Running 1.4-rolling.
Previously on 1.3 I used a script to populate the IP ranges for a bunch of countries using ipset into a firewall group. This allowed me to only accept connections from IPs listed in that group, effectively a country code whitelist.
I have no idea how to port that to use nft and was hoping with the introduction of geoip there is some way to achieve the same but natively in my config.boot.
E.g. I want to only accept connections from the following countries - ch gb nz sg de us
Can anyone point me in the right direction…?
Thanks in advance.
1 Like
Hello,
With version 1.4, If you only filter by country, you can use geoip filtering with country-codes : Firewall — VyOS 1.4.x (sagitta) documentation :
set firewall name <name> rule <1-999999> source geoip country-code <country>
set firewall name <name> rule <1-999999> source geoip inverse-match
set firewall ipv6-name <name> rule <1-999999> source geoip country-code <country>
set firewall ipv6-name <name> rule <1-999999> source geoip inverse-match
set firewall name <name> rule <1-999999> destination geoip country-code <country>
set firewall name <name> rule <1-999999> destination geoip inverse-match
set firewall ipv6-name <name> rule <1-999999> destination geoip country-code <country>
set firewall ipv6-name <name> rule <1-999999> destination geoip inverse-match
For the country code list, I use this list with alpha-2 codes : https://www.iban.com/country-codes
UPDATE : Just in case - and this is an important point - country codes must be entered in lower case in the rules.
The part I’m missing conceptually is what the rules would look like to only accept traffic from x number of countries.
Do I need to create an accept rule per country with a default of deny?
Here’s my WAN-LAN rule, using a ZB firewall.
show firewall name wan-lan
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
rule 200 {
action accept
destination {
group {
port-group rp-ports
}
}
protocol tcp
}
rule 300 {
action accept
destination {
group {
port-group mail-ports
}
}
protocol tcp
}
rule 600 {
action accept
destination {
group {
port-group gaming-ports
}
}
protocol tcp_udp
}
What would I need to add to, for example, only accept traffic from gb, ch, us, de, sg and nz?
I can add a rule for the inverse of any one country but I’ve no idea how to extend this to multiple countries.
@nyxtorm How to configuration PBR with firewall group base geoip ?
@echowings,
I’m sorry, I’ve only been using VyOS for a few days and I don’t yet know all its subtleties. And the answer to your question also interests me and ties in with my other post on Group geoip countries
@phillipmcmahon,
I wonder if with the current way of working you wouldn’t be obliged to create a rule for each country and for each of your accepted rules as long as it isn’t possible to create groups of countries.
For example:
rule 600 {
action accept
source {
geoip {
coutry-code ch
}
destination {
group {
port-group gaming-ports
}
}
protocol tcp_udp
}
And perhaps you could create a group of your existing port groups to limit the number of rules?
set firewall group port-group all_ports_group include rp-ports
set firewall group port-group all_ports_group include mail-ports
set firewall group port-group all_ports_group include gaming-ports
Maybe there’s something more practical, maybe an expert can correct me.
Have a nice day and sorry if my English is sometimes a bit …weird 
Thanks for the suggestion. I think for now I will leave things as they are, this doesn’t really scale without the ability to use groups which include multiple country codes. Great suggestion btw!
It’s a nice-to-have whitelisting permissible source countries but I’m not counting on it as a primary security control.
In two minds with regards to flattening the port groups, the current view keeps things clear and separate. E.g. I can modify a rule set specific to a port range if ever the requirements change. If I flatten now I suspect I’d have to unpack at some point in the future.