Block IP from accessing Google Compute Engine instance

I’m trying to block a certain IP address or range from reaching my WordPress server that’s configured on my Google Compute Engine server.

I know I can block it via Apache, but even if I do, my access_logs will still be filled with 403 errors from requests from this IP.

Is there any way to block the IP entirely and not even let it reach Apache?

Thanks in advance for any help.


6 comments

  1. If you want to block a single IP address, but allow all other traffic, the simplest option is probably to use iptables on the host. The GCE firewall rules are designed to control which IP addresses can reach your instance, but allowing everything on the internet except one address would probably be annoying to write.

    To block a single IP address with iptables:

    iptables -A INPUT -s $IP_ADDRESS -j DROP
    

    or to just drop HTTP (but not HTTPS or other protocols):

    iptables -A INPUT -s $IP_ADDRESS -p tcp --destination-port 80 -j DROP
    

    Note that you’ll need to run the above command as root in either case.

  2. By default all incoming traffic to GCE is blocked except for the ports and range of IPs that are allowed to have access. Allowing everything to connect except a specific IP or a range of IP addresses is not supported on the GCE firewall. As a workaround, you can set up a Load Balancer and allow incoming traffic from the LB IP address only to the instance. You can find more information in this Help Center article.

  3. Yes you can block it using Gcloud Firewall.

    Try creating the firewall rule from the command line or by logging into Google Cloud.

    Example:

    gcloud compute firewall-rules create tcp-deny --network example-network --source-ranges 10.0.0.0/8 --deny tcp:80
    

    The above rule will block the range 10.0.0.0/8 on port 80 (TCP).
    The same can be done to block other IP ranges over TCP and UDP.

    For more info check this: gcloud network config

  4. Bitnami developer here

    If you want to block a certain IP, you can use iptables as pointed out in this post.

    Also, if you want to have your iptables rules active when you reboot your machine you have to do the following:

    sudo su
    iptables-save > /opt/bitnami/iptables-rules
    crontab -e

    Now edit the file and include this line at the end:

    @reboot /sbin/iptables-restore < /opt/bitnami/iptables-rules

    This way, on every boot, the system will load the iptables rules and apply them.

  5. To block an offending IP, there are methods at different levels. From a performance perspective, generally:

    Network firewall > VM iptables > VM web server > VM application.

    1. Google Cloud has a built-in firewall at no cost.

    For example, this gcloud command creates one firewall rule that can block one or more IPs.

    gcloud compute --project=your-project-id firewall-rules create your-firewall-rule-name --direction=INGRESS --priority=900 --network=default --action=DENY --rules=all --source-ranges=ip1,ip2,ip3…
    

    For the command parameters’ reference, see https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create

    You can also use the Google Cloud console or REST API to create it, but on the console it’s not easy to input lots of IPs.

    Built-in firewall’s current limits:

    • One project can create 100 firewall rules.
    • One firewall rule can block 256 IP sources.

    If there are 10 other firewall rules, you can block 90×256=23040 standalone IPs, which is enough for the general case.

    Note: the Google Cloud App Engine firewall is separate from the built-in firewall.

    2. Linux iptables

    See other answers.

    3. Web server

    Apache and Nginx can also block IPs.

    4. Application

    Blocking IPs here is not recommended, but the application can help analyze which IPs need to be blocked, for example after many failed logins.
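The gcloud command and the per-rule limit in the answer above are the natural pair: a deny list longer than 256 entries must be split across several rules. The script below is an added example, not code from this thread or from Google; it turns a plain-text deny list (one IP or CIDR per line) into one `gcloud compute firewall-rules create` command per batch of 256 sources, drops duplicates, and only prints the commands so it can be reviewed before being applied. `PROJECT`, `NETWORK` and the rule-name prefix are placeholders, and the priority of 900 is an assumption chosen so the DENY rules sort before the default-network ALLOW rules.

```shell
#!/bin/sh
# Added example (not from the thread): batch a deny list into gcloud
# firewall-rule commands, at most MAX_SOURCES source ranges per rule.
# Commands are printed, not executed; review them, then pipe to sh.
PROJECT=${PROJECT:-your-project-id}   # placeholder
NETWORK=${NETWORK:-default}           # placeholder
MAX_SOURCES=256   # per-rule source-range limit cited in the answer above

# gen_deny_rules <deny-list file> [rule-name prefix]
# Ignores blank lines and '#' comments, normalises bare IPs to /32,
# drops duplicates, and prints one DENY rule per batch.
gen_deny_rules() {
    awk -v max="$MAX_SOURCES" -v prefix="${2:-deny-list}" \
        -v project="$PROJECT" -v network="$NETWORK" '
    # flush the current batch as one ingress DENY rule
    function emit() {
        if (n == 0) return
        idx++
        cmd = "gcloud compute --project=" project " firewall-rules create " prefix "-" idx
        cmd = cmd " --direction=INGRESS --priority=900 --network=" network
        cmd = cmd " --action=DENY --rules=all --source-ranges=" list
        print cmd
        n = 0; list = ""
    }
    NF == 0 || /^[[:space:]]*#/ { next }     # skip blanks and comments
    {
        ip = $1
        if (ip !~ /\//) ip = ip "/32"       # bare address -> host route
        if (ip in seen) next                 # duplicate entry
        seen[ip] = 1
        list = (n ? list "," : "") ip
        if (++n == max) emit()
    }
    END {
        emit()
        # the answer above also cites a limit of 100 rules per project
        if (idx > 100)
            print "warning: " idx " rules exceed the 100-rule project limit" > "/dev/stderr"
    }' "$1"
}
```

Run as `gen_deny_rules blocklist.txt wp-deny | sh` once the printed rules look right; removing the rules later is a matter of deleting `wp-deny-1`, `wp-deny-2`, and so on.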

  6. If you want your system to automatically block all bad IP addresses in the GCP Firewall you can check out the Gatekeeper for Google Cloud Firewall.
    It analyses your network connections and WordPress/Apache logs dynamically and creates appropriate rules to ward off DoS and DDoS attacks as well as spying bots.
