private networks can be used to mask a visitor’s true geographic location.
  • Country-level filtering applies only to incoming connections. Outbound traffic is not affected.
  • Using country-level filtering will negatively impact performance and you will notice slower response times on your websites. This is due to the sheer size of the CIDR range lists (the list for the U.S. is 621K in plain text and contains more than 37,000 entries) and the fact that the firewall must check each incoming IP address against the chosen list(s).
Deny Access by Country Code
CSF does not recommend the use of country-level blocks on any VPS or small server unless the CIDR range for the chosen country is very small. The use of a large-range country block on a small server or VPS could slow the server to the point that it becomes inaccessible.
On the Firewall Configuration page, scroll down to the Country Code Lists and Settings section.
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = "BZ,CN,US,GB" 
CC_DENY field will block all port(s) for mentioned country .
Note: At least one of ConfigServer’s servers is in Germany; blocking that country could prevent CSF from being able to update and display an error on the ConfigServer Security&Firewall page in WHM.
Allow Traffic by Country Code
Note that CSF has two separate “Allow” sections:
  1. CC_ALLOW actually opens the firewall to all traffic on all ports from the listed countries, bypassing any port and protocol rules in place. It should not be used.
  2. CC_ALLOW_FILTER allows only traffic from the specified country or countries, but respects the port and packet rules elsewhere in the firewall configuration. This is the preferred method for allowing traffic by country code.
N.B: CC_ALLOW_FILTER accepts two-letter country codes, such as “US” for the United States of America, “GB” for Great Britain, and “DE” for Germany.
Multiple countries can be comma separated with no spaces in between, such as “US,GB,DE” to deny access to the US, Great Britain, and Germany.
You can find a list of ISO 3166-1 alpha-2 codes at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2.
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_ALLOW = "DE"
1.Scroll to the bottom of the Firewall Configuration page and click on the Change button.
2.On the next screen, click the Restart csf+lfd button to restart the firewall with the new settings.

Comments

Most Popular

CWP DNS Part 1 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

After hosting my parent domain on CWP7.admin, I am getting dns error and i'm not able access my server using my server FQDN but i can access using my server IP.
So what can i do for that problem ?

Yes, you have to fix the error .

Environment Details:
Distro Name: CentOS Linux release 7.6.1810 (Core)
CentOS-Web Panel version: CWP7.admin
CWP version: 0.9.8.757
WebServer: Apache Only
FQDN: host.datahead.biz
IP: 192.120.10.3

1.Change Hostname Permanently:
# hostnamectl set-hostname host.datahead.biz# hostnamectl Static hostname: host.datahead.biz Icon name: computer-vm Chassis: vm Machine ID: 7400071490ea4f7d931374824ad4b52c Boot ID: 6e1f2d76495d4b318c25c4a1195aa130 Virtualization: vmware Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.10.0-862.14.4.el7.x86_64 Architecture: x86-64 It also writes this information to the /etc/hostname file as well.
# cat /etc/hostname host.d…

CWP DNS Part 2 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

7.Open Main Configuration file
# vi /etc/named.conf 12 options { 13 listen-on port 53 { any; }; 14 listen-on-v6 port 53 { ::1; }; 15 directory "/var/named"; 16 dump-file "/var/named/data/cache_dump.db"; 17 statistics-file "/var/named/data/named_stats.txt"; 18 memstatistics-file "/var/named/data/named_mem_stats.txt"; 19 recursing-file "/var/named/data/named.recursing"; 20 secroots-file "/var/named/data/named.secroots"; 21 allow-query { any; }; 33 recursion no; 34 35 dnssec-enable yes; 36 dnssec-validation yes; 54 zone "." IN { 55 type hint; 56 file "named.ca"; 57 }; 58 59 include "/etc/named.rfc1912.zones"; 60 include "/etc/named.root.key"; 61 …