Blocking, only allowing South African IP address blocks
Say, we wish to stop hackers and the suggestion is to only allow through South African IP addresses as we are based in South Africa and the all the connections to the server are coming from South African IPs. Please assist with obtaining the South African IP address ranges as well as instructions on how to configure the Firewall on a Win2008 server. The server is on a Public South African IP and there is no firewall in front of it that we can configure. tx
ASKER
Tx - with this method: For configuring the windows 2008 firewall you can find a tutorial here.
I would have to block all those outside South Africa.
How would I only allow South Africa IP in?
How can I prevent locking myself out of the server- must I allow the servers ip explicitly - I assume to be safe as applying the allow IP's rule and using South African ranges - will this effectively block all other ips?
I would have to block all those outside South Africa.
How would I only allow South Africa IP in?
How can I prevent locking myself out of the server- must I allow the servers ip explicitly - I assume to be safe as applying the allow IP's rule and using South African ranges - will this effectively block all other ips?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I would take a different approach ... I think this is a lot simpler to do in linux.
Bring up a basic linux router / firewall from any of the preconfigured kits on the internet. A very small system will do as long as it has two Ethernet interfaces. Configure it to pass all traffic between ports A and B.
Install iptables on the system and also add the geoip plugin.
Then add a shell script to run at startup time after networking is up, with the command line
iptables -t filter -A INPUT -i eth0 -m geoip --src-cc ZA -p tcp -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -j REJECT
Assume that eth0 is the Ethernet port facing the internet and that the system is routing traffic from eth0 to eth1 and vice versa. This accepts all incoming connections on ethernet interface 0, on every port, coming from South Africa, and rejects all others.
This will be about 99% reliable if the geoip database is updated weekly via cron script. It won't be perfect because there is always some ISP changing their CIDR blocks and it takes a while for that information to percolate out to the geoip database.
A nice side benefit of this is that you can do other blocking and accepting as well down to very specific levels. If one particular ISP is a spam problem, it can be locked out with a line similar to:
iptables -t filter -A WebLockouts -s 38.0.0.0/8 -p tcp --dport 25 -j REJECT
Bring up a basic linux router / firewall from any of the preconfigured kits on the internet. A very small system will do as long as it has two Ethernet interfaces. Configure it to pass all traffic between ports A and B.
Install iptables on the system and also add the geoip plugin.
Then add a shell script to run at startup time after networking is up, with the command line
iptables -t filter -A INPUT -i eth0 -m geoip --src-cc ZA -p tcp -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -j REJECT
Assume that eth0 is the Ethernet port facing the internet and that the system is routing traffic from eth0 to eth1 and vice versa. This accepts all incoming connections on ethernet interface 0, on every port, coming from South Africa, and rejects all others.
This will be about 99% reliable if the geoip database is updated weekly via cron script. It won't be perfect because there is always some ISP changing their CIDR blocks and it takes a while for that information to percolate out to the geoip database.
A nice side benefit of this is that you can do other blocking and accepting as well down to very specific levels. If one particular ISP is a spam problem, it can be locked out with a line similar to:
iptables -t filter -A WebLockouts -s 38.0.0.0/8 -p tcp --dport 25 -j REJECT
DrKlahnIs correct but I don´t mention this approach because shaunwingin is asking for help with a windows firewall.
But yes, It will be easier with Linux, at the end you will not mess with windows firewall protocols and some service ports needed for communications.
Ah, my bad. I forgot to add something very important ...
"Place the linux router/firewall in front of the existing Windows server, facing the internet, so that it can filter the traffic before the Windows system sees it. Then no changes are needed in the Windows system."
"Place the linux router/firewall in front of the existing Windows server, facing the internet, so that it can filter the traffic before the Windows system sees it. Then no changes are needed in the Windows system."
This will require a lot of effort.
Because this will require a lot o writing I'm pointing to some links that can help you.
For the Ip address' assigned to South Africa the most reliable source will be the Communications regulator in South Africa.
But you can find some address' here and here
.
For configuring the windows 2008 firewall you can find a tutorial here.
Hope it helps.
David