akuma8

Reputation: 4691

How to block egress traffic to China and APAC on GCP?

On my GCP bill I have those lines:

1- Compute Engine     Network Inter Region Egress from EMEA to APAC
2- Compute Engine     Network Internet Egress from EMEA to APAC
3- Compute Engine     Network Internet Egress from EMEA to China

Q1. What's the difference between 1 and 2?

Q2. Does GCP provide an easy way to block egress traffic to APAC or China without needing to create a firewall rule with all China IPs? As done here http://www.parkansky.com/china.htm

Thanks a lot

Upvotes: 2

Views: 3060

Answers (3)

threehappypenguins

Reputation: 138

If you're running a Debian/Ubuntu instance:

Prerequisites:

sudo apt install -y locales
sudo locale-gen en_US
sudo locale-gen en_US.UTF-8
sudo su
/usr/bin/perl -MCPAN -e'install Text::CSV_XS'
exit
sudo localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
sudo update-locale LC_ALL=en_US.UTF-8
sudo apt install -y netfilter-persistent iptables-persistent ipset

The locale stuff is in case you're getting locale errors. Use en_CA if you're in Canada (instead of the current en_US), or leave en_US if you're in the United States, or change it to whatever language/locale you need.

If a dialogue box/screen pops up, it asks if you want to save rules. Save current ipv4 rules, yes, save current ipv6 rules, no.

Disable ipv6 with sudo nano /etc/sysctl.conf and paste at the very bottom:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Save and exit (ctrl + x then enter, and then ctrl + o).

Block Australia and China Egress:
If you need to block other websites, the full list of countries is found here.

In the home directory (cd ~), nano block-egress.sh and paste the following:

#!/bin/bash
# Download the ipdeny zone file for each country and load it into an ipset.
# A set is only flushed and refilled after its download succeeds, so a failed
# download keeps the previous block-list in place instead of emptying it.

load_zone() {
    # $1 = ipset name, $2 = ipdeny country code, $3 = label for messages
    set_name=$1
    zone_file=$2.zone

    echo "### BLOCKING $3 EGRESS ###"
    echo

    ipset -N "$set_name" hash:net -exist

    # -f makes curl fail on HTTP errors instead of saving an error page that
    # would then be fed to ipset line by line.
    if ! curl -o "$zone_file" -fsSL "https://www.ipdeny.com/ipblocks/data/countries/$2.zone"
    then
        echo "Download failed, keeping the existing $set_name entries"
        echo
        return 1
    fi
    echo "Download Finished!"
    echo

    echo -n "Adding Networks to ipset ..."
    ipset -F "$set_name"
    while read -r net
    do
        [ -n "$net" ] && ipset -A "$set_name" "$net" -exist
    done < "$zone_file"
    echo "Done"
    echo
}

load_zone block-australia au AUSTRALIA
load_zone block-china cn CHINA

echo "### SAVING IPSET RULES ###"
echo

# Persisted copy that ipset-persistent.service restores at boot
ipset save > /etc/iptables/ipset

echo "Done"

Save, exit, and then make script executable:

chmod +x block-egress.sh

Create blank ipset file (sudo mkdir /etc/iptables first if you get the warning that the folder does not exist):

sudo nano /etc/iptables/ipset

And save and exit.

Run the scripts:

sudo ./block-egress.sh

Add the iptables rules:

# OUTPUT is the egress chain, so match the destination address (dst);
# matching src would only compare the packet's source, i.e. the instance's own IP
sudo iptables -I OUTPUT -m set --match-set block-australia dst -j DROP && sudo iptables -I OUTPUT -m set --match-set block-china dst -j DROP

Check with sudo iptables -L to make sure the rules are there; sudo iptables -L -v for more detailed rules. sudo iptables -S will list the rules in the format that’s like the rules.v4 file.

Then save all the current rules to the rules.v4 file (must run as root; I had permission errors if I didn't):

sudo su
iptables-save > /etc/iptables/rules.v4
exit

*Note: cat /etc/iptables/rules.v4 will list the rules in the rules.v4 file

Then make the rules persistent after reboot:

sudo service netfilter-persistent start
sudo service netfilter-persistent save
sudo service netfilter-persistent reload

Make ipset persistent:

sudo nano /etc/systemd/system/ipset-persistent.service

Paste the following:

[Unit]
Description=ipset persistent configuration
Before=network.target

# ipset sets should be loaded before iptables
# Because creating iptables rules with names of non-existent sets is not possible
Before=netfilter-persistent.service
Before=ufw.service

ConditionFileNotEmpty=/etc/iptables/ipset

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/ipset restore -exist -file /etc/iptables/ipset
# Uncomment to save changed sets on reboot
# ExecStop=/sbin/ipset save -file /etc/iptables/ipset
ExecStop=/sbin/ipset flush
ExecStopPost=/sbin/ipset destroy

[Install]
WantedBy=multi-user.target

RequiredBy=netfilter-persistent.service
RequiredBy=ufw.service

*Note: Unless you first execute ipset save > /etc/iptables/ipset (which is included in the script, block-egress.sh), there will be no /etc/iptables/ipset file and the service will be inactive (dead).

Save, and then:

sudo systemctl daemon-reload
sudo systemctl enable ipset-persistent.service
sudo systemctl start ipset-persistent.service

Add a cron job for the ipset script to update the CIDR IP addresses once a day at 10 pm (or whenever you want) via sudo crontab -e (changing $USER to your username):

0 22 * * * /home/$USER/block-egress.sh

Save, and then reboot (sudo reboot) and check iptables rules to make sure the new rules are still there.

If you want to check cron that has run (at the time you set it):

grep CRON /var/log/syslog

If iptables needs to be reloaded for some reason:

sudo iptables-restore < /etc/iptables/rules.v4

Upvotes: 1
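The refresh step in the answer above flushes the live set and re-adds entries one by one, and it hands whatever curl returned straight to ipset. The following script is an added example, not the answer's own script and not from the ipdeny project: it validates the downloaded list, loads it into a temporary set and exchanges it with the live set by `swap` inside one `ipset restore` run, so a failed or truncated download never leaves the host unprotected. The `-new` suffix, the `refresh_set` helper and the sample zone file are assumptions for illustration; `filter_cidrs` and `build_restore` run offline, while `refresh_set` needs root and a working ipset.

```shell
#!/usr/bin/env bash
# Added example, not the answer's script: refresh a country ipset atomically.
# The answer's script flushes the live set and then re-adds entries one by one,
# so a failed download or a slow loop leaves a window with nothing blocked.
# Here the new list is validated first, loaded into a temporary set, and then
# exchanged with the live set by "swap" inside a single "ipset restore" run.
set -eu

# Keep only well-formed IPv4 CIDR lines (a.b.c.d or a.b.c.d/n, n in 0..32).
# Anything else (an HTML error page, comments, blank lines) is discarded.
filter_cidrs() {
    awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            split($0, parts, "/")
            split(parts[1], o, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (parts[2] != "" && parts[2] + 0 > 32) ok = 0
            if (ok) print
        }' "$1"
}

# Emit an "ipset restore" script: make sure the live set exists, build and fill
# <set>-new, swap it into place, then destroy the old contents that now live
# under the temporary name. Feed the output to "ipset restore -exist".
build_restore() {
    local set_name=$1 zone_file=$2
    printf 'create %s hash:net\n' "$set_name"
    printf 'create %s-new hash:net\n' "$set_name"
    printf 'flush %s-new\n' "$set_name"
    filter_cidrs "$zone_file" | awk -v s="$set_name-new" '{ print "add " s " " $0 }'
    printf 'swap %s-new %s\n' "$set_name" "$set_name"
    printf 'destroy %s-new\n' "$set_name"
}

# Download a zone file and apply it only if it parsed to at least one network
# (assumed helper; needs root and ipset, so it is not exercised offline).
refresh_set() {
    local set_name=$1 url=$2 tmp
    tmp=$(mktemp)
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed, $set_name left unchanged" >&2; return 1
    fi
    if [ "$(filter_cidrs "$tmp" | wc -l)" -eq 0 ]; then
        rm -f "$tmp"; echo "no valid networks in $url, $set_name left unchanged" >&2; return 1
    fi
    build_restore "$set_name" "$tmp" | ipset restore -exist
    rm -f "$tmp"
}

# Constructed sample zone file (documentation ranges plus the kinds of junk a
# failed download can contain); not real ipdeny data.
sample_zone() {
    cat > "$1" <<'EOF'
# constructed sample
192.0.2.0/24
198.51.100.0/25
<html>503 Service Unavailable</html>
300.1.1.0/24
10.0.0.0/40
203.0.113.0/24
EOF
}
```

Usage on the host is `refresh_set block-china https://www.ipdeny.com/ipblocks/data/countries/cn.zone` from the cron job; the matching rule stays `iptables -I OUTPUT -m set --match-set block-china dst -j DROP` (the OUTPUT chain must match `dst`, not `src`), and `ipset save > /etc/iptables/ipset` is still needed afterwards for the persistence unit from the answer to restore the set at boot.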

Ray Foss

Reputation: 3883

The easiest way I've found is to use the geoip module for IPTables. That allows you to whitelist countries.

If it's an important service try spinning up an instance in the same region as your users to get the cheaper intra region egress. It also sounds like you have premium networking on, which uses inter region worm holes.

That said, users might still use the wrong server outside their region if your load balancers are properly configured.

I like premium egress for low bandwidth latency sensitive applications, and let the internet deal with heavy video egress.

See this guide on setting up IPTables and GeoIP

https://docs.rackspace.com/support/how-to/block-ip-range-from-countries-with-geoip-and-iptables/

Upvotes: 1

John Hanley

Reputation: 81454

1- Compute Engine Network Inter Region Egress from EMEA to APAC
2- Compute Engine Network Internet Egress from EMEA to APAC

Q1. What's the difference between 1 and 2?

The first line shows traffic that traveled across Google's internal backbone between regions. The second shows public Internet traffic that traveled between zones. Pricing is different for each type.

Does GCP provide an easy way to block egress traffic to APAC or China without needing to create a firewall rule with all China IPs?

You have a number of options:

  • Create firewall rules via the operating system's firewall
  • Create firewall rules via Google Cloud Security Groups
  • Create rules for Google Cloud Armor (this requires a load balancer)
  • Install a smart software-based firewall that implements geolocation-based blocking policies.

Upvotes: 1
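Two of the options listed above can be expressed at the GCP level rather than in the guest OS: VPC firewall egress rules carrying the country's ranges, and a Cloud Armor rule keyed on the client's country code. The script below is an added example, not part of the answer, that generates the `gcloud` commands for both from a zone file so they can be reviewed before running; nothing in it touches a project. The network name `default`, the rule-name prefix, the policy name and the `RANGES_PER_RULE` chunk size are assumptions: VPC firewall rules accept a bounded number of destination ranges per rule, and the real limit should be checked against the current VPC quotas before choosing the chunk size. The Cloud Armor rule only evaluates inbound requests to an HTTP(S) load balancer, but since the rejected clients are never served a response body, it also removes the egress those responses would have generated.

```shell
#!/usr/bin/env bash
# Added example, not from the answer: turn a country CIDR list into GCP-level
# controls. Commands are printed, not executed, so they can be reviewed first.
set -eu

# Assumed per-rule limit for --destination-ranges (check the VPC quotas page);
# long lists are split into several rules of at most this many ranges.
RANGES_PER_RULE=${RANGES_PER_RULE:-200}

# Print one "gcloud compute firewall-rules create" per chunk of the zone file.
# $1 = rule name prefix, $2 = VPC network, $3 = file with one CIDR per line.
egress_deny_rules() {
    local prefix=$1 network=$2 zone=$3
    awk -v n="$RANGES_PER_RULE" -v p="$prefix" -v net="$network" '
        function flush() {
            printf "gcloud compute firewall-rules create %s-%d --network=%s --direction=EGRESS --action=DENY --rules=all --priority=1000 --destination-ranges=%s\n", p, ++k, net, buf
            buf = ""; c = 0
        }
        /^[0-9.]+\/[0-9]+$/ { buf = (c ? buf "," $0 : $0); c++; if (c == n) flush() }
        END { if (c) flush() }
    ' "$zone"
}

# Cloud Armor rule that denies requests whose client IP geolocates to a country
# code. Inbound only, but rejected clients are not served the response bodies
# that would otherwise show up as Internet egress to that country.
# $1 = security policy name, $2 = rule priority, $3 = ISO country code.
armor_geo_rule() {
    local policy=$1 priority=$2 country=$3
    printf "gcloud compute security-policies rules create %s --security-policy=%s --expression=\"origin.region_code == '%s'\" --action=deny-403\n" \
        "$priority" "$policy" "$country"
}

# Constructed list of documentation ranges standing in for a zone file.
demo_ranges() {
    cat > "$1" <<'EOF'
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
203.0.113.0/25
203.0.113.128/25
EOF
}
```

Run as `egress_deny_rules deny-cn default cn.zone` with the zone file from the ipdeny URL used in the first answer, and `armor_geo_rule my-policy 1000 CN`; pipe the output to a file, read it, then execute it.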
