[SOLVED] Inverse firewall rule

[Julian J. M.]

I have the default input rule for the VMs as DROP, and then enable specific ports based on the services that machine provides.

What I'm trying to do is to, explicitly block everything from outside of my country.

I can create an ipset "spain", with all the network ranges, and I could just ACCEPT anything from that ipset, but that would open everything. I just want to block everything else not in that ipset.

Is it possible with current implementation?

Thanks,
Julian.

 

[dietmar]

I can create an ipset "spain", with all the network ranges, and I could just ACCEPT anything from that ipset, but that would open everything. /QUOTE]

This only accepts traffic from that ipset. I do not understand why you think that opens everything?

 

[Julian J. M.]

This only accepts traffic from that ipset. I do not understand why you think that opens everything?

What I mean is that it opens all ports to members of that ipset.

1)
accept port TCP/22
block (default policy)

2)
accept ipset spain
accept port TCP/22 (redundant)
block (default policy)

3)
block ip set NOT spain
accept port TCP/22
block (default policy)

I currently have 1). I can do 2) but that opens all ports to computers from spain, not just 22/TCP
I want 3): standard rules but drop any foreign connection.

Thanks

 

[dietmar]

Why don't you simply make rules like:

accept port TCP/22 from ipset spain
block (default policy)

 

[Julian J. M.]

Why don't you simply make rules like:

accept port TCP/22 from ipset spain
block (default policy)

Good question! :-D

Thanks man, that's what I needed.