CountryCode blocks applying to outgoing as well?

Post Reply
websavers
Junior Member
Posts: 17
Joined: 04 Sep 2013, 13:46

CountryCode blocks applying to outgoing as well?

Post by websavers »

Hey there,

We had an issue wherein a server couldn't reach the Plesk licensing server, even with port 5224 added to the egress rules. We had RU added to the CC_DENY config which was very clearly the cause (I found the blocked range in iptables). After removing RU from CC_DENY, all worked fine.

I had even tried inserting a rule into csf.allow which created the corresponding iptables rule correctly, yet it wasn't overriding the CC_DENY config (shouldn't it?)

But even more odd is that the CountryCode rules show the following documentation:
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
Notice the very end where it says they're for incoming connections only: this was an outgoing connection that it was blocking. Is the documentation wrong or is this a bug?
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: CountryCode blocks applying to outgoing as well?

Post by ForumAdmin »

That is to be expected. You can connect out to that IP but you cannot receive from it. If you have blocked any IP using CC blocking you would have to whitelist any exceptions you want to them.
websavers
Junior Member
Posts: 17
Joined: 04 Sep 2013, 13:46

Re: CountryCode blocks applying to outgoing as well?

Post by websavers »

So the conclusions here are:

1. Even though the initial connection to the Parallels/Odin server is outgoing, any incoming traffic even if it originates from the outgoing session, will be blocked.
2. To provide an exception to CSF it must be placed in csf.ignore as csf.allow won't get around the CC rules.

Is that right?
Post Reply