Hello,
I am trying to drop all attempts to penetrate our server via FTP from around 30 countries, so for the moment I am using:
CC_DENY_PORTS = CN,RU,TW,VN,ID,TH,TR,KR,IR,BA,BG,BY,...
CC_DENY_PORTS_TCP = 21
CC_DENY_PORTS_UDP = 21
This is creating a very long list of IP addresses that I can see in View iptables Rules.
My purpose is to only allow 1 country, and drop all others to FTP access.
Is it possible to use CC_ALLOW_FILTER ("An alternative to CC_ALLOW is to only allow access from the following countries but still filter based on the port and packets rules. All other connections are dropped") together with some options like CC_ALLOW_PORTS and/or CC_DENY_PORTS in a mixed solution?
Perhaps there is another, much simpler solution, so I hope to receive some alternatives around this confusion.
Regards,
Wilhelm.
To allow FTP access ONLY from 1 Country
Re: To allow FTP access ONLY from 1 Country
Wilhelm,
Instead of blocking all those countries, why don't you remove port 21 from TCP/UDP IN/OUT and create the rules needed for the only IP that will be accessing your FTP port?
Just my 2 cents.
Re: To allow FTP access ONLY from 1 Country
Thanks for your reply Sergio, it seems to me more secure and efficient to grant access to ftp only for some IP addresses.
The problem is that my customers and I need to have access from different providers, and most of them have dynamic IP addresses.
So, the real requirement would be in the near future to add more countries.
Re: To allow FTP access ONLY from 1 Country
My purpose is to only allow 1 country, and drop all others to FTP access.
Well, in that case, what you can do to grant access to port 21 to only one country is use:
CC_ALLOW_PORTS = US
CC_ALLOW_PORTS_TCP = 21
CC_ALLOW_PORTS_UDP = 21
"An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
then only countries listed in CC_ALLOW_PORTS can access FTP"
Sergio
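The csf.conf comment quoted above carries the one caveat that is easy to miss: a port listed in CC_ALLOW_PORTS_TCP/UDP only becomes country-restricted if it is also removed from TCP_IN/UDP_IN, otherwise the general open-port rule still admits every country and the CC_ALLOW_PORTS rule changes nothing. The following script is an added example, not from the thread or from the CSF project: it parses csf.conf-style lines (quoted or unquoted values, `lo:hi` port ranges, `#` comments) and reports any port that appears in both places. The two config excerpts embedded in it are constructed for the demonstration.

```python
"""Check a csf.conf excerpt for ports that are both country-restricted
(CC_ALLOW_PORTS_TCP/UDP) and still globally open (TCP_IN/UDP_IN).

Added example; the sample configurations below are constructed, not
taken from any real server.
"""
import re

# Constructed excerpt where port 21 was left in TCP_IN by mistake:
# the CC_ALLOW_PORTS restriction to US is silently ineffective for TCP.
SAMPLE_CONF = '''
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,30000:35000"
UDP_IN = "20,53"
CC_ALLOW_PORTS = "US"
CC_ALLOW_PORTS_TCP = "21"
CC_ALLOW_PORTS_UDP = "21"
'''

# Constructed excerpt with port 21 removed from TCP_IN as the docs require.
FIXED_CONF = '''
TCP_IN = "20,22,25,53,80,110,143,443,465,587,993,995,30000:35000"
UDP_IN = "20,53"
CC_ALLOW_PORTS = "US"
CC_ALLOW_PORTS_TCP = "21"
CC_ALLOW_PORTS_UDP = "21"
'''

# KEY = "value"  or  KEY = value, optionally followed by a # comment.
_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')


def parse_conf(text):
    """Return {KEY: value} for csf.conf-style assignments, ignoring
    blank lines and comment lines."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def expand_ports(value):
    """Expand a CSF port list such as '20,21,30000:30002' into a set of
    ints. CSF writes ranges as lo:hi; an empty value yields an empty set."""
    ports = set()
    for item in filter(None, (p.strip() for p in value.split(','))):
        if ':' in item:
            lo, hi = item.split(':', 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def find_conflicts(conf):
    """Return {proto: [ports]} for ports that are in CC_ALLOW_PORTS_<proto>
    and also in <proto>_IN. Such ports stay open to all countries."""
    conflicts = {}
    for proto in ('TCP', 'UDP'):
        restricted = expand_ports(conf.get(f'CC_ALLOW_PORTS_{proto}', ''))
        globally_open = expand_ports(conf.get(f'{proto}_IN', ''))
        both = sorted(restricted & globally_open)
        if both:
            conflicts[proto] = both
    return conflicts


def report(text):
    """Human-readable summary for one config excerpt."""
    conflicts = find_conflicts(parse_conf(text))
    if not conflicts:
        return "OK: every CC_ALLOW_PORTS port is removed from TCP_IN/UDP_IN"
    return "; ".join(
        f"{proto} port(s) {ports} are in CC_ALLOW_PORTS_{proto} but still "
        f"listed in {proto}_IN, so they remain open to all countries"
        for proto, ports in conflicts.items())


if __name__ == "__main__":
    print("sample:", report(SAMPLE_CONF))
    print("fixed: ", report(FIXED_CONF))
```

Run it against the real `/etc/csf/csf.conf` by reading the file into `report()`; the same check applies to the original poster's CC_DENY_PORTS setup in reverse, since a deny rule on port 21 is only meaningful while the port is otherwise reachable.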