Block access to all IPs, but one + firewall admin problem
-
I was wondering if I could block access to the server for everyone but one IP, and added the following list via the firewall interface, adding all networks from 1 to 255 with a /8 mask (below).
It was reflected accordingly in blocklist.txt, but now I can't get to the Cloudron admin part (https://my.server/) - it just loads forever: 'Cloudron is offline, reconnecting'.
The whole machine is also getting quite unresponsive.
P.S. The admin page was nice enough to make sure I didn't block the server address's network, so I don't believe that is the problem.
Removing blocklist.txt and rebooting solved the issue, but I still don't know how to close access to the server - any help would be much appreciated!
1.0.0.0/8 2.0.0.0/8 3.0.0.0/8 4.0.0.0/8 5.0.0.0/8 6.0.0.0/8 7.0.0.0/8 8.0.0.0/8 9.0.0.0/8 10.0.0.0/8 11.0.0.0/8 12.0.0.0/8 13.0.0.0/8 14.0.0.0/8 15.0.0.0/8 16.0.0.0/8 17.0.0.0/8 18.0.0.0/8 19.0.0.0/8 20.0.0.0/8 21.0.0.0/8 22.0.0.0/8 23.0.0.0/8 24.0.0.0/8 25.0.0.0/8 26.0.0.0/8 27.0.0.0/8 28.0.0.0/8 29.0.0.0/8 30.0.0.0/8 31.0.0.0/8 32.0.0.0/8 33.0.0.0/8 34.0.0.0/8 35.0.0.0/8 36.0.0.0/8 37.0.0.0/8 38.0.0.0/8 39.0.0.0/8 40.0.0.0/8 41.0.0.0/8 42.0.0.0/8 43.0.0.0/8 44.0.0.0/8 45.0.0.0/8 46.0.0.0/8 47.0.0.0/8 48.0.0.0/8 49.0.0.0/8 50.0.0.0/8 51.0.0.0/8 52.0.0.0/8 53.0.0.0/8 54.0.0.0/8 55.0.0.0/8 56.0.0.0/8 57.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 61.0.0.0/8 62.0.0.0/8 63.0.0.0/8 64.0.0.0/8 65.0.0.0/8 66.0.0.0/8 67.0.0.0/8 68.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8 81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8 127.0.0.0/8 128.0.0.0/8 129.0.0.0/8 130.0.0.0/8 131.0.0.0/8 132.0.0.0/8 133.0.0.0/8 134.0.0.0/8 135.0.0.0/8 136.0.0.0/8 137.0.0.0/8 138.0.0.0/8 139.0.0.0/8 140.0.0.0/8 141.0.0.0/8 142.0.0.0/8 143.0.0.0/8 144.0.0.0/8 145.0.0.0/8 146.0.0.0/8 147.0.0.0/8 148.0.0.0/8 149.0.0.0/8 150.0.0.0/8 151.0.0.0/8 152.0.0.0/8 153.0.0.0/8 154.0.0.0/8 155.0.0.0/8 156.0.0.0/8 157.0.0.0/8 158.0.0.0/8 159.0.0.0/8 160.0.0.0/8 161.0.0.0/8 162.0.0.0/8 163.0.0.0/8 164.0.0.0/8 165.0.0.0/8 166.0.0.0/8 167.0.0.0/8 168.0.0.0/8 169.0.0.0/8 170.0.0.0/8 171.0.0.0/8 172.0.0.0/8 173.0.0.0/8 174.0.0.0/8 175.0.0.0/8 
176.0.0.0/8 177.0.0.0/8 179.0.0.0/8 180.0.0.0/8 181.0.0.0/8 182.0.0.0/8 183.0.0.0/8 184.0.0.0/8 185.0.0.0/8 186.0.0.0/8 187.0.0.0/8 188.0.0.0/8 189.0.0.0/8 190.0.0.0/8 191.0.0.0/8 192.0.0.0/8 193.0.0.0/8 194.0.0.0/8 195.0.0.0/8 196.0.0.0/8 197.0.0.0/8 198.0.0.0/8 199.0.0.0/8 200.0.0.0/8 201.0.0.0/8 202.0.0.0/8 203.0.0.0/8 204.0.0.0/8 205.0.0.0/8 206.0.0.0/8 207.0.0.0/8 208.0.0.0/8 209.0.0.0/8 210.0.0.0/8 211.0.0.0/8 212.0.0.0/8 213.0.0.0/8 214.0.0.0/8 215.0.0.0/8 216.0.0.0/8 217.0.0.0/8 218.0.0.0/8 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8 230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8 240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8
-
@potemkin_ai I think your approach to blocking will work. I think the issue is that iptables/ipset becomes quite slow when you add a lot of IP addresses. If you are hosting on a VPS, it might be better to use your infrastructure provider's firewall instead.
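Added example (editor's note; this is not code from the thread or from Cloudron): a sanity check to run over a block list like the one posted above before it is applied. It rebuilds the posted list (every /8 from 1 to 255, with 178.0.0.0/8 absent as it is in the post), collapses it to the fewest CIDR entries, and reports which entries overlap ranges a host must keep open to itself: loopback, link-local and the RFC 1918 ranges that container bridges and LANs usually live in. The protected ranges are an assumption taken from the RFCs, not from Cloudron's firewall implementation, which the thread does not describe.

```python
"""Sanity-check a CIDR block list before applying it to a host firewall."""
import ipaddress

# Reconstructed from the post above: every /8 from 1 to 255. The posted list
# skips 178.0.0.0/8, so this one does too (constructed input, not a file read
# from the server).
POSTED_BLOCKLIST = [f"{n}.0.0.0/8" for n in range(1, 256) if n != 178]

# Ranges a host must keep open to itself; blocking them breaks local services.
# Assumption: taken from RFC 1122/1918/3927, not from Cloudron's firewall code.
MUST_STAY_OPEN = {
    "loopback (127/8)": ipaddress.ip_network("127.0.0.0/8"),
    "private (10/8)": ipaddress.ip_network("10.0.0.0/8"),
    "private (172.16/12)": ipaddress.ip_network("172.16.0.0/12"),
    "private (192.168/16)": ipaddress.ip_network("192.168.0.0/16"),
    "link-local (169.254/16)": ipaddress.ip_network("169.254.0.0/16"),
}


def parse_blocklist(lines):
    """Parse entries (one CIDR or bare address per item); skip blanks and comments."""
    nets = []
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def collapse(nets):
    """Merge adjacent and contained networks into the fewest CIDR entries."""
    return list(ipaddress.collapse_addresses(nets))


def entries_covering(nets, ip):
    """Return the entries (as strings) that would match a given address."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr in n]


def find_collisions(nets, protected=MUST_STAY_OPEN):
    """Map each protected range to the block entries that overlap it."""
    hits = {}
    for label, keep in protected.items():
        overlapping = [str(n) for n in nets if n.overlaps(keep)]
        if overlapping:
            hits[label] = overlapping
    return hits


def report(lines):
    """Print the collapsed list and a warning per protected range that is caught."""
    nets = parse_blocklist(lines)
    compact = collapse(nets)
    print(f"{len(nets)} entries collapse to {len(compact)}:")
    for n in compact:
        print("  ", n)
    for label, entries in find_collisions(nets).items():
        print(f"WARNING: {label} is caught by {', '.join(entries)}")
    return nets, compact


if __name__ == "__main__":
    report(POSTED_BLOCKLIST)
```

On the posted list this reports 127.0.0.0/8 catching loopback and 10.0.0.0/8, 169.0.0.0/8, 172.0.0.0/8 and 192.0.0.0/8 catching the link-local and private ranges, and it shows the 254 entries collapsing to 14. Whatever the actual enforcement mechanism on the host, a list that blocks the machine's own loopback and container networks is a plausible reason for a local admin UI to stop responding, and the collapsed form is the one worth feeding to a firewall that slows down with many entries.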
-
Maybe it's because of the brilliant person who posted the request, but it strikes me that mutual TLS optionally and globally on the frontside reverse proxy is a more elegant way to achieve a similar result: https://forum.cloudron.io/topic/3826/support-optional-global-https-mutual-tls-certificate-based-authentication
-
Apologies for the delay in getting back - somehow I didn't get a notification of the response.
I worked around this using routing rules - the IP is open to the world, but all of the traffic goes via a VLAN router, which has nothing but NAT and ufw, so it's managed that way.
Speaking about server performance - I doubt that's the cause; it's quite a powerful virtual server.
-
I have a similar request. Currently Cloudron allows only a block list (Blocked IPs & Ranges). Can we have an option to do the inverse? I mean, allow only what we want and block every other range? The use case is, e.g., if I want my Cloudron to be accessed only from the country where I live. It will be easier to be able to add/remove countries vs. IP ranges (something like this will be super useful - https://support.sophos.com/support/s/article/KB-000034791?language=en_US)
At the moment, since my instance is behind Cloudflare, I disallow traffic from all countries except mine in their firewall rules. Works OK this way too.
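Added example (editor's note; not code from the thread or from Cloudron), serving both the original question at the top of the thread (block everyone but one address with a firewall that only takes a block list) and the inverse-list request in the post above. Since the firewall only accepts blocked ranges, "allow only X" has to be written as "block the complement of X"; the script below computes that complement with Python's ipaddress module and keeps the host's own loopback and private ranges out of it. The admin address 203.0.113.7 (from a documentation range) and the choice of local ranges are assumptions, not values from the thread.

```python
"""Express "allow only these" as the block list a blocklist-only firewall needs."""
import ipaddress

# Constructed sample input (assumptions, not values from the thread):
# one admin address from the TEST-NET-3 documentation range, plus the ranges
# the host uses to talk to itself, its containers and its LAN.
ADMIN_IP = "203.0.113.7/32"
LOCAL_RANGES = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def complement(allowed, universe="0.0.0.0/0"):
    """Minimal CIDR list covering every address in `universe` not in `allowed`.

    Works for disjoint or overlapping allow entries: each one is carved out of
    whatever is still left, then the pieces are merged into the fewest networks.
    """
    remaining = [ipaddress.ip_network(universe)]
    for keep in (ipaddress.ip_network(a, strict=False) for a in allowed):
        carved = []
        for net in remaining:
            if not net.overlaps(keep):
                carved.append(net)                        # untouched
            elif keep.subnet_of(net):
                carved.extend(net.address_exclude(keep))  # punch a hole
            # else: keep fully contains net, so net disappears
        remaining = carved
    return list(ipaddress.collapse_addresses(remaining))


def build_blocklist(admin_ip=ADMIN_IP, local_ranges=LOCAL_RANGES):
    """Block list that leaves only the admin address and the local ranges open."""
    return complement([admin_ip, *local_ranges])


def is_blocked(blocklist, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def blocked_address_count(blocklist):
    return sum(net.num_addresses for net in blocklist)


def allowed_address_count(allowed):
    """Addresses the allow set covers, after merging any overlaps."""
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(a, strict=False) for a in allowed)
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    blocklist = build_blocklist()
    print(f"{len(blocklist)} block entries, "
          f"{blocked_address_count(blocklist)} addresses blocked")
    for net in blocklist:
        print(net)
    # Invariant: blocked + allowed must account for the whole IPv4 space.
    total = (blocked_address_count(blocklist)
             + allowed_address_count([ADMIN_IP, *LOCAL_RANGES]))
    print("covers full IPv4 space:", total == 2**32)
```

For the sample input this yields a few dozen entries rather than 254, and the address-count invariant at the end confirms that nothing outside the allow set was left open and nothing inside it was blocked. Whether the host firewall copes comfortably with that many entries is the separate concern raised in the staff reply above; a provider-level firewall or a front proxy, as suggested in the thread, takes the same list.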
-
@neurokrish said in Block access to all IPs, but one + firewall admin problem:
I have a similar request. Currently Cloudron allows only a block list (Blocked IPs & Ranges). Can we have an option to do the inverse? I mean, allow only what we want and block every other range? The use case is, e.g., if I want my Cloudron to be accessed only from the country where I live. It will be easier to be able to add/remove countries vs. IP ranges (something like this will be super useful - https://support.sophos.com/support/s/article/KB-000034791?language=en_US)
At the moment, since my instance is behind Cloudflare, I disallow traffic from all countries except mine in their firewall rules. Works OK this way too.
I'd suggest creating a new feature request for your use-case.