DigitalOcean

Report this

What is the reason for this report?
Question

How to allow SSH connections only from my country on Cloud Firewalls?

Posted on June 12, 2017
Firewall
Edir Pedro

By Edir Pedro

How do I set IP ranges on Digital Ocean Cloud Firewalls to allow SSH connections only from my country?

  • I use dynamic IP
  • I know that my country uses IP starting with 187, 189, 200 and 201
  • I didn’t understand what /8, /16, /24 means and how to use it


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Jonathan Tittle
Jonathan Tittle
June 12, 2017

Accepted Answer

@edirpedro

The Cloud Firewall service doesn’t allow you to block requests from a specific country. You can allow an IP range, though unless you’re 100% sure that your country/ISP owns all IP’s in all four ranges, by allowing access from each, you may be allowing access from a country other than your own.

Honestly, the best way to go about limiting access would be per IP. Since you have a dynamic IP, the way around this would be to setup and connect to a VPN. The VPN would provide a static IP and that would be the IP allowed to access SSH.

This would be the best route as it’s far easier to manage a whitelist then it is a large blacklist. It’s better to simply blacklist everyone other than what you whitelist, which is what most recommend when setting up a firewall.

0
Flamber Hansen
Flamber Hansen
June 12, 2017

Hi @edirpedro

Depending on which country in Latin America (LACNIC) you’re located in, the list is a bit more extensive than that: https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks#List_of_assigned_.2F8_blocks_to_the_Regional_Internet_Registries And that doesn’t tell if some of the IP segments has been sold to other countries/companies.

You can add every segment to the Sources like this: 177.0.0.0/8 179.0.0.0/8 181.0.0.0/8 186.0.0.0/8 187.0.0.0/8 189.0.0.0/8 190.0.0.0/8 191.0.0.0/8 200.0.0.0/8 201.0.0.0/8

There’s a pretty good explanation of the CIDR (/8 /16 /24) on Wikipedia: https://en.wikipedia.org/wiki/IPv4_subnetting_reference And in Spanish too: https://es.wikipedia.org/wiki/Máscara_de_red

But blocking all but non-LACNIC segments will only get you so far. You should be using SSH keys instead of passwords and probably run something like fail2ban as well.

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and AI-native businesses

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2026 DigitalOcean, LLC.Sitemap.