I am trying to limit access to a FreePBX server so that only North American IP addresses can reach it. I would like to accomplish this with a whitelist and blacklist ipset and then I would add something like:
-A INPUT -m set --match-set whitelist src -j ACCEPT
-A INPUT -m set --match-set blacklist src -j DROP
to the Firewall Advanced Custom Rules.
I noticed that FreePBX already uses ipset for the Let’s Encrypt rules.
Ideally I could piggyback off of this to add my own additional IP sets.
The server has a dedicated WAN connection. Usually I rely on FreePBX’s responsive firewall and it hasn’t failed me yet. This particular client doesn’t like seeing the failed register messages in the logs. I’ve explained to him that he doesn’t need to be scared since the responsive firewall will block those IPs after a while.
I was curious to see if there was a way to implement ipsets. Clearly there is since the Let’s Encrypt rules seem to be applied this way.
(Disclaimer) I would not suggest permitting global access to your server.
You can create ipsets allowing only US addresses, and only allow those addresses in. If your FreePBX server is running nftables, here is a link to a video describing the process for SSH. You can just change the port number to make it apply to FreePBX.
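Below is an added worked example of the ipset approach the question describes, and of the allow-only variant the reply recommends. It is not from the original thread and not FreePBX project code. Everything specific to it is an assumption: the set names na_whitelist and na_blacklist, the list files under /etc/firewall/, the port list 5060,5061, and the sample prefixes, which are constructed from RFC 5737 documentation space rather than real North American allocations (you would source your own geo data). The script validates each CIDR before it reaches `ipset restore` (one malformed line otherwise aborts the whole load), fills a temporary set and swaps it in so the live set is never empty while the ACCEPT rule is active, and refuses to proceed if the address you administer from is not in the allow list.

```shell
#!/bin/sh
# Added example, not from the original post or from FreePBX: build the two
# ipsets from plain CIDR lists, load them atomically, and emit the matching
# Custom Rules. Set names (na_whitelist / na_blacklist), the list file paths,
# the port list and the address data are all assumptions; the sample prefixes
# are CONSTRUCTED from RFC 5737 documentation space, not real allocations.
set -f   # no pathname expansion: we split on dots with "set --" below

SIP_PORTS="5060,5061"   # assumption: adjust to the ports your SIP drivers bind

# CONSTRUCTED sample allow list, in the file format the loader accepts:
# one IPv4 CIDR (or bare address) per line, '#' comments, blank lines ignored.
SAMPLE_ALLOW='# placeholders standing in for North American prefixes
192.0.2.0/24
198.51.100.0/24
203.0.113.7          # a single host; the mask defaults to /32
300.1.1.1/24         # malformed on purpose: the loader must skip it
'

# valid_cidr CIDR: succeed only for a.b.c.d or a.b.c.d/nn with nn in 0..32.
# Anything else would make `ipset restore` abort half way through the load.
valid_cidr() {
  case "$1" in
    */*) ip=${1%%/*}; mask=${1#*/} ;;
    *)   ip=$1;       mask=32 ;;
  esac
  case "$mask" in ''|*[!0-9]*) return 1 ;; esac
  [ "$mask" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# ipset_restore_script SETNAME < listfile: print `ipset restore` input that
# fills a temporary set and then swaps it in, so a reload never leaves the
# live set empty (which, with the ACCEPT rule, would lock everyone out).
ipset_restore_script() {
  set_name=$1
  tmp_set="${set_name}_tmp"
  printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$set_name"
  printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$tmp_set"
  printf 'flush %s\n' "$tmp_set"
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                  # drop comments
    line=$(printf '%s' "$line" | tr -d ' \t')          # and whitespace
    [ -n "$line" ] || continue
    if valid_cidr "$line"; then
      printf 'add %s %s\n' "$tmp_set" "$line"
    else
      printf 'skipping malformed entry for %s: %s\n' "$set_name" "$line" >&2
    fi
  done
  printf 'swap %s %s\n' "$tmp_set" "$set_name"
  printf 'destroy %s\n' "$tmp_set"
}

# custom_rules: the lines for the Firewall Advanced Custom Rules box. The last
# two lines are what the two-rule version lacks: without a final drop on the
# SIP ports, a source that is in neither set still reaches Asterisk.
custom_rules() {
  cat <<EOF
-A INPUT -m set --match-set na_whitelist src -j ACCEPT
-A INPUT -m set --match-set na_blacklist src -j DROP
-A INPUT -p udp -m multiport --dports $SIP_PORTS -j DROP
-A INPUT -p tcp -m multiport --dports $SIP_PORTS -j DROP
EOF
}

# apply_sets KNOWN_GOOD_IP: load both sets (root and the ipset binary required;
# -exist tolerates sets that already exist) and refuse to continue if the
# address you are administering from is not allowed.
apply_sets() {
  ipset_restore_script na_whitelist < /etc/firewall/na_allow.txt | ipset -exist restore
  ipset_restore_script na_blacklist < /etc/firewall/na_deny.txt  | ipset -exist restore
  ipset test na_whitelist "$1" || { echo "refusing: $1 is not in na_whitelist" >&2; return 1; }
  custom_rules
}

# Dry run when invoked directly: show what would be loaded for the sample list.
if [ "${1:-}" = "--dry-run" ]; then
  printf '%s' "$SAMPLE_ALLOW" | ipset_restore_script na_whitelist
  custom_rules
fi
```

Run it with `--dry-run` to see the restore input and rules without touching the kernel; `apply_sets <your-admin-ip>` does the real load. Note that the two rules from the question only decide the fate of addresses that appear in one of the sets; whether you want the trailing DROP on the SIP ports (a true geo allow list, which also means the responsive firewall never sees those failed REGISTERs) or prefer to keep the two-rule version is a policy choice for the installation.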