    Cloudron Forum

    Solved Block access to all IPs, but one + firewall admin problem

    Support
    networking firewall
    • potemkin_ai
      potemkin_ai last edited by girish

      I was wondering if I could block access to the server for everyone but one IP, and added the following list via the firewall interface, adding all networks from 1 to 255 with a /8 mask (below).

      It was reflected accordingly in blocklist.txt, but I now can't get to the Cloudron admin part (https://my.server/) - it's just loading forever - 'Cloudron is offline, reconnecting'.

      The whole machine is also getting quite unresponsive.

      P.S. The admin page was nice enough to make sure I didn't block the server address's network, so I don't believe that is the problem.

      Removing blocklist.txt and rebooting solved the issue, but I still don't know how to close access to the server - any help would be much appreciated!

      1.0.0.0/8
      2.0.0.0/8
      3.0.0.0/8
      4.0.0.0/8
      5.0.0.0/8
      6.0.0.0/8
      7.0.0.0/8
      8.0.0.0/8
      9.0.0.0/8
      10.0.0.0/8
      11.0.0.0/8
      12.0.0.0/8
      13.0.0.0/8
      14.0.0.0/8
      15.0.0.0/8
      16.0.0.0/8
      17.0.0.0/8
      18.0.0.0/8
      19.0.0.0/8
      20.0.0.0/8
      21.0.0.0/8
      22.0.0.0/8
      23.0.0.0/8
      24.0.0.0/8
      25.0.0.0/8
      26.0.0.0/8
      27.0.0.0/8
      28.0.0.0/8
      29.0.0.0/8
      30.0.0.0/8
      31.0.0.0/8
      32.0.0.0/8
      33.0.0.0/8
      34.0.0.0/8
      35.0.0.0/8
      36.0.0.0/8
      37.0.0.0/8
      38.0.0.0/8
      39.0.0.0/8
      40.0.0.0/8
      41.0.0.0/8
      42.0.0.0/8
      43.0.0.0/8
      44.0.0.0/8
      45.0.0.0/8
      46.0.0.0/8
      47.0.0.0/8
      48.0.0.0/8
      49.0.0.0/8
      50.0.0.0/8
      51.0.0.0/8
      52.0.0.0/8
      53.0.0.0/8
      54.0.0.0/8
      55.0.0.0/8
      56.0.0.0/8
      57.0.0.0/8
      58.0.0.0/8
      59.0.0.0/8
      60.0.0.0/8
      61.0.0.0/8
      62.0.0.0/8
      63.0.0.0/8
      64.0.0.0/8
      65.0.0.0/8
      66.0.0.0/8
      67.0.0.0/8
      68.0.0.0/8
      69.0.0.0/8
      70.0.0.0/8
      71.0.0.0/8
      72.0.0.0/8
      73.0.0.0/8
      74.0.0.0/8
      75.0.0.0/8
      76.0.0.0/8
      77.0.0.0/8
      78.0.0.0/8
      79.0.0.0/8
      80.0.0.0/8
      81.0.0.0/8
      82.0.0.0/8
      83.0.0.0/8
      84.0.0.0/8
      85.0.0.0/8
      86.0.0.0/8
      87.0.0.0/8
      88.0.0.0/8
      89.0.0.0/8
      90.0.0.0/8
      91.0.0.0/8
      92.0.0.0/8
      93.0.0.0/8
      94.0.0.0/8
      95.0.0.0/8
      96.0.0.0/8
      97.0.0.0/8
      98.0.0.0/8
      99.0.0.0/8
      100.0.0.0/8
      101.0.0.0/8
      102.0.0.0/8
      103.0.0.0/8
      104.0.0.0/8
      105.0.0.0/8
      106.0.0.0/8
      107.0.0.0/8
      108.0.0.0/8
      109.0.0.0/8
      110.0.0.0/8
      111.0.0.0/8
      112.0.0.0/8
      113.0.0.0/8
      114.0.0.0/8
      115.0.0.0/8
      116.0.0.0/8
      117.0.0.0/8
      118.0.0.0/8
      119.0.0.0/8
      120.0.0.0/8
      121.0.0.0/8
      122.0.0.0/8
      123.0.0.0/8
      124.0.0.0/8
      125.0.0.0/8
      126.0.0.0/8
      127.0.0.0/8
      128.0.0.0/8
      129.0.0.0/8
      130.0.0.0/8
      131.0.0.0/8
      132.0.0.0/8
      133.0.0.0/8
      134.0.0.0/8
      135.0.0.0/8
      136.0.0.0/8
      137.0.0.0/8
      138.0.0.0/8
      139.0.0.0/8
      140.0.0.0/8
      141.0.0.0/8
      142.0.0.0/8
      143.0.0.0/8
      144.0.0.0/8
      145.0.0.0/8
      146.0.0.0/8
      147.0.0.0/8
      148.0.0.0/8
      149.0.0.0/8
      150.0.0.0/8
      151.0.0.0/8
      152.0.0.0/8
      153.0.0.0/8
      154.0.0.0/8
      155.0.0.0/8
      156.0.0.0/8
      157.0.0.0/8
      158.0.0.0/8
      159.0.0.0/8
      160.0.0.0/8
      161.0.0.0/8
      162.0.0.0/8
      163.0.0.0/8
      164.0.0.0/8
      165.0.0.0/8
      166.0.0.0/8
      167.0.0.0/8
      168.0.0.0/8
      169.0.0.0/8
      170.0.0.0/8
      171.0.0.0/8
      172.0.0.0/8
      173.0.0.0/8
      174.0.0.0/8
      175.0.0.0/8
      176.0.0.0/8
      177.0.0.0/8
      179.0.0.0/8
      180.0.0.0/8
      181.0.0.0/8
      182.0.0.0/8
      183.0.0.0/8
      184.0.0.0/8
      185.0.0.0/8
      186.0.0.0/8
      187.0.0.0/8
      188.0.0.0/8
      189.0.0.0/8
      190.0.0.0/8
      191.0.0.0/8
      192.0.0.0/8
      193.0.0.0/8
      194.0.0.0/8
      195.0.0.0/8
      196.0.0.0/8
      197.0.0.0/8
      198.0.0.0/8
      199.0.0.0/8
      200.0.0.0/8
      201.0.0.0/8
      202.0.0.0/8
      203.0.0.0/8
      204.0.0.0/8
      205.0.0.0/8
      206.0.0.0/8
      207.0.0.0/8
      208.0.0.0/8
      209.0.0.0/8
      210.0.0.0/8
      211.0.0.0/8
      212.0.0.0/8
      213.0.0.0/8
      214.0.0.0/8
      215.0.0.0/8
      216.0.0.0/8
      217.0.0.0/8
      218.0.0.0/8
      219.0.0.0/8
      220.0.0.0/8
      221.0.0.0/8
      222.0.0.0/8
      223.0.0.0/8
      224.0.0.0/8
      225.0.0.0/8
      226.0.0.0/8
      227.0.0.0/8
      228.0.0.0/8
      229.0.0.0/8
      230.0.0.0/8
      231.0.0.0/8
      232.0.0.0/8
      233.0.0.0/8
      234.0.0.0/8
      235.0.0.0/8
      236.0.0.0/8
      237.0.0.0/8
      238.0.0.0/8
      239.0.0.0/8
      240.0.0.0/8
      241.0.0.0/8
      242.0.0.0/8
      243.0.0.0/8
      244.0.0.0/8
      245.0.0.0/8
      246.0.0.0/8
      247.0.0.0/8
      248.0.0.0/8
      249.0.0.0/8
      250.0.0.0/8
      251.0.0.0/8
      252.0.0.0/8
      253.0.0.0/8
      254.0.0.0/8
      255.0.0.0/8
      
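An added example, not code from the post or from Cloudron, for the "allow one IP, block everyone else" goal above. Instead of listing every /8, it computes the smallest set of CIDRs that is the complement of an allow set, and it can check any candidate block list against addresses the host itself must keep reaching. Assumptions: the firewall consumes plain source-address CIDRs (the exact semantics of Cloudron's blocklist.txt are not described in the thread); 203.0.113.10 and 198.51.100.7 are hypothetical admin and server addresses from the RFC 5737 documentation ranges; and LOCAL_RANGES is a starting set of ranges a host typically depends on (Docker's default bridge is 172.17.0.0/16, but a host may use other bridges), not a complete inventory.

```python
"""Added example (not Cloudron code): build the smallest CIDR block list that
is the complement of an allow set, and check any candidate block list against
addresses the host itself must keep reaching.  Standard library only.
Assumption: the firewall consumes plain source-address CIDRs; the exact
semantics of Cloudron's blocklist.txt are not specified in the thread."""
import ipaddress

IPV4_ALL = ipaddress.ip_network("0.0.0.0/0")

# Ranges a host normally depends on; a block list that covers them is what
# makes the box unresponsive.  Docker's default bridge is 172.17.0.0/16, but a
# host may use other bridges, so this set is a starting point (assumption),
# not a complete inventory.  Your own public subnet must be added as well.
LOCAL_RANGES = [
    "127.0.0.0/8",         # loopback
    "10.0.0.0/8",          # RFC 1918
    "172.16.0.0/12",       # RFC 1918 (contains Docker's 172.17.0.0/16 bridge)
    "192.168.0.0/16",      # RFC 1918
    "169.254.0.0/16",      # link-local; cloud metadata endpoints live here
    "224.0.0.0/4",         # multicast
    "255.255.255.255/32",  # limited broadcast
]


def complement(allow):
    """Minimal sorted list of CIDRs covering every IPv4 address NOT in `allow`."""
    allow = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(a, strict=False) for a in allow))
    remaining = [IPV4_ALL]
    for keep in allow:
        nxt = []
        for r in remaining:
            # Two CIDRs either nest or are disjoint; there is no partial overlap.
            if keep.subnet_of(r):
                nxt.extend(r.address_exclude(keep))  # carve the hole out of r
            elif r.subnet_of(keep):
                continue                             # r is entirely allowed
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def blocked(blocklist, addresses):
    """Return those `addresses` (strings) matched by at least one CIDR in `blocklist`."""
    nets = [ipaddress.ip_network(b, strict=False) for b in blocklist]
    return [a for a in addresses if any(ipaddress.ip_address(a) in n for n in nets)]


def build_blocklist(admin_ip, server_ip, extra_allow=()):
    """Allow `admin_ip`, `server_ip`, the local ranges and `extra_allow`; block all else."""
    return complement([admin_ip, server_ip, *LOCAL_RANGES, *extra_allow])


if __name__ == "__main__":
    # Constructed sample: the thread's approach, one /8 for every first octet.
    all_eights = [f"{i}.0.0.0/8" for i in range(1, 256)]
    print("the /8 list also blocks:",
          blocked(all_eights, ["127.0.0.1", "10.0.0.1", "172.17.0.1"]))

    # Hypothetical admin and server addresses (RFC 5737 documentation ranges).
    rules = build_blocklist("203.0.113.10", "198.51.100.7")
    print(f"{len(rules)} prefixes instead of 255:")
    for net in rules:
        print(net)
```

Run against the list in the post, `blocked()` reports that the /8 entries cover 127.0.0.1, 10.0.0.1 and 172.17.0.1, i.e. loopback, RFC 1918 space and the Docker bridge, which is the kind of self-inflicted cut-off the next reply warns about. The complement of a handful of allow entries is a few dozen prefixes rather than 255. Whatever list you apply, apply it from a console or provider-side session rather than the SSH session you are protecting, keep the address you are connecting from in the allow set, and confirm with a second session before closing the first.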
      • robi
        robi last edited by

        You probably shouldn't block your default route, docker networks and the broadcast domain.

        Life of Advanced Technology

        • girish
          girish Staff @potemkin_ai last edited by

          @potemkin_ai I think your approach to blocking will work. I think the issue is that iptables/ipset becomes quite slow when you add a lot of IP addresses. If you are hosting on a VPS, it might be better to use your infrastructure provider's firewall instead.

          • jimcavoli
            jimcavoli App Dev last edited by

            Maybe it's because of the brilliant person who posted the request, but it strikes me that mutual TLS optionally and globally on the frontside reverse proxy is a more elegant way to achieve a similar result: https://forum.cloudron.io/topic/3826/support-optional-global-https-mutual-tls-certificate-based-authentication

            • potemkin_ai
              potemkin_ai last edited by

              Apologies for the delay in getting back - somehow I didn't get a notification of the response.

               I worked around this using routing rules - the IP is open to the world, but all of the traffic goes via a VLAN router, which has nothing but NAT and ufw, so that's managed that way.

               Speaking about server performance - I doubt that's the cause; it's quite a powerful virtual server.

              • neurokrish
                neurokrish last edited by

                 I have a similar request. Currently Cloudron allows only a block list (Blocked IPs & Ranges). Can we have an option to do the inverse? I mean, allow only what we want and block every other range? The use case is, e.g., if I want my Cloudron to be accessed only from the country where I live. It will be easier to be able to add/remove countries vs. IP ranges (something like this would be super useful - https://support.sophos.com/support/s/article/KB-000034791?language=en_US)

                 At the moment, since my instance is behind Cloudflare, I disallow traffic from all countries except mine in their firewall rules. Works OK this way too.

                • d19dotca
                  d19dotca @neurokrish last edited by

                  @neurokrish said in Block access to all IPs, but one + firewall admin problem:

                   I have a similar request. Currently Cloudron allows only a block list (Blocked IPs & Ranges). Can we have an option to do the inverse? I mean, allow only what we want and block every other range? The use case is, e.g., if I want my Cloudron to be accessed only from the country where I live. It will be easier to be able to add/remove countries vs. IP ranges (something like this would be super useful - https://support.sophos.com/support/s/article/KB-000034791?language=en_US)

                   At the moment, since my instance is behind Cloudflare, I disallow traffic from all countries except mine in their firewall rules. Works OK this way too.

                  I'd suggest creating a new feature request for your use-case.

                  --
                  Dustin Dauncey
                  www.d19.ca

                  • robi
                    robi last edited by

                    There is an allow list file, but you have to access it from ssh. It should be in the docs.

                    Life of Advanced Technology
