Block countries but allow port 53/dns

bulgin23
Junior Member
Posts: 22
Joined: 06 Apr 2018, 01:17

Block countries but allow port 53/dns

Post by bulgin23 »

Hello,

I hope everyone is well.

I have a need to block countries, but allow DNS queries into the server from everywhere, including those countries I've blocked.

What is the simplest solution with CSF for this?

Thanks in advance for any help.
sahostking
Junior Member
Posts: 44
Joined: 29 May 2013, 19:07
Location: Cape Town, South Africa

Re: Block countries but allow port 53/dns

Post by sahostking »

I would say maybe using something like this, unless someone else has a better idea. You could deny service/port access to many countries attacking your server by just using their country codes.

# This option denies access from the following countries to specific ports
# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules so that explicitly allowed IP addresses still get through
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY_PORTS = ""

# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
# NOT be removed from TCP_IN/UDP_IN
#
# An example would be to list port 21 here; then countries listed in
# CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""
bulgin23
Junior Member
Posts: 22
Joined: 06 Apr 2018, 01:17

Re: Block countries but allow port 53/dns

Post by bulgin23 »

SOLVED: I used the following solution provided by viewtopic.php?t=7558&sid=d0d3e273b6ef83 ... 44b6671ebb
Case 2 (recommended)

Block a few countries but still allow them to reach some ports
Example: Block China, Russia and Nigeria except HTTP and HTTPS

CC_DENY_PORTS = "NG,CN,RU"
CC_DENY_PORTS_TCP = "1:79,81:442,444:65535"
CC_DENY_PORTS_UDP = "1:65535"
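As an added example (not part of this thread and not CSF's own code), a small Python helper that derives the CC_DENY_PORTS_TCP/UDP range lists for the "block countries except a few ports" approach above, applied to the original question (exempt port 53 on TCP and UDP), and checks whether a given port falls inside a range list before the config is deployed. The function names are my own; the range syntax and the three csf.conf keys are the ones used in the thread.

```python
"""Build CSF CC_DENY_PORTS_* range lists that exempt specific ports.

Added example; helper names are hypothetical, the csf.conf keys are real.
"""


def csf_deny_ranges(exempt_ports, low=1, high=65535):
    """Return a CSF range list covering low..high except exempt_ports.

    exempt {80, 443} -> "1:79,81:442,444:65535" (the thread's Case 2)
    exempt {53}      -> "1:52,54:65535"        (the original question)
    """
    exempt = sorted({p for p in exempt_ports if low <= p <= high})
    ranges = []
    start = low
    for p in exempt:
        if p > start:                      # gap before the exempt port
            ranges.append((start, p - 1))
        start = p + 1                      # resume after it
    if start <= high:                      # trailing range up to high
        ranges.append((start, high))
    return ",".join(f"{a}:{b}" if a != b else str(a) for a, b in ranges)


def port_is_denied(port, range_spec):
    """True if `port` is inside a CSF range list such as "1:52,54:65535"."""
    for item in range_spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            a, b = item.split(":", 1)
            if int(a) <= port <= int(b):
                return True
        elif int(item) == port:
            return True
    return False


def csf_conf_lines(countries, exempt_tcp, exempt_udp):
    """Render the three csf.conf lines (values quoted, as csf.conf expects)."""
    cc = ",".join(countries)
    return [
        f'CC_DENY_PORTS = "{cc}"',
        f'CC_DENY_PORTS_TCP = "{csf_deny_ranges(exempt_tcp)}"',
        f'CC_DENY_PORTS_UDP = "{csf_deny_ranges(exempt_udp)}"',
    ]


if __name__ == "__main__":
    for line in csf_conf_lines(["NG", "CN", "RU"], {53}, {53}):
        print(line)
```

Run it and paste the three printed lines into csf.conf; `port_is_denied(53, ...)` returning False confirms DNS is left reachable from the listed countries.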
poudenes
Junior Member
Posts: 3
Joined: 06 May 2014, 17:00

Re: Block countries but allow port 53/dns

Post by poudenes »

Hi All,

It's an old post, but I'm trying to install CSF on my Debian 11. Everything is working, but when I start CSF all resolving actions are blocked.
This is my config:


CC_ALLOW_PORTS = "BG,IR,IQ,RU,CN,NG"
CC_ALLOW_PORTS_TCP = "53"
CC_ALLOW_PORTS_UDP = "53"

TESTING = "0"
TESTING_INTERVAL = "5"
RESTRICT_SYSLOG = "3"
RESTRICT_SYSLOG_GROUP = "mysyslog"
RESTRICT_UI = "1"
AUTO_UPDATES = "1"
LF_SPI = "1"

TCP_IN = "25,53,80,143,443,465,587,953,993,995,3000,7045,8080,8081"
TCP_OUT = "25,53,80,113,443,587,953,993,995,7045,8080,8081"
UDP_IN = "53,80,443,953"
UDP_OUT = "53,113,123,953"
My idea is to allow only some countries to use port 53. But this is what I see in syslog:


Mar 22 10:30:04 mail named[346931]: address not available resolving 'ns.ukwebs.net/AAAA/IN': 2604:4500:9:156::4#53
Mar 22 10:30:04 mail named[346931]: address not available resolving 'ns.ukwebs.net/A/IN': 2604:4500:9:156::4#53
Mar 22 10:30:04 mail named[346931]: address not available resolving 'ns.ukwebs.net/AAAA/IN': 2a01:4f8:13b:355e::2#53
Mar 22 10:30:04 mail named[346931]: address not available resolving 'ns.ukwebs.net/A/IN': 2a01:4f8:13b:355e::2#53
Mar 22 10:30:04 mail named[346931]: address not available resolving '_.165.66.list.dnswl.org/A/IN': 2a01:4f8:c2c:52e::feed#53
Mar 22 10:30:04 mail named[346931]: address not available resolving '_.165.66.list.dnswl.org/A/IN': 2400:8901::f03c:91ff:fee9:a89#53
Mar 22 10:30:05 mail named[346931]: address not available resolving 'default._domainkey.forum.configserver.com/TXT/IN': 2a01:4f8:13b:355e::2#53
Mar 22 10:30:05 mail named[346931]: address not available resolving '_.246.165.66.list.dnswl.org/A/IN': 2a01:4f8:1c0c:708f::53#53


root@hassio:/home/poudenes# nslookup ns.ukwebs.net
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   ns.ukwebs.net
Address: 66.165.246.164
Name:   ns.ukwebs.net
Address: 2604:4500:9:156::4
root@hassio:/home/poudenes# nslookup dnswl.org
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   dnswl.org
Address: 168.119.229.146
Name:   dnswl.org
Address: 2a01:4f8:1c0c:708f::1
Can someone assist me?