XII. Firewall/Security Features
ExpiredVigor 3900 Firewall - Blocking IP addresses by Country / Continent
The DrayTek Vigor 3900, 2960 and 300B routers with firmware version 1.0.8 and later are able to block IP addresses based on the country that they originate from, using the ISO 3166 country codes that IP addresses of each country are linked to.
This makes it possible to block specified countries from accessing services and servers on or behind the router by selecting which countries to block or allow instead of specifying multiple ranges of IP addresses to achieve the same outcome.
This uses a Country Object which is applied in a Firewall > Filter Rule and can be applied to specific WAN interfaces or services as required. It's possible to specify whether the country list is applied as a Source address (incoming) or Destination address (outgoing) and up to 15 countries can be selected in each Country Object.
This example will demonstrate how to create a filter rule to block incoming SSH traffic (TCP port 22) from IP addresses used by China.
To configure this, it is necessary to make an Object to define a list of countries to block or allow. This is configured in the [Objects Setting] > [Country Object] menu. Click Add to create a new Country Object:
Give the profile a suitable name and select a country from the list:
It is possible to change the sort order by clicking the Code, Country and Continent buttons, or by entering text in the boxes above, selecting items from the drop down list and clicking the Filter Icon like so:
With the country object configured, click Apply to save that profile.
To apply this in a filter rule, go to [Firewall] > [Filter Setup] and select the IP Filter tab. Create a new group by clicking Add, give the group a suitable name, in this instance the group will contain rules to block traffic so it will be called Block.
Click Apply to save that group. Once that has saved, expand it using the triangle icon and click Add to create a filter rule:
Configure the filter rule with the following settings:
- Set the filter rule with a suitable name to describe its purpose in the Profile field
- Enable the filter rule
- Set the Action to Block so that the filter rule blocks traffic that matches its criteria
- Set the Syslog setting to Enable to have the router report access attempts that match the criteria of this filter rule and are blocked
- The Input Interface is set to ALL WANS to block incoming traffic on all WAN interfaces
- Expand the Service Protocol section, expand the Service Type Objects and select the traffic type that the filter rule will apply to. If no service type is selected, this will block incoming traffic on all ports from IP addresses that match the filter rule.
Scroll down to the Incoming Country Filter and expand the Service Country Object section:
Select the country object created that the rule will apply to.
Click Apply to save and apply the filter rule.
The Block filter group will then show the rule that has been added and the counter will show how many sessions / connection attempts have been blocked by this filter rule.
Any IP addresses in the Chinese IP ranges attempting to access SSH (TCP port 22) of the router or a device behind it, will be blocked by this filter rule.
How do you rate this article?
- First Published: 20/10/2015
- Last Updated: 05/06/2020