ISPmanager uses the standard firewall of the operating system on which it is installed:
Debian/CentOS — iptables
ISPmanager firewall can filter only incoming traffic.
Adding firewall rules
Debian/CentOS: when starting ISPmanager for the first time, the following chains will be created in iptables/ip6tables:
ispmgr_deny_ip — contains denied IP addresses
ispmgr_allow_ip — contains allowed IP addresses
ispmgr_allow_sub — contains allowed subnets
ispmgr_deny_sub — contains denied subnets
These chains are added to the end of the INPUT chain in the order listed above.
Parameters added to these chains manually may be applied incorrectly or changed by ISPmanager.
The rules described in the ISPmanager firewall are used to filter network traffic only after the user rules that were described prior to ISPmanager installation.
If you configure the firewall manually, all the changes made in the "Firewall" module may cause unexpected behavior of the firewall of your operating system.
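The ordering described above can be checked from the output of `iptables -S INPUT`. The following is an added example, not ISPmanager code: it assumes the four chains are referenced from INPUT with plain `-j <chain>` jumps, and the sample dump is constructed.

```python
import shlex

# Chain names and their order are taken from the page.
ISPMGR_CHAINS = ["ispmgr_deny_ip", "ispmgr_allow_ip",
                 "ispmgr_allow_sub", "ispmgr_deny_sub"]
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample of `iptables -S INPUT` output (not from a real server).
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ispmgr_deny_ip
-A INPUT -j ispmgr_allow_ip
-A INPUT -j ispmgr_allow_sub
-A INPUT -j ispmgr_deny_sub
"""

def parse_rules(dump):
    """Return (target, line) for every '-A INPUT' rule, in evaluation order."""
    rules = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "INPUT"]:
            continue  # policy lines (-P), blank lines, other chains
        target = None
        if "-j" in tokens[:-1]:
            target = tokens[tokens.index("-j") + 1]
        rules.append((target, line.strip()))
    return rules

def audit(dump):
    """Compare the INPUT chain with the layout the page describes."""
    rules = parse_rules(dump)
    jumps = [i for i, (tgt, _) in enumerate(rules) if tgt in ISPMGR_CHAINS]
    found = [rules[i][0] for i in jumps]
    first = jumps[0] if jumps else len(rules)
    last = jumps[-1] if jumps else len(rules)
    return {
        "missing": [c for c in ISPMGR_CHAINS if c not in found],
        "order_ok": found == ISPMGR_CHAINS,
        # Terminating rules ahead of the first jump decide the packet before
        # any ISPmanager rule is consulted.
        "shadowing": [l for t, l in rules[:first] if t in TERMINATING],
        # Rules after the last jump mean the chains are no longer at the end.
        "trailing": [l for _, l in rules[last + 1:]],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMP).items():
        print(key, value)
```

In the sample, the SSH accept rule for 198.51.100.7 is reported as shadowing: a deny entry for that address in the panel would not affect that connection, because the earlier user rule matches first.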
ISPmanager will not allow adding firewall rules that may result in losing control over your server. For example:
you cannot block the IP address from which you have connected;
you cannot block the network that contains the IP address from which you have connected, unless there is an allow rule for your address;
you cannot create a deny rule for any port for any IP address of a server if there are no allow rules for that server.
Parameters are added to the file mgr5/etc/ispmgr.conf.
Option FirewallCheckAccess — allows adding deny rules to the firewall regardless of the module's limits.
Path to the rule file
Run the script /etc/network/if-up.d/ispmgrfw
Block by country
The built-in firewall module can be used to block access for users from certain countries. The user's country is determined by GeoIP databases. The module blocks all networks that, according to the GeoIP databases, belong to the selected countries. When maximum protection is enabled, all networks in all countries will be blocked. Read more in Configuring firewall rules.
To see the list of blocked networks, connect to the server with ISPmanager via SSH and run the query:
Blocking countries is not available in the OpenVZ virtualization environment.