Geo IP block help

henryd99

Member
Dec 13, 2023
Hi all,

Currently running a 3-node cluster with version 8.2.4; from what I can see it's running iptables and not nftables.

We wish to lock down our individual nodes or the cluster as a whole using GeoIP rule IPsets, and using the GUI for this is not an option (we are using the cluster/node/VM built-in firewall functionality in the GUI for basic rules).

Does anyone have any recommendations on making this as efficient as possible, as well as on how to ensure this stays persistent through reboots, upgrades, etc.?

Thank you.
From my point of view it is not best practice to connect a PVE cluster directly to the outside internet. There should always be a router with filtering capabilities. In that picture the router would do geo-blocking, besides other things. My recommendation is to re-evaluate the possibility of implementing something like OPNsense in front of your cluster.

That said... PVE is Debian, and there are a vast number of small projects out there implementing this. Just note that there is a) a non-zero chance of locking yourself out and b) that you may interfere with the PVE integrated solution.

One random(!) article describing an as-simple-as-possible approach, just as an example: https://blog.ip2location.com/knowledge-base/how-to-block-ip-addresses-from-a-country-using-ipset/

Good luck!
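To make the ipset approach from the linked article concrete on a PVE node, here is an added example script (not code from either post, the linked article, or Proxmox itself). It builds an `ipset restore` file from a plain CIDR list, swaps the new set in atomically so the live set is never half-loaded, inserts a single DROP rule at the top of INPUT (ahead of the `PVEFW-INPUT` jump that pve-firewall manages) with an admin-network exception so you do not lock yourself out, and writes a oneshot systemd unit so the set survives reboots. The set name `geoblock`, the state directory `/etc/geoblock`, and the admin network `192.0.2.0/24` are assumed values; the sample CIDR list in the usage note is constructed.

```shell
#!/bin/sh
# GeoIP block list loader for a Proxmox VE node (iptables + ipset).
# Added example; not from the thread, the linked article or Proxmox.
# Assumed values: set name, state directory and admin network below.
set -eu

SETNAME="${SETNAME:-geoblock}"            # assumed set name
STATEDIR="${STATEDIR:-/etc/geoblock}"     # assumed; holds cidrs.txt and ipset.restore
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"    # assumed; management subnet that must never be blocked

# Keep only syntactically valid IPv4 prefixes (a.b.c.d or a.b.c.d/n), dropping
# comments, whitespace, duplicates and junk, so a corrupted or tampered
# download cannot inject arbitrary lines into `ipset restore`.
filter_cidrs() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
        | awk -F'[./]' '{ ok = 1
                          for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
                          if (NF == 5 && $5 > 32) ok = 0
                          if (ok) print }' \
        | LC_ALL=C sort -u
}

# Emit an `ipset restore` script: fill a temporary set, then swap it with the
# live set so rules referencing the live set never see an empty set mid-update.
build_ipset_restore() {
    name="$1"; list="$2"
    opts="hash:net family inet hashsize 4096 maxelem 262144"
    echo "create ${name} ${opts}"
    echo "create ${name}-tmp ${opts}"
    echo "flush ${name}-tmp"
    filter_cidrs "$list" | sed "s/^/add ${name}-tmp /"
    echo "swap ${name}-tmp ${name}"
    echo "destroy ${name}-tmp"
}

# Load the set and ensure exactly one DROP rule references it. `iptables -C`
# makes this idempotent; `-I INPUT 1` puts the rules ahead of pve-firewall's
# PVEFW-INPUT jump. The ACCEPT for ADMIN_NET is inserted last so it lands
# above the DROP.
apply_geoblock() {
    mkdir -p "$STATEDIR"
    build_ipset_restore "$SETNAME" "$STATEDIR/cidrs.txt" > "$STATEDIR/ipset.restore"
    ipset restore -exist < "$STATEDIR/ipset.restore"
    iptables -C INPUT -m set --match-set "$SETNAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT 1 -m set --match-set "$SETNAME" src -j DROP
    iptables -C INPUT -s "$ADMIN_NET" -j ACCEPT 2>/dev/null \
        || iptables -I INPUT 1 -s "$ADMIN_NET" -j ACCEPT
}

# Persistence across reboots: a oneshot unit that re-runs this script after
# pve-firewall has built its chains. $1 = unit path, $2 = path of this script.
write_systemd_unit() {
    cat > "$1" <<EOF
[Unit]
Description=Load GeoIP block ipset and iptables rule
After=network.target pve-firewall.service

[Service]
Type=oneshot
ExecStart=$2 apply
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    apply)        apply_geoblock ;;
    install-unit) write_systemd_unit /etc/systemd/system/geoblock.service "$(readlink -f "$0")" ;;
    *)            : ;;   # no verb: define functions only (safe to source)
esac
```

Usage: drop the downloaded country list into `/etc/geoblock/cidrs.txt`, run `sh geoblock.sh apply` once from a console session (not over SSH from an address the list might cover), then `sh geoblock.sh install-unit && systemctl enable geoblock.service`. After a `systemctl restart pve-firewall` check with `iptables -S INPUT` that the two rules are still above `-j PVEFW-INPUT`; if pve-firewall reorders them on your version, that is the interference the reply warns about, and the safer route is to feed the list into the PVE firewall's own `[IPSET <name>]` section in `/etc/pve/firewall/cluster.fw` and reference it from a rule with `-source +<name>`, which also replicates to all nodes.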