How to Block or Allow Specific Ports by Country in the CSF Firewall

Advanced Firewall Configuration in WHM/cPanel

In addition to being able to manage traffic from a specific country or a list of countries, CSF allows you to manage access by country to specific ports. This can be useful if you need to ensure that a particular service is available globally (such as your web server on port 80) but want to restrict international access to services such as WHM/cPanel, SSH, or FTP.

You should note that all of the limitations on country-level filtering outlined in Part Two: How to Block Traffic by Country in the CSF Firewall apply here as well. Specifically, some ISPs use non-geographic IP addresses, some web services and cloud-based tools may use servers outside the country the companies are based in, and proxy services and virtual private networks can easily mask a visitor’s actual geographic location.

Taken together, that means that some unwanted traffic could get through, and some desired traffic could be blocked under certain circumstances.

Note: At least one of ConfigServer’s servers is in Germany; blocking that country could prevent CSF from updating and cause an error to be displayed on the ConfigServer Security & Firewall page in WHM.

Pre-Flight Check

  • This series assumes you have the ConfigServer Firewall (CSF) installed on your cPanel server, and you have access to WebHost Manager (WHM).
  • If your managed cPanel server currently uses APF but you’d prefer CSF, contact Heroic Support® and request a switch. There is no charge, it typically takes only a few minutes, and the only service that needs to be restarted as a result is the firewall itself. Our support technicians also can port your existing APF rules to CSF. If requesting an upgrade, please be sure to indicate whether your server uses the Guardian backup service so that its rules also can be configured.

If you have not already done so, back up the current firewall configuration before making any changes.

In WebHost Manager, locate and select ConfigServer Security & Firewall under the Plugins section in the left menu. You also can begin typing “fire” into the search field at the top left to narrow down the options, then click on the Firewall Configuration button to open the configuration file.

Blocking Access to Specific Ports by Country

Restricting access by port to IP addresses originating in a specific country or countries can be an effective way to help minimize the negative performance impact that country-level blocking can bring.

That’s because the smaller the CIDR (Classless Inter-Domain Routing) range against which each IP making an incoming request is checked, and the fewer requests on that port (SSH on port 22 and FTP on port 21 are likely to see far less traffic than the website itself on port 80), the fewer the resources the firewall checks should require.

In this case, only incoming traffic on the specified port or ports will be checked against the CIDR range(s) for the blocked country code(s).

If you wish to deny access to several countries or wish to allow access to a port for only a single country, a better option may be to instead allow access only to that country. Feel free to skip ahead to Allow access to specific ports by country below to learn how to do that.

In this example, we’re blocking access to the standard FTP port, 21, to IP addresses originating in Belgium.

Step #1: Specify the Country or Countries to be Denied

  1. Scroll down to the Country Code Lists and Settings section and add the country code to CC_DENY_PORTS. Multiple countries can be comma separated with no spaces in between, and you can find a list of ISO 3166-1 alpha-2 codes at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2.
  2. List the port that will be blocked in the specified country in the CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP fields.

Here we’ve specified that traffic originating from Belgium is not allowed to connect on the standard FTP port, 21:

Blocking port access by country

Step #2: Save Your Changes and Restart the Firewall

  1. Scroll to the bottom of the Firewall Configuration page and click on the Change button.
  2. On the next screen, click the Restart csf+lfd button to restart the firewall with the new settings.

By defining a country in CC_DENY_PORTS and a port in the CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP fields, we’ve ensured that the port will remain open to any visitor with valid credentials so long as their IP address does not originate from the specified country.

Allowing Access to Specific Ports by Country

Just as you can deny incoming traffic by port to a specific country or countries, you also can choose to allow incoming traffic by port to only a specific country or countries. Generally, this is a better option than attempting to deny port access to a long list of countries, because the firewall will be working with a smaller CIDR range against which each incoming request must be checked.

To limit the ability to connect on a specific port or ports to visitors with IP addresses originating in a specific country or countries, you must:

  • close the ports in the firewall
  • define the country code allowed to connect on those blocked ports
  • specify the blocked ports to be opened for the specified country

In this example, we’re restricting access to the standard FTP port, 21, to IP addresses based in Germany.

Step #1: Close the Ports in the Firewall

On the Firewall Configuration page, scroll down to the IPv4 Port Settings section, and remove the desired port number from the TCP_IN and UDP_IN (if present) fields.

Here, we’ve removed port 21 from the allowed incoming IPv4 ports, effectively blocking external access to the port:

Remove the port from TCP_IN

Step #2: Specify the Country or Countries to be Allowed

Scroll down to the Country Code Lists and Settings section and add the country code to CC_ALLOW_PORTS.

Here we’ve specified that traffic originating from Germany is allowed to connect on ports which have been otherwise closed in the firewall (we’ll define the specific ports for this allow in the next step):

Allowing a country access to specified ports
Multiple countries can be comma separated with no spaces in between, and you can find a list of ISO 3166-1 alpha-2 codes at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2.

Step #3: Specify the Closed Ports to be Allowed to the Designated Country

Just below the CC_ALLOW_PORTS field, you’ll see CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP.

We’ll add the port to open to the country (or countries) specified in CC_ALLOW_PORTS here, in this case, port 21:

Specify which ports to open to designated countries

Step #4: Save Your Changes and Restart the Firewall

  1. Scroll to the bottom of the Firewall Configuration page and click on the Change button.
  2. On the next screen, click the Restart csf+lfd button to restart the firewall with the new settings.

Now that we’ve closed the standard FTP port in the firewall’s IPv4 Port Settings, no visitor will be able to connect to port 21 unless their IP address originates from Germany. At the same time, the setting applies only to port 21, and any visitor, regardless of geographic location, can still view the website or connect to any port open in the firewall.
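The two procedures above (deny port 21 to Belgium; close port 21 globally and reopen it only for Germany) edit the same csf.conf keys that the WHM form writes. The following POSIX shell script is an added example, not ConfigServer’s code or part of the original article: it works on a constructed csf.conf excerpt (the TCP_IN/UDP_IN values are sample lists, not a real server’s), validates the country-code list format the article requires (uppercase ISO 3166-1 alpha-2 codes, comma separated, no spaces), and applies each configuration. Back up /etc/csf/csf.conf and restart csf+lfd yourself if you point it at a live file.

```shell
#!/bin/sh
# Path of the config to edit; defaults to a constructed sample file.
CSF_CONF="${CSF_CONF:-./csf.conf.example}"

# Constructed csf.conf excerpt with the keys this article touches.
make_sample_conf() {
  cat > "$CSF_CONF" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
UDP_IN = "20,21,53"
CC_DENY_PORTS = ""
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""
CC_ALLOW_PORTS = ""
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""
EOF
}

# Read the quoted value of a key (csf.conf uses: KEY = "value").
csf_get() { sed -n "s/^$1 = \"\(.*\)\"/\1/p" "$CSF_CONF"; }

# Rewrite a key's quoted value in place, portably (no sed -i).
csf_set() {
  sed "s/^$1 = \".*\"/$1 = \"$2\"/" "$CSF_CONF" > "$CSF_CONF.tmp" \
    && mv "$CSF_CONF.tmp" "$CSF_CONF"
}

# Drop one port from a comma list, keeping order and no spaces.
remove_port() { echo "$1" | tr ',' '\n' | grep -vxF "$2" | paste -sd, -; }

# CC lists must be uppercase alpha-2 codes, comma separated, no spaces.
valid_cc_list() { echo "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'; }

# Section 1: port stays open to everyone except the listed countries.
deny_port_by_country() {
  valid_cc_list "$1" || return 1
  csf_set CC_DENY_PORTS "$1"
  csf_set CC_DENY_PORTS_TCP "$2"
  csf_set CC_DENY_PORTS_UDP "$2"
}

# Section 2: close the port in TCP_IN/UDP_IN, then reopen it for the list.
allow_port_only_for_country() {
  valid_cc_list "$1" || return 1
  csf_set TCP_IN "$(remove_port "$(csf_get TCP_IN)" "$2")"
  csf_set UDP_IN "$(remove_port "$(csf_get UDP_IN)" "$2")"
  csf_set CC_ALLOW_PORTS "$1"
  csf_set CC_ALLOW_PORTS_TCP "$2"
  csf_set CC_ALLOW_PORTS_UDP "$2"
}
```

Run `make_sample_conf` first, then `deny_port_by_country BE 21` or `allow_port_only_for_country DE 21`, and inspect the result with `csf_get TCP_IN`.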

Next Steps

See Part Five: Basic DDoS Mitigation with CSF
