Cloudron Forum

Block access to all IPs, but one + firewall admin problem

Category: Support (Solved)
Tags: networking, firewall
8 Posts, 6 Posters, 1.6k Views
    potemkin_ai wrote (#1, last edited by girish):

    I was wondering if I could block access to the server for everyone but one IP, and added the following list via the firewall interface, adding all networks - from 1 to 255 with a /8 mask (below).

    It was reflected accordingly in blocklist.txt, but now I can't get to the Cloudron admin part (https://my.server/) - it's just loading forever - 'Cloudron is offline, reconnecting'.

    The whole machine is also getting quite unresponsive.

    P.S. The admin page was nice enough to make sure I didn't block the server address's network, so I don't believe that is the problem.

    Removing blocklist.txt and rebooting solved the issue, but I still don't know how to close the access to the server - any help would be much appreciated!

    1.0.0.0/8
    2.0.0.0/8
    3.0.0.0/8
    4.0.0.0/8
    5.0.0.0/8
    6.0.0.0/8
    7.0.0.0/8
    8.0.0.0/8
    9.0.0.0/8
    10.0.0.0/8
    11.0.0.0/8
    12.0.0.0/8
    13.0.0.0/8
    14.0.0.0/8
    15.0.0.0/8
    16.0.0.0/8
    17.0.0.0/8
    18.0.0.0/8
    19.0.0.0/8
    20.0.0.0/8
    21.0.0.0/8
    22.0.0.0/8
    23.0.0.0/8
    24.0.0.0/8
    25.0.0.0/8
    26.0.0.0/8
    27.0.0.0/8
    28.0.0.0/8
    29.0.0.0/8
    30.0.0.0/8
    31.0.0.0/8
    32.0.0.0/8
    33.0.0.0/8
    34.0.0.0/8
    35.0.0.0/8
    36.0.0.0/8
    37.0.0.0/8
    38.0.0.0/8
    39.0.0.0/8
    40.0.0.0/8
    41.0.0.0/8
    42.0.0.0/8
    43.0.0.0/8
    44.0.0.0/8
    45.0.0.0/8
    46.0.0.0/8
    47.0.0.0/8
    48.0.0.0/8
    49.0.0.0/8
    50.0.0.0/8
    51.0.0.0/8
    52.0.0.0/8
    53.0.0.0/8
    54.0.0.0/8
    55.0.0.0/8
    56.0.0.0/8
    57.0.0.0/8
    58.0.0.0/8
    59.0.0.0/8
    60.0.0.0/8
    61.0.0.0/8
    62.0.0.0/8
    63.0.0.0/8
    64.0.0.0/8
    65.0.0.0/8
    66.0.0.0/8
    67.0.0.0/8
    68.0.0.0/8
    69.0.0.0/8
    70.0.0.0/8
    71.0.0.0/8
    72.0.0.0/8
    73.0.0.0/8
    74.0.0.0/8
    75.0.0.0/8
    76.0.0.0/8
    77.0.0.0/8
    78.0.0.0/8
    79.0.0.0/8
    80.0.0.0/8
    81.0.0.0/8
    82.0.0.0/8
    83.0.0.0/8
    84.0.0.0/8
    85.0.0.0/8
    86.0.0.0/8
    87.0.0.0/8
    88.0.0.0/8
    89.0.0.0/8
    90.0.0.0/8
    91.0.0.0/8
    92.0.0.0/8
    93.0.0.0/8
    94.0.0.0/8
    95.0.0.0/8
    96.0.0.0/8
    97.0.0.0/8
    98.0.0.0/8
    99.0.0.0/8
    100.0.0.0/8
    101.0.0.0/8
    102.0.0.0/8
    103.0.0.0/8
    104.0.0.0/8
    105.0.0.0/8
    106.0.0.0/8
    107.0.0.0/8
    108.0.0.0/8
    109.0.0.0/8
    110.0.0.0/8
    111.0.0.0/8
    112.0.0.0/8
    113.0.0.0/8
    114.0.0.0/8
    115.0.0.0/8
    116.0.0.0/8
    117.0.0.0/8
    118.0.0.0/8
    119.0.0.0/8
    120.0.0.0/8
    121.0.0.0/8
    122.0.0.0/8
    123.0.0.0/8
    124.0.0.0/8
    125.0.0.0/8
    126.0.0.0/8
    127.0.0.0/8
    128.0.0.0/8
    129.0.0.0/8
    130.0.0.0/8
    131.0.0.0/8
    132.0.0.0/8
    133.0.0.0/8
    134.0.0.0/8
    135.0.0.0/8
    136.0.0.0/8
    137.0.0.0/8
    138.0.0.0/8
    139.0.0.0/8
    140.0.0.0/8
    141.0.0.0/8
    142.0.0.0/8
    143.0.0.0/8
    144.0.0.0/8
    145.0.0.0/8
    146.0.0.0/8
    147.0.0.0/8
    148.0.0.0/8
    149.0.0.0/8
    150.0.0.0/8
    151.0.0.0/8
    152.0.0.0/8
    153.0.0.0/8
    154.0.0.0/8
    155.0.0.0/8
    156.0.0.0/8
    157.0.0.0/8
    158.0.0.0/8
    159.0.0.0/8
    160.0.0.0/8
    161.0.0.0/8
    162.0.0.0/8
    163.0.0.0/8
    164.0.0.0/8
    165.0.0.0/8
    166.0.0.0/8
    167.0.0.0/8
    168.0.0.0/8
    169.0.0.0/8
    170.0.0.0/8
    171.0.0.0/8
    172.0.0.0/8
    173.0.0.0/8
    174.0.0.0/8
    175.0.0.0/8
    176.0.0.0/8
    177.0.0.0/8
    179.0.0.0/8
    180.0.0.0/8
    181.0.0.0/8
    182.0.0.0/8
    183.0.0.0/8
    184.0.0.0/8
    185.0.0.0/8
    186.0.0.0/8
    187.0.0.0/8
    188.0.0.0/8
    189.0.0.0/8
    190.0.0.0/8
    191.0.0.0/8
    192.0.0.0/8
    193.0.0.0/8
    194.0.0.0/8
    195.0.0.0/8
    196.0.0.0/8
    197.0.0.0/8
    198.0.0.0/8
    199.0.0.0/8
    200.0.0.0/8
    201.0.0.0/8
    202.0.0.0/8
    203.0.0.0/8
    204.0.0.0/8
    205.0.0.0/8
    206.0.0.0/8
    207.0.0.0/8
    208.0.0.0/8
    209.0.0.0/8
    210.0.0.0/8
    211.0.0.0/8
    212.0.0.0/8
    213.0.0.0/8
    214.0.0.0/8
    215.0.0.0/8
    216.0.0.0/8
    217.0.0.0/8
    218.0.0.0/8
    219.0.0.0/8
    220.0.0.0/8
    221.0.0.0/8
    222.0.0.0/8
    223.0.0.0/8
    224.0.0.0/8
    225.0.0.0/8
    226.0.0.0/8
    227.0.0.0/8
    228.0.0.0/8
    229.0.0.0/8
    230.0.0.0/8
    231.0.0.0/8
    232.0.0.0/8
    233.0.0.0/8
    234.0.0.0/8
    235.0.0.0/8
    236.0.0.0/8
    237.0.0.0/8
    238.0.0.0/8
    239.0.0.0/8
    240.0.0.0/8
    241.0.0.0/8
    242.0.0.0/8
    243.0.0.0/8
    244.0.0.0/8
    245.0.0.0/8
    246.0.0.0/8
    247.0.0.0/8
    248.0.0.0/8
    249.0.0.0/8
    250.0.0.0/8
    251.0.0.0/8
    252.0.0.0/8
    253.0.0.0/8
    254.0.0.0/8
    255.0.0.0/8
    
      robi wrote (#2):

      You probably shouldn't block your default route, docker networks and the broadcast domain.

      Conscious tech

        girish (Staff) wrote (#3):

        @potemkin_ai I think your approach to blocking will work. I think the issue is that iptables/ipset becomes quite slow when you add a lot of IP addresses. If you are hosting on a VPS, it might be better to use your infrastructure provider's firewall instead.

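The three posts above touch one practical problem from different sides: the original list of 255 /8 entries, robi's point that the host's own default route and Docker networks must stay reachable, and girish's remark about long iptables/ipset lists. The script below is an added example and not Cloudron's code or anything the posters ran. It computes the minimal CIDR list that covers all of IPv4 except one allowed address (32 prefixes rather than 255), checks any candidate blocklist against the ranges the host itself depends on, and carves those ranges out before the list is applied. The allowed address, server address and gateway are constructed samples from the documentation ranges (TEST-NET), and the Docker bridge subnet is an assumption; on a real box these come from `ip route` and `docker network inspect`.

```python
"""Build and sanity-check a "block everything except one IP" list.

Added example, not Cloudron's code. Shows that excluding a single /32 from
0.0.0.0/0 needs 32 prefixes, not 255 /8 entries, and that any such list must
have the host's own essential ranges carved out before it is loaded.
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: the one remote address that should keep access.
ALLOWED_IP = IPv4Address("203.0.113.10")

# Constructed sample of ranges the host must not block (robi's warning).
# The Docker bridge subnet is an assumption, not read from a real install.
ESSENTIAL = {
    "loopback": IPv4Network("127.0.0.0/8"),
    "server address": IPv4Network("198.51.100.20/32"),
    "default gateway": IPv4Network("198.51.100.1/32"),
    "docker bridge (assumed)": IPv4Network("172.18.0.0/16"),
}


def naive_slash8_list() -> list[IPv4Network]:
    """The 255 /8 entries from the original post (1.0.0.0/8 .. 255.0.0.0/8)."""
    return [IPv4Network(f"{n}.0.0.0/8") for n in range(1, 256)]


def complement_of(allowed: IPv4Address) -> list[IPv4Network]:
    """All of IPv4 except allowed/32, as the minimal prefix list (32 entries)."""
    everything = IPv4Network("0.0.0.0/0")
    return sorted(everything.address_exclude(IPv4Network(f"{allowed}/32")))


def collisions(blocklist, essential: dict) -> dict[str, list[IPv4Network]]:
    """For each essential range, the block entries that would cut it off."""
    hits = {}
    for name, net in essential.items():
        overlapping = [b for b in blocklist if b.overlaps(net)]
        if overlapping:
            hits[name] = overlapping
    return hits


def carve_out(blocklist, keep) -> list[IPv4Network]:
    """Remove every `keep` range from the blocklist, splitting entries as needed."""
    result = list(blocklist)
    for net in keep:
        kept = []
        for block in result:
            if not block.overlaps(net):
                kept.append(block)
            elif net.supernet_of(block):
                continue  # whole entry lies inside a range we must keep: drop it
            else:
                kept.extend(block.address_exclude(net))  # net sits strictly inside block
        result = kept
    return sorted(ipaddress.collapse_addresses(result))


def is_blocked(addr: str, blocklist) -> bool:
    """True if the address falls into any entry of the blocklist."""
    ip = IPv4Address(addr)
    return any(ip in block for block in blocklist)


if __name__ == "__main__":
    naive = naive_slash8_list()
    print(f"naive list: {len(naive)} entries, cuts off: {list(collisions(naive, ESSENTIAL))}")

    minimal = complement_of(ALLOWED_IP)
    safe = carve_out(minimal, ESSENTIAL.values())
    print(f"minimal list: {len(minimal)} entries; after carving out essentials: {len(safe)}")
    print(f"collisions after carve-out: {collisions(safe, ESSENTIAL)}")
    for entry in safe:  # this is what would go into blocklist.txt
        print(entry)
```

Run it before touching the firewall: the `collisions` output for the naive list names exactly the ranges whose loss matches the symptoms in the first post (loopback, the server's own address, the gateway, and the Docker bridge all fall inside one of the /8 entries), while the carved-out list still blocks every other address.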
          jimcavoli (App Dev) wrote (#4):

          Maybe it's because of the brilliant person who posted the request, but it strikes me that mutual TLS optionally and globally on the frontside reverse proxy is a more elegant way to achieve a similar result: https://forum.cloudron.io/topic/3826/support-optional-global-https-mutual-tls-certificate-based-authentication

            potemkin_ai wrote (#5):

            Apologies for the delay in getting back - somehow I didn't get a notification of the response.

            I worked around this using routing rules - the IP is open to the world, but all of the traffic goes via a VLAN router, which has nothing but NAT and ufw, so it's managed that way.

            Speaking about server performance - I doubt that's the cause; it's quite a powerful virtual server.

              neurokrish wrote (#6):

              I have a similar request. Currently Cloudron allows only a block list (Blocked IPs & Ranges). Can we have an option to do the inverse? I mean, allow only what we want and block every other range? The use case is, e.g., if I want my Cloudron to be accessed only from the country where I live. It would be easier to be able to add/remove countries vs. IP ranges (something like this would be super useful - https://support.sophos.com/support/s/article/KB-000034791?language=en_US)

              At the moment, since my instance is behind Cloudflare, I disallow traffic from all countries except mine in their firewall rules. Works OK this way too.

                d19dotca wrote (#7):

                @neurokrish said in Block access to all IPs, but one + firewall admin problem:

                I have a similar request. Currently Cloudron allows only a block list (Blocked IPs & Ranges). Can we have an option to do the inverse? I mean, allow only what we want and block every other range? The use case is, e.g., if I want my Cloudron to be accessed only from the country where I live. It would be easier to be able to add/remove countries vs. IP ranges (something like this would be super useful - https://support.sophos.com/support/s/article/KB-000034791?language=en_US)

                At the moment, since my instance is behind Cloudflare, I disallow traffic from all countries except mine in their firewall rules. Works OK this way too.

                I'd suggest creating a new feature request for your use-case.

                --
                Dustin Dauncey
                www.d19.ca

                  robi wrote (#8):

                  There is an allow list file, but you have to access it from ssh. It should be in the docs.

                  Conscious tech
