Alex2326

Reputation: 83

google cloud - block incoming connections

Is there a way to block incoming connections to Google Cloud from a specific set of IP addresses?

Our company website is hosted on GCE and I'd like to block a few IP addresses that are currently scraping our site. I couldn't find any options in the "Firewall" section in the GCE console.

Thanks! Alex

Upvotes: 6

Views: 4731

Answers (3)

Kohjah Breese

Reputation: 4136

On Linux, the most efficient way to block is by using an ipset, which is quicker than using iptables.

Commands:

sudo ipset create BLOCK hash:net          # older syntax: ipset -N BLOCK nethash
sudo ipset -q add BLOCK 35.192.0.0/12     # -q: suppress output, e.g. "already added" errors
sudo ipset -q add BLOCK 35.208.0.0/12
sudo ipset -q add BLOCK 35.240.0.0/13
sudo ipset -q add BLOCK 35.224.0.0/12
sudo ipset -q add BLOCK 35.184.0.0/13
sudo iptables -A INPUT -m set --match-set BLOCK src -j DROP   # drop inbound packets whose source is in BLOCK
  1. The first line creates a list of IPs and ranges in ipset, called BLOCK
  2. The next five lines add Google Cloud IP ranges to the BLOCK ipset
  3. The last line tells iptables to block any requests to or from any address that matches the BLOCK ipset

As far as I know, those are Google Cloud's IP ranges as of writing. You can check them by WHOIS-ing them, though I think the only change likely to happen is that more IPs are added rather than current ones being dropped.

Upvotes: 1

Simon Watson

Reputation: 1757

It is now possible to block incoming traffic from a specific set of IP addresses under VPC network > Firewall rules in the Google Cloud Platform console. This means you can apply the one blocking rule to all your GCE instances that are on the same VPC network.

Here are the blocking rule settings I used to block all traffic from a specific set of IP addresses:

Priority: 900 (needs to be a lower number than your allow rules so it overrides your allow rules when matching a blocked IP address)

Direction: Ingress

Action on match: Deny

Source filters: IP ranges: A comma separated list of IP addresses or IP ranges

Protocols and ports: Deny all

Enforcement: Enabled

Upvotes: 1

Boyan

Reputation: 719

The firewall in GCE is used to 'allow' incoming traffic and unfortunately cannot be used to create 'block' rules. In summary, almost everything is blocked by default and you need to create rules to allow incoming traffic.

Instead, you can use the firewall on the VM itself. For example, if you're running a Linux instance you can look into iptables. Here's a Wikipedia article on it, but I highly recommend you go through the man pages for details. This way you can create a rule to block one particular IP address for example.

Upvotes: 4
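The two approaches in the answers above, put side by side as an added example (this is not code from any of the answers): Simon Watson's VPC-level ingress DENY rule, emitted as the equivalent gcloud command, and the host-level ipset + iptables rules from Kohjah Breese's and Boyan's answers, emitted as `ipset restore` input plus an idempotent iptables line. The script validates the blocklist once and only prints the commands, so it can be reviewed before anything is applied. Everything named here is an assumption, not from the page: the rule name deny-scrapers, the network default, the ipset name BLOCK, a deny priority of 900 against allow rules left at gcloud's default priority of 1000, and the RFC 5737 documentation ranges used as a constructed blocklist.

```shell
#!/bin/sh
# Added example, not code from any answer on this page. Given a blocklist of
# scraper CIDRs, validate it once, then print (never run) the two ways the
# answers describe: a VPC-level ingress DENY rule and a host-level
# ipset + iptables rule. Review the output, then pipe it into gcloud,
# `ipset -exist restore`, or a root shell.
# Assumed, not from the page: rule name deny-scrapers, network default, ipset
# name BLOCK, deny priority 900, allow rules at gcloud's default priority 1000,
# and the RFC 5737 documentation ranges below as a constructed blocklist.
set -f   # no pathname expansion: untrusted input is word-split below

ALLOW_PRIORITY=1000                                 # gcloud's default when none is given
SCRAPER_RANGES='203.0.113.10/32,198.51.100.0/24'    # constructed sample input

cidr_ok() {
  # Accept only dotted-quad/prefix (write single hosts as /32); reject the rest.
  case $1 in
    */*) ;;
    *) return 1 ;;
  esac
  ip=${1%/*}
  len=${1#*/}
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

validate_ranges() {
  # $1: comma-separated CIDR list; fails on an empty list or any bad entry.
  old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
  [ $# -gt 0 ] || return 1
  for r in "$@"; do cidr_ok "$r" || return 1; done
}

vpc_deny_rule() {
  # $1 rule name, $2 VPC network, $3 priority, $4 CIDR list.
  # A GCP firewall rule wins by having the numerically LOWER priority, so the
  # deny rule must sit below every allow rule it is meant to override.
  case $3 in ''|*[!0-9]*) return 1 ;; esac
  [ "$3" -lt "$ALLOW_PRIORITY" ] || return 1
  validate_ranges "$4" || return 1
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS' "$1" "$2"
  printf ' --priority=%s --action=DENY --rules=all --source-ranges=%s --enable-logging\n' "$3" "$4"
}

host_ipset_restore() {
  # $1 set name, $2 CIDR list. Emits `ipset restore` input, which loads the
  # whole set in one go; run it as `ipset -exist restore < file` so a second
  # run does not fail on entries that are already present.
  name=$1
  validate_ranges "$2" || return 1
  printf 'create %s hash:net\n' "$name"
  old_ifs=$IFS; IFS=,; set -- $2; IFS=$old_ifs
  for r in "$@"; do printf 'add %s %s\n' "$name" "$r"; done
}

host_iptables_rule() {
  # $1 set name. `src` on INPUT matches packets FROM the listed ranges only.
  # -I INPUT 1 puts the DROP ahead of any existing ACCEPT (e.g. for port 80);
  # checking with -C first makes the line safe to run repeatedly.
  match="-m set --match-set $1 src -j DROP"
  printf 'iptables -C INPUT %s 2>/dev/null || iptables -I INPUT 1 %s\n' "$match" "$match"
}

# Print both variants for the sample blocklist.
vpc_deny_rule deny-scrapers default 900 "$SCRAPER_RANGES"
host_ipset_restore BLOCK "$SCRAPER_RANGES"
host_iptables_rule BLOCK
```

The VPC rule is the one to prefer when several instances share a network, since it is enforced before traffic reaches any VM and `--enable-logging` records the denied hits; the host-side rules are the fallback for a single instance or for a project where you cannot change the VPC firewall. In both cases a bare IP must be written as a /32, and the deny rule's priority has to be a lower number than the allow rules it is meant to beat.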
