Redirecting traffic per country IPs

SYSTEM INFORMATION
OS type and version Debian Linux 12
Webmin version 2.202
Virtualmin version 7.30.2 Pro
Webserver version Apache

Hello,

I would like to allow/disallow traffic based on country IPs.

I have read the basics explained on the forum topic: Virtualmin IP Access control and I would use a list from: https://www.ipdeny.com/

However it is unclear if it will control all the server traffic (what I’m looking for) or the only the traffic to the “Webmin server” (I’m not sure what this mean, this server runs only Virtualmin+hosts).

PLUS, I would like to use something a little more sophisticated.

  1. I would like to redirect the allowed IPs list to access normally to the server/website. (the easiest)
  2. All disallowed traffic should be redirect to a page (You are not allowed to… if this happen by mistake contact your admin…)
  3. Have fail2ban to ban IPs if they ping repeatedly the page.

I’m sure this may look like overdoing for some, but for some reasons I feel this is the right way to deal with users in 2024 (lot are using VPN and don’t know when it is active or not).

Any ideas and feedback will be appreciated.
Bernard

1 Like

I am glad you are aware that many people now use a VPN routinely to bypass such restrictions. so who exactly do you think you can block? without blocking those who you would like to let through. I would be very cautious about trusting any list of IP to block. (most lists are short term - after all there is only a small finite number of IPs in the world)

Sending most web traffic to a 404 page is the norm and pretty adequate.

The Webmin IP access control restricts Webmin access based on IP address. Nothing else. Webmin is not your web server, it is not your mail server, it isn’t anything other than Webmin (and Virtualmin, the UI, but none of the services Virtualmin manages, since none of the services Virtualmin manages run under Webmin’s web server).

Csf firewall can block by geo-ip but if you want different content based on IP then you need to use a CMS like wordpress with a plugin that can handle content for different locations.

Thanks for your reply.
While I understand the cons of such filtering, there are several reasons to have it implemented.
This I don’t feel it is useful to open a debate about this here.

Thank you Joe for this clarification.

I’m sure the team has plenty of things to do, but I suggest (is there a place for this ?) to edit and clarify the help text at: /webmin/edit_access.cgi?xnavigation=1

The Webmin **server** can be configured to deny or allow access only from certain IP addresses using this form .../... You should **limit access to your server** to trusted addresses .../...

Happy end of the year holidays.

Webmin runs under an application server called miniserv, and this configuration applies to that server. The help text is accurate, but I guess it could just say “Webmin”.

1 Like

Thank you.
Still studying your Config Server Firewall (CSF) suggestion.

(documenting for the next guy)
I went at: ConfigServer Security and Firewall (csf) – ConfigServer Services and found in the readme.txt that there is a webmin module. This module can be installed from Webmin > Webmin Configuration > Webmin Modules >

So I understand there is no issue to run it within or in parallel of my Debian12 Virtualmin server.
However I wonder about redundancy as I use FirewallID already (as well as fail2ban).

Any advises about using CSF and csfwebmin in such context ?

It’s still a Debian 12 system. Virtualmin is just a management UI.

You need to disable firewalld and fail2ban. There are several topics about that in the forum, including one just a day or two ago.

Thanks Joe,
(sorry for editing my previous reply while you were answering)
Will read more topics.

I am sure when you install CSF these are disabled automatically. But check the documentation to confirm as I am not 100%.

I did a test and thats correct both services are stopped.

1 Like

Thank you both for your precious feedback and test.

I will read more and certainly test CSF… But that’s already a different topic.

Happy end of the year holidays. :tada:

You too, there is some webmin docs on the module if you want to go further.

1 Like