Location Blocking with an exception

I have Location Blocking enabled for many countries. I’d like to allow a single port (24554) to be allowed into my network from anywhere, even if it originates from a blocked country. How can I do this? Thank you.

Welcome to the community.

Take this with a grain of salt.

I think you should use the Web User Interface to create an “allow” rule. Select source: RED; destination: GREEN or any, Protocol: TCP (or UDP), destination port: 24554, select “ACCEPT”. Save and restart the firewall.

These details will seem gibberish if you never dealt with iptables, which is Linux firewall. I report these details in case you want to have a starting point and maybe someone else might give some other info. We can talk about it more if you need some clarification.

The Web User Interface should create a rule in the INPUT chain of the FILTER table that should jump to the CUSTOMINPUT chain before it goes to LOCATIONBLOCK chain and this way it should allow the traffic to enter. I think this should work, but I am far from an expert. If you can, let us know if you succeed.

If you go in Web User Interface, /FIREWALL/IPTABLES/ the first table shown there is the FILTER table. The drop down menu will show all the chains of that table. In CUSTOMINPUT you should see the rule I suggested (after you create it) and the log of how many packets have transversed it. You can also see the LOCATIONBLOCK chain as well. Give it a try, after a while it starts to make sense :slight_smile:

Read this.
Location block is first
So creating location groups is the easiest way.
And not use location block

Thank you. I have forgotten that.

Now I get it. If I check the order of chains in the filter table, LOCATIONBLOCK comes after CUSTOMINPUT, which I assumed it was the chain where the rule OP wanted to create would end up (wrong!). Well, it turns out that such a rule ends up in INPUTFW and FORWARDFW which are way below LOCATIONBLOCK.

1 Like

Shaun, thank you for this info. I’m reading up on it and will give it a try. Really appreciate the help!

cfusco, thank you for your reply. As I’m reading things, it appears the Location Block will still “override” an entry of this type. Going to give the Location Groups thing a try. Appreciate the help!

Shaun, just as a sanity check to make sure I’m understanding this… does the below sound correct to you? Seems like it will work the way I want it to, just checking…

  1. Turn off Location Block
  2. Create a Location Group of countries I wish to block, with a source of Any and a destination of Green.
  3. Create a rule to pass my desired port (24554) from source of Any to my specific green host/port.
  4. Make sure the above rule for port 24554 is listed FIRST in my rules list.
  5. Make another rule to DROP all from source Location Group (step 2) to destination Green, and have this as the second listed rule.
  6. Add any other rules for specific ports/port forwarding as needed, below the above two rules.

My understanding is that the first rule will allow anyone/anywhere to access my Green host on port 24554, and the second rule will stop all other access from designated (Location Group) countries. Then the remaining rules will allow access to other ports, but only from unblocked countries. Seem right? Thank you.

not @hvacguy however to me what you posted looks exactly right.