Question

How to allow SSH connections only from my country on Cloud Firewalls?

How do I set IP ranges on Digital Ocean Cloud Firewalls to allow SSH connections only from my country?

  • I use dynamic IP
  • I know that my country uses IP starting with 187, 189, 200 and 201
  • I didn’t understand what /8, /16, /24 means and how to use it

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

@edirpedro

The Cloud Firewall service doesn’t allow you to block requests from a specific country. You can allow an IP range, though unless you’re 100% sure that your country/ISP owns all IP’s in all four ranges, by allowing access from each, you may be allowing access from a country other than your own.

Honestly, the best way to go about limiting access would be per IP. Since you have a dynamic IP, the way around this would be to setup and connect to a VPN. The VPN would provide a static IP and that would be the IP allowed to access SSH.

This would be the best route as it’s far easier to manage a whitelist then it is a large blacklist. It’s better to simply blacklist everyone other than what you whitelist, which is what most recommend when setting up a firewall.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Hi @edirpedro

Depending on which country in Latin America (LACNIC) you’re located in, the list is a bit more extensive than that: https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks#List_of_assigned_.2F8_blocks_to_the_Regional_Internet_Registries And that doesn’t tell if some of the IP segments has been sold to other countries/companies.

You can add every segment to the Sources like this: 177.0.0.0/8 179.0.0.0/8 181.0.0.0/8 186.0.0.0/8 187.0.0.0/8 189.0.0.0/8 190.0.0.0/8 191.0.0.0/8 200.0.0.0/8 201.0.0.0/8

There’s a pretty good explanation of the CIDR (/8 /16 /24) on Wikipedia: https://en.wikipedia.org/wiki/IPv4_subnetting_reference And in Spanish too: https://es.wikipedia.org/wiki/Máscara_de_red

But blocking all but non-LACNIC segments will only get you so far. You should be using SSH keys instead of passwords and probably run something like fail2ban as well.