Solved

Blocking, only allowing South African IP address blocks

Posted on 2014-10-30
6
Medium Priority
427 Views
Last Modified: 2014-11-04
Say, we wish to stop hackers and the suggestion is to only allow through South African IP addresses as we are based in South Africa and the all the connections to the server are coming from South African IPs. Please assist with obtaining the South African IP address ranges as well as instructions on how to configure the Firewall on a Win2008 server. The server is on a Public South African IP and there is no firewall in front of it that we can configure. tx
0
Comment
Question by:shaunwingin
6 Comments
 
LVL 12

Expert Comment

by:David Paris Vicente
ID: 40413887
Hi shaunwingin,

This will require a lot of effort.
Because this will require a lot of writing, I'm pointing to some links that can help you.
For the IP addresses assigned to South Africa, the most reliable source will be the Communications regulator in South Africa.

But you can find some addresses here and here.

For configuring the Windows 2008 firewall you can find a tutorial here.


Hope it helps.

David
0
 

Author Comment

by:shaunwingin
ID: 40414154
Tx - with this method: For configuring the Windows 2008 firewall you can find a tutorial here.
I would have to block all those outside South Africa.
How would I only allow South African IPs in?
How can I prevent locking myself out of the server - must I allow the server's IP explicitly? I assume, to be safe, that applying the allow IPs rule and using South African ranges will effectively block all other IPs?
0
 
LVL 12

Accepted Solution

by:
David Paris Vicente earned 2000 total points
ID: 40416133
Because this can be really tricky, I suggest doing the following.

Create a rule -> General tab: choose Allow connection.
Scope -> select Any local IP address, then in the Remote IP add all South African subnets, including all your private network, in the Remote IP Address.

What this will do is permit access only from the defined subnets.

Example:

I suggest trying first with the ICMP protocol; for that, in the inbound rules disable only File and Printer Sharing (Echo Request - ICMPv4-In) and File and Printer Sharing (Echo Request - ICMPv6-In).
Then try to ping the machine. If everything is OK you will not be able to ping that machine, but the RDP session is available.

Then I have the following scenario, but you will have to tweak it for your reality.

I have a server in my DMZ; this server has the IP 10.0.14.1.
I also have a private network with the following subnet: 10.0.12.0/23.
So in the Scope tab I choose the radio button for Any IP Address in the Local IP Address.

And in Remote IP Address choose all the subnets that you want to define, probably all your internal subnets (in my case I have a Class A network, so all my internal/private network is inside the scope 10.0.0.0/8, so I will define this large subnet) and also the South African subnets. Try it first for the private network.

After this test you will be able to understand the flow, and you will understand what protocols you will want to permit or deny.

Note: Don't disable any protocol for RDP; you will lose remote access.

I hope not to confuse you, but it is tricky; that's why these settings are more easily configured in a firewall appliance.


Regards
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40419503
I would take a different approach ... I think this is a lot simpler to do in Linux.

Bring up a basic Linux router / firewall from any of the preconfigured kits on the internet.  A very small system will do as long as it has two Ethernet interfaces.  Configure it to pass all traffic between ports A and B.

Install iptables on the system and also add the geoip plugin.

Then add a shell script to run at startup time after networking is up, with the command line

iptables -t filter -A INPUT -i eth0 -m geoip --src-cc ZA -p tcp -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -j REJECT


Assume that eth0 is the Ethernet port facing the internet and that the system is routing traffic from eth0 to eth1 and vice versa.  This accepts all incoming connections on Ethernet interface 0, on every port, coming from South Africa, and rejects all others.

This will be about 99% reliable if the geoip database is updated weekly via cron script.  It won't be perfect because there is always some ISP changing their CIDR blocks and it takes a while for that information to percolate out to the geoip database.

A nice side benefit of this is that you can do other blocking and accepting as well down to very specific levels.  If one particular ISP is a spam problem, it can be locked out with a line similar to:

iptables -t filter -A WebLockouts -s 38.0.0.0/8 -p tcp --dport 25 -j REJECT
0
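Both answers above come down to the same allowlist idea: a set of CIDR blocks (South African ranges plus your own private network) that inbound connections must match, applied either as the Remote IP scope of a Windows Firewall rule or as an iptables ACCEPT followed by a catch-all REJECT. The script below is an added example for this thread, not code from either answer. It validates the block list, checks that the administrator's own source addresses are inside the scope before any rule is emitted (the lockout worry in the author's follow-up), and then prints the Windows `netsh advfirewall` command equivalent to the accepted answer's GUI steps and an explicit-CIDR iptables rule pair in place of Dr. Klahn's `geoip` match. The two public ranges in `ALLOWED_BLOCKS` are documentation placeholders, not real South African allocations; take the real list from the regulator or registry as the first answer suggests.

```python
"""Country-style inbound allowlist with a self-lockout check.

Added example for this thread, not code from either answer.  The public
ranges below are constructed placeholders (RFC 5737 documentation nets),
NOT real South African allocations.
"""
import ipaddress

# Constructed sample allowlist: two placeholder "South African" public blocks
# plus the private range used in the accepted answer's own scenario.
ALLOWED_BLOCKS = [
    "192.0.2.0/24",      # placeholder (TEST-NET-1), not a real ZA allocation
    "198.51.100.0/24",   # placeholder (TEST-NET-2), not a real ZA allocation
    "10.0.0.0/8",        # internal/private network from the accepted answer
]


def parse_blocks(blocks):
    """Parse every entry as an IP network so a typo fails here, not on the firewall."""
    return [ipaddress.ip_network(b, strict=False) for b in blocks]


def is_allowed(addr, nets):
    """True if addr falls inside any allowlisted network (v4/v6 mismatch is False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def check_no_lockout(admin_addrs, nets):
    """Return the admin source addresses NOT covered by the allowlist.

    An empty result means applying the rule cannot lock these admins out.
    """
    return [a for a in admin_addrs if not is_allowed(a, nets)]


def netsh_rule(nets, name="Allow-ZA-RDP", port=3389):
    """Windows Firewall equivalent of the accepted answer's GUI steps:
    inbound, allow, local IP any, remote IP restricted to the allowlist."""
    remote = ",".join(str(n) for n in nets)
    return (f'netsh advfirewall firewall add rule name="{name}" dir=in '
            f'action=allow protocol=TCP localport={port} remoteip={remote}')


def iptables_rules(nets, iface="eth0"):
    """Explicit-CIDR stand-in for the geoip rule pair: accept each listed
    block, then reject everything else arriving on the same interface.
    Order matters; the REJECT must come last."""
    rules = [f"iptables -t filter -A INPUT -i {iface} -s {n} -p tcp -j ACCEPT"
             for n in nets]
    rules.append(f"iptables -t filter -A INPUT -i {iface} -p tcp -j REJECT")
    return rules


def main():
    nets = parse_blocks(ALLOWED_BLOCKS)
    # Constructed admin addresses: one on the private LAN, one in a "ZA" block.
    admins = ["10.0.12.5", "192.0.2.77"]
    missing = check_no_lockout(admins, nets)
    if missing:
        raise SystemExit(f"refusing to emit rules; admins not in scope: {missing}")
    print(netsh_rule(nets))
    print("\n".join(iptables_rules(nets)))


if __name__ == "__main__":
    main()
```

Run it with your management workstation's public address in `admins`; if the script refuses, widen the scope before touching the server, because once the rule is active only sources inside the list can reach RDP.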
 
LVL 12

Expert Comment

by:David Paris Vicente
ID: 40419570
Dr. Klahn is correct, but I didn't mention this approach because shaunwingin is asking for help with a Windows firewall.

But yes, it will be easier with Linux; in the end you will not mess with Windows firewall protocols and the service ports needed for communications.
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40419616
Ah, my bad.  I forgot to add something very important ...

"Place the Linux router/firewall in front of the existing Windows server, facing the internet, so that it can filter the traffic before the Windows system sees it.  Then no changes are needed in the Windows system."
0
