Geo IP block help

[henryd99]

Hi all,

Current running a 3 node cluster with version 8.2.4, for what I can see its running iptables and not nftables.

We wish to lock down our individual nodes or a cluster as a whole using GeoIP rule IPsets, and using the GUI for this is not an option (We are using the cluster/Node/VM built in
firewall functionality in GUI for basic rules).

Does anyone have any recommendations on making this as efficient as possible as well as how to ensure this stays persistent through reboots, upgrades, etc..

Thank you.

 

[UdoB]

From my point of view it is not best practice to connect a PVE cluster directly to the outer internet. There should always exist a router with filtering capabilities. In that picture the router would do Geo blocking, beside other things. My recommendation is to re-evaluate the possibility of an implementation of something like OpnSense in front of your cluster.

That said... PVE is Debian, and there are a vast number of small projects out there implementing this. Just note that there is a) a non-zero chance to lockout yourself and b) that you may interfere with the PVE integrated solution.

One random(!) article describing an as-simple-as-possible approach, just as an example: https://blog.ip2location.com/knowledge-base/how-to-block-ip-addresses-from-a-country-using-ipset/

Good luck!

 

[henryd99]

From my point of view it is not best practice to connect a PVE cluster directly to the outer internet. There should always exist a router with filtering capabilities. In that picture the router would do Geo blocking, beside other things. My recommendation is to re-evaluate the possibility of an implementation of something like OpnSense in front of your cluster.

That said... PVE is Debian, and there are a vast number of small projects out there implementing this. Just note that there is a) a non-zero chance to lockout yourself and b) that you may interfere with the PVE integrated solution.

One random(!) article describing an as-simple-as-possible approach, just as an example: https://blog.ip2location.com/knowledge-base/how-to-block-ip-addresses-from-a-country-using-ipset/

Good luck!

Hi,

Thanks for the reply.

Yes I agree, our other clusters we own are all on private IPs only accessible via VPNs, but in this case we have a 3 node cluster with a server vendor in a Datacentre in London.

The Datacentre, do not offer firewall/routers or even virtualised in that environment.
All nodes API/GUI access are locked down with access only from our VPNs.

The GEO block is only to affect ports 5060:5090, everything else is fine using built in Firewall.

Thanks

 

[_gabriel]

Edit : UdoB link is less complicated.

I use this script https://github.com/mkorthof/ipset-country on a host
customize the code to keep ipdeny.com download/update and ipset generation/update
Remove firewall/rules parts
Then use the "ipset" generated directly in PVE firewall.

 

[_gabriel]

After a try , ipset created with PVE UI cannot be managed with ipset direcly.
ipset created with PVE UI can be updated with CLI pvesh create /cluster/firewall/ipset/my-pve-ipset-name --cidr x.x.x.x/y but too slow if many lines.
editing cluster.fw directly is instant.