Hello, I have Debian 12 and I followed the guide to install Ispconfig 3. I would like to implement a geo IP filter to block some nasty countries consuming my bandwidth and trying to hack me. The problem is that the configuration of ispconfig can affect basic iptables rules, so I'm here to ask you what is the best approach to block such IPs. My idea was to create something like this:

    ipset create geoblock hash:net
    curl -s http://www.ipdeny.com/ipblocks/data/countries/cn.zone | xargs -I % sudo ipset add geoblock %
    iptables -I INPUT -m set --match-set geoblock src -j DROP

This works until the reboot, when the rules vanish. How can I make them permanent effectively? I tried to make them permanent but I failed. I installed netfilter-persistent and saved the rules. Then I created a script to load the rules on reboot:

    nano /etc/network/if-pre-up.d/00-ipset-restore

and put this in it:

    #!/bin/sh
    ipset restore < /etc/iptables/ipsets.rules

After rebooting I cannot connect to my system because I found a lot of new rules (ufw, nftables) appeared on my machine. After trying to remove them unsuccessfully, I decided to revert the snapshot. Thank you all
What about creating a cron job that runs at boot, which executes the exact commands instead of using ipset? ISPConfig does not manage the firewall of your system, unless you created and enabled a firewall in ISPConfig.
There's a technical problem: if you try to load 50,000 IP addresses (like entire countries) one by one with iptables -A, the server will slow down dramatically every time it receives a packet. For this reason, even without ipset, I need to use CIDRs (network blocks) for more efficiency. Is this doable or can you suggest another solution to me? Thank you
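The two posts above boil down to one script: turn a downloaded zone file into an `ipset restore` session (one hash:net set holding the CIDRs, matched by a single iptables rule, instead of one rule per address), and reload it at boot from a cron `@reboot` line or an if-pre-up hook before whatever restores the iptables rules, because iptables-restore refuses a rule whose set does not exist yet. The script below is an added example written for this thread, not code from the original posts or from the ISPConfig project. It assumes the set name `geoblock`, an IPv4-only zone file in the ipdeny one-CIDR-per-line format (as fetched by the curl command in the first post), and `/etc/iptables/ipsets.rules` as the restore file; the embedded zone data is constructed sample input, not a real country list.

```shell
#!/bin/sh
# Added example (not from the thread): build an `ipset restore` file from an
# ipdeny-style zone file (one CIDR per line), then load it with one `ipset
# restore` call and a single iptables rule instead of 50,000 `iptables -A`.
# Assumed: set name "geoblock", restore file under /etc/iptables, IPv4 only.

SET_NAME="${SET_NAME:-geoblock}"
RESTORE_FILE="${RESTORE_FILE:-/etc/iptables/ipsets.rules}"

# Constructed sample standing in for a downloaded cn.zone; the junk lines are
# there to show that the filter drops them.
SAMPLE_ZONE='1.0.1.0/24
1.0.2.0/23
# comment
1.0.8.0/21
256.1.1.0/24
not-a-cidr
'

# Read zone lines on stdin and emit only well-formed IPv4 CIDRs
# (octets 0-255, prefix 0-32). Comments, blank lines and junk are dropped.
filter_cidrs() {
    tr -d '\r' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' \
    | awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && $5<=32'
}

# Emit an `ipset restore` session for one set: the create line first, then
# one add line per CIDR. hash:net stores networks, so a packet lookup is a
# hash probe per prefix length rather than a walk over thousands of rules.
build_restore() {
    set_name="$1"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144\n' "$set_name"
    filter_cidrs | while IFS= read -r cidr; do
        printf 'add %s %s\n' "$set_name" "$cidr"
    done
}

# Load the saved set and attach one DROP rule to INPUT. Needs root, and the
# set must exist before any iptables rule refers to it, so at boot this has
# to run before iptables-restore / netfilter-persistent load the rules.
apply_geoblock() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_geoblock: needs root" >&2
        return 1
    fi
    ipset restore -exist < "$RESTORE_FILE"
    # -C checks whether the rule is already present, so re-running this
    # (e.g. from a cron @reboot line) does not stack duplicate DROP rules.
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

case "${1:-demo}" in
    demo)  printf '%s' "$SAMPLE_ZONE" | build_restore "$SET_NAME" ;;   # print a session for the sample data
    build) build_restore "$SET_NAME" < "${2:?zone file}" > "$RESTORE_FILE" ;;
    apply) apply_geoblock ;;
    *)     echo "usage: $0 demo | build ZONEFILE | apply" >&2 ;;
esac
```

Typical use: fetch the zone file with the curl command from the first post, run `sh geoblock.sh build cn.zone` once (re-run it whenever the list is refreshed), and call `sh geoblock.sh apply` from a cron `@reboot` line or from the `/etc/network/if-pre-up.d/` script. Running `demo` without arguments just prints the generated session so the format can be inspected before anything touches the firewall. If ISPConfig's own firewall manager (UFW on Debian) is enabled, leave it disabled for a hand-managed setup as advised later in the thread, otherwise both will be rewriting the same chains.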
This is not really an ISPConfig question as ISPConfig does not manage it, all you have to take care ISPConfig-wise is not to use ISPConfig firewall manager to manage your firewall if you want to manage it manually. I do not use such a solution on my systems, but I'm sure you will find someone who has implemented it using Google with some suggestions on how to do so.
Even if it did, shouldn't it be using ufw on Debian (as with Ubuntu) instead of iptables? And with (ufw) firewall enabled in ispconfig you can still add your own permanent custom rules. If iptable rules disappear on reboot they weren't made permanent prior to the reboot.
@till Thank you Till. @remkoh I probably messed up with rules and rules order. I'll experiment with CIDR, maybe the vps will carry the load well.
Yes, ISPConfig uses UFW as default on Debian and Ubuntu. Indeed. But as we had these topics in the past weeks about ISPConfig changing the firewall when you use ISPConfig to manage it (you might remember), I now simply recommend not using ISPConfig for the firewall management at all if you want to manage it manually.