Overview

While trying to block all public IP addresses for the specific country, Kerio Control allows enabling GeoIP filter for incoming traffic. This filter helps you effectively stop malicious traffic and potential threats.

The GeoIP filter matches each IP address to its source country and displays the result in the Active Connections section. You can see any suspicious connections there and block all traffic from a given country.

Diagnosis

To display the countries associated with IP addresses in Active Connections, enable the Source Country and Destination Country columns in Active Connections:

1. In the administration interface, go to Status > Active Connections.
2. Right-click the table header.
3. In the context menu, scroll down to Columns and select Source Country and Destination Country.

From now on, the source and destination country appear for all active connections with a nonlocal IP address.

Note: In case the Source Country and Destination Country columns are completely blank, then, you can refer to the Unable to see Source and Destination Country article to fix that.

Solution

To block all incoming connections from a specific country:

1. In the administration interface, go to Security Settings > GeoIP Filter.
2. Verify that the Block incoming traffic from the following countries option is enabled.
3. Click Add.
4. In the Select Items dialog box, select the countries you want to block.
   
5. Click OK.
6. Click Apply.

From now on, Kerio Control blocks all incoming connections from the selected countries. Outgoing connections are allowed.

 

Whitelist Specific Addresses from Blocked Country

The GeoIP filter in Kerio Control operates with the highest priority, meaning it takes precedence over all traffic rules, content filters, and other security settings. If a country is blocked using the GeoIP filter, all IP addresses from that country will be denied access, and it is not possible to create a whitelist using traffic rules or content filtering.

Therefore, in order to implement your GeoIP in whitelist in Kerio Control 9.4.5 p1 and later, you would need to follow the below steps (proof of concept for denying US traffic)

1. Define your GeoIP address groups:
   
2. Define as well your desired IP whitelist group, so that you wind up with something like this:
   
3. Go to Security Settings > GeoIP Filter and remove the US from the list (or disable the GeoIP flag if you don't need other countries fully blocked)
   
4. Navigate to Configuration > Traffic Rules, and configure 2 traffic rules:
   
   
   1. A whitelist rule sitting at the top - this is where you would input your whitelist IP address group as the Source, with Destination Firewall and Action ALLOW
   2. A block rule below it, where you would input the GeoIP address group for US as the Source,
   3. Source, with Destination Firewall and Action DROP or DENY

This way, all US traffic will be blocked, except for the IP addresses that you designated in the whitelist.

Testing

To verify which packets are dropped by Kerio Control, use the Debug log:

1. In the administration interface, go to Logs > Debug.
2. Right-click to the log window.
3. In the context menu, click Messages.
4. In the Logging Messages dialog box, select GeoIP and Packets dropped for some reason.
   
5. Click OK.

Important: disable Debug options once the verification is completed so it won't affect overall performance.