
IP filtering has become common practice. For better or worse, it is a tedious process with real limitations for businesses that rely on it as their primary means of identifying users and screening out fraudulent behavior.

However, filtering by IP address is appropriate and effective in many situations. A common example is streaming services such as Netflix, which restrict access to specific titles based on the viewer's IP address.

This means that if you live in the United States, you cannot access Netflix Korea or Netflix Japan because of IP filtering. Likewise, watching American Netflix from the UK, China, Canada, Russia, and elsewhere is equally impossible.

IT professionals also sometimes want to block a subset of the traffic to their website, either to admit only a defined list of IPs or because of geo-location.

In this guide, you'll learn what IP filtering is, its common techniques and rules, and how to use it. Let's get started!


What Is IP Filtering?

IP filtering lets you control which IP traffic is allowed into and out of your network. You define rules and then filter IP packets against them.

In other words, IP filtering is the process that decides which IP packets are processed and which are discarded. You can apply several criteria to specify which packets to filter. Here are a few examples:

  • Type of datagram: ICMP Echo Request, SYN/ACK, data, and so on.
  • Protocol: UDP, TCP, ICMP, and so on.
  • Source and destination address of the datagram: where it came from and where it is going.
  • Port (socket) number, for UDP/TCP.

It is important to recognize that IP address filtering is a network-layer facility. It knows nothing about the application using a network connection, only about the connection itself.


Common IP Filtering Techniques

There are three common types of IP filtering techniques. Let’s check them out below:

1. Route filtering:

In route filtering, some routes are not announced to neighbors, or are not considered for inclusion in the local routing database. Filters can be applied on routers either before output (output filtering) or after input (input filtering).

There are several reasons for route filtering:

  • This kind of filtering ensures that routes for RFC 1918 private address space do not leak onto the global internet. These prefixes should be blocked by the network in both input and output filtering.
  • When a site is multihomed, announcing routes that are non-local to a neighbor other than the one they were learned from amounts to advertising a willingness to provide transit. Applying output filtering to such routes avoids this.
  • An internet service provider typically applies input filtering to routes learned from a customer, restricting them to the addresses actually assigned to that customer. This makes IP address hijacking considerably harder.

In a few cases, a router has insufficient main memory to carry the entire global BGP table. Input filtering on prefix length, on AS path length, or a combination of both confines the local route database to a subset of the global table. However, this practice is not recommended.

Some networks also block IPv4 prefixes that are held by the Regional Internet Registries (RIRs) and not yet delegated to any network. This technique requires regular updates to the router filter, so it is best not to perform this kind of filtering unless you have a reliable, automated tool for checking the RIR databases.

2. Firewall filtering:

A firewall is software, a device, or a set of devices designed to permit or deny network transmissions according to a set of rules, protecting networks from unauthorized access while letting legitimate traffic pass. Many routers that pass data between networks contain firewall components, and firewalls in turn can perform basic routing functions.

The basic kinds of firewalls are:

  • Application-layer firewalls: This kind of firewall works at the application layer of the TCP/IP stack. It intercepts all packets travelling to or from an application and drops unwanted traffic before it reaches the protected machines, without acknowledging the sender. The inspection criteria add extra latency to forwarding packets to their destination.
  • Proxy services: These run on dedicated hardware or as software on a general-purpose machine, responding to some input packets while blocking the others. A compromised internal system would not by itself result in a security breach; however, techniques such as IP spoofing could still transfer packets to another network.
  • Packet filters or network-layer firewalls: Operating at the TCP/IP protocol stack, this firewall does not let packets pass unless they match the default rules or those set by the administrator. Modern firewalls can filter traffic on packet attributes such as source port and source and destination IP address, and also on TTL values, protocol, and the originator's netblock.
  • Network address translation (NAT): NAT hides protected devices' IP addresses by numbering them from the private address range defined in RFC 1918.
  • Mandatory access control (MAC) sandboxing or filtering: This protects vulnerable services by permitting or denying access based on the MAC addresses of specific devices authorized to connect to a given network.

3. Email filtering:

This type of IP filtering involves the automatic and manual processing of incoming email, organizing it according to preset criteria and removing viruses and spam, so that only clean messages are delivered to the user's inbox.

Some filters can also edit messages, for example deactivating malicious links before users click on them. Some organizations inspect all outgoing mail to monitor whether employees are complying with legal requirements.

Email filters work through various methods, such as matching a keyword, a regular expression, or the sender's address. More advanced solutions use statistical document classification, IP reputation, and email analysis algorithms to keep unwanted messages out of protected mailboxes.

This filtering can be a problem when a blacklisted IP address is transferred to another network. Networks may have blocked mail traffic from that IP, and delisting the address requires contacting the various blacklist maintainers.


TCP/IP Route Filter Rules

To open the TCP/IP Route Filter editor window, open the main TCP/IP Filtering dialog box and choose the router filters button. Route filter rules apply globally to the device and are not associated with any interface, but they can be restricted to an interface by using the to and from modifiers in the rule.

Because rules are specified before they are applied, the device does not reorder rule sets: they are applied in the order in which they are written. When several filter sets are selected using the VPN 5000 Manager, they are concatenated from first to last in the device.

A network is not included in the routing table on input or output unless a rule explicitly permits it. To let all other network numbers through unfiltered, the final rule must be: permit 0.0.0.0.

Because static and direct routes are configured on the device rather than received through an interface, they are always installed and cannot be filtered.

Rules previously entered using the Manager can be examined or edited through the command-line interface. Rules downloaded from the Manager are encrypted.

A set of rules created in the TCP/IP Route Filter editor window can be applied through the pull-down menus in the dialog box.

Basic IP Route Filter Syntax and Rules

At a minimum, each line in a filter set must contain an action and an IP address, or be a comment. Together these components specify the filter rule that the device follows when sending and receiving routing packets.

Each line in the route filter must begin with one of the actions permit or deny, or with the comment indicator #:

  • Lines beginning with permit specify that routing information from packets meeting all the conditions is to be included in the IP routing table.
  • Lines beginning with deny specify that routing information from packets meeting all the conditions is not to be included in the IP routing table.
  • Lines beginning with # are comments and are ignored.

Each line beginning with permit or deny must be followed by an IP address, which can be specified in several ways:

  • Addresses can be given in dotted-decimal notation. Rightmost components that are 0 are treated as wildcards.
  • A factorized format can also be used, in which a set of components is substituted into the address: #.#.#.{#,#,…}. The factor set must be at the end of the address; any component after the factor set's position is assumed to be 0.
  • Addresses can also be given as hexadecimal numbers.

An address may end with an optional /bits field. This gives the number of bits, starting with the most significant, that the device considers when comparing the address in a routing packet against the filter rule.

IP Route Filter Rule Options

The direction is specified as in, out, or both. If no direction is given, both is assumed.

  • Route filter rules marked in apply only to routing packets arriving at the device.
  • Route filter rules marked out apply only to routing packets sent from the device.
  • Route filter rules marked both apply to routing packets in both directions.
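As an added illustration, not code from the original page or from the VPN 5000 documentation, the following Python parses a filter set written in the syntax described above and checks a route against it: permit/deny actions, # comments, dotted-decimal addresses with trailing-zero wildcards, factor sets, hexadecimal addresses, the optional /bits field, and the in/out/both direction, applied in written order with a default of deny. The exact rule grammar, the 0x prefix for hexadecimal addresses and the sample filter set are assumptions.

```python
import ipaddress
import re
# Assumed grammar, reconstructed from the text: permit|deny <address>[/bits] [in|out|both]; "#" starts a comment
FACTOR_RE = re.compile(r"^((?:\d+\.)*)\{([\d,]+)\}$")

def parse_address(spec):
    # Expand one address spec into (address_int, significant_bits) pairs.
    spec, _, suffix = spec.partition("/")
    bits = int(suffix) if suffix else None
    if spec.startswith("0x"):                    # hexadecimal form
        variants = [[(int(spec, 16) >> s) & 0xFF for s in (24, 16, 8, 0)]]
    elif FACTOR_RE.match(spec):                  # factorized form a.b.{c,d}
        head, factors = FACTOR_RE.match(spec).groups()
        variants = [[int(x) for x in head.split(".") if x] + [int(f)] for f in factors.split(",")]
    else:                                        # dotted-decimal form
        variants = [[int(x) for x in spec.split(".")]]
    result = []
    for parts in variants:
        parts = (parts + [0, 0, 0, 0])[:4]       # components after a factor set are 0
        addr = int(ipaddress.IPv4Address(".".join(map(str, parts))))
        n = max([i + 1 for i, p in enumerate(parts) if p] or [0])   # trailing 0s are wildcards
        result.append((addr, 8 * n if bits is None else bits))
    return result

def parse_filter(text):
    # Rules keep their written order: the device does not reorder them.
    rules = []
    for fields in filter(None, (ln.split("#", 1)[0].split() for ln in text.splitlines())):
        action, spec, direction = [f.lower() for f in (fields + ["both"])[:3]]
        if action not in ("permit", "deny") or direction not in ("in", "out", "both"):
            raise ValueError("bad rule: " + " ".join(fields))
        rules.extend((action, a, b, direction) for a, b in parse_address(spec))
    return rules

def route_allowed(rules, prefix, direction):
    # First matching rule decides; a route no rule permits is not installed.
    route = int(ipaddress.IPv4Network(prefix, strict=False).network_address)
    for action, addr, bits, rule_dir in rules:
        if rule_dir in ("both", direction) and (bits == 0 or route >> (32 - bits) == addr >> (32 - bits)):
            return action == "permit"
    return False

SAMPLE_FILTER = """# constructed sample filter set, not from the original page
deny 10.0.0.0                 # trailing zeros are wildcards: matches 10/8
permit 198.51.{100,101} in    # factor set: 198.51.100/24 and 198.51.101/24
deny 203.0.113.0/24 out       # explicit /bits; never announce this prefix
permit 0.0.0.0                # final rule: let everything else through
"""
```

Without the final permit 0.0.0.0 line, every route not named by an earlier permit is dropped, which is the default-deny behaviour the text describes.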

When and How To Use GeoIP Filtering

If you run a business in the United States and have no reason to accept online communications from other countries, country-wide geoIP filtering makes sense. If you deal with customers abroad, however, you need to think carefully about whom to block.

Even if you have no foreign customers, you may be using an online service or software hosted outside the US, such as web hosting or webmail, and you will need to allow that traffic through your firewall as well.

There may still be many countries you have no real reason to accept connections from. GeoIP filtering lets you block nations with a track record of originating malicious internet traffic. Cutting off whole nations seems effective and hassle-free, but fine-tuning your geoIP settings is the smarter option.

You might block only an IP or a list of IP addresses known to be malicious. If you do block an entire country, you can still make exceptions by creating firewall rules that let whitelisted IPs through.

This kind of tuning is especially helpful when staff travel abroad on business: you can temporarily unblock the country they are visiting or whitelist their IP addresses.
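The policy just described, as an added Python example that is not from the original page: a country block with an allowlist that takes precedence, and a temporary per-country exception that expires on its own. The GeoIP table, prefixes, country codes, reference time and the fail-closed choice for addresses with no GeoIP match are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a GeoIP database (assumption: a real deployment
# queries a maintained GeoIP feed; these prefixes and countries are invented).
GEOIP_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "KR",
    ipaddress.ip_network("192.0.2.0/24"): "JP",
}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP_DB.items() if addr in net), None)

class GeoIpPolicy:
    def __init__(self, blocked_countries, allowlist=(), unblock_until=None):
        self.blocked = set(blocked_countries)
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]  # checked first
        self.unblock_until = dict(unblock_until or {})  # country -> expiry (UTC)

    def decide(self, ip, now):
        """Return (verdict, reason); verdict is 'allow' or 'deny'."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.allowlist):
            return "allow", "allowlisted address overrides the country block"
        cc = country_of(ip)
        if cc is None:                       # assumption: unknown origin fails closed
            return "deny", "no GeoIP match"
        if cc not in self.blocked:
            return "allow", f"country {cc} is not blocked"
        expiry = self.unblock_until.get(cc)
        if expiry and now < expiry:          # temporary exception still in force
            return "allow", f"{cc} temporarily unblocked until {expiry.isoformat()}"
        return "deny", f"country {cc} is blocked"

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)      # constructed reference time
LATER = NOW + timedelta(days=15)                     # after the trip exception expires

def build_travel_policy(now=NOW):
    """Block KR and JP, keep one partner host reachable, unblock KR for a 14-day trip."""
    return GeoIpPolicy(
        blocked_countries={"KR", "JP"},
        allowlist=["192.0.2.10/32"],                     # partner host inside blocked JP
        unblock_until={"KR": now + timedelta(days=14)},  # expires on its own
    )
```

The returned reason string is what you would log alongside the verdict, so that an unexpected block or an exception that has quietly expired is visible in the firewall's audit trail.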


FAQs – IP Filtering

IP filtering is better than nothing. However, it has two issues: IPs can be spoofed, and if any internal machine is compromised, the attacker can use it as a proxy or jump host for attacking your systems.

IPFilter (ipf) is an open-source software package that provides NAT and firewall services for several Unix-like operating systems. Darren Reed is its author and maintainer. IPFilter is a stateful firewall supporting IPv4 and IPv6.

internet.com's Webopedia defines packet filtering as examining incoming and outgoing IP packets to control access to a network, halting them or letting them pass based on the source or destination IP address.


Conclusion

That concludes our guide to the basics of IP filtering. It comes with a few pitfalls, but IP address filtering remains very useful.

It blocks connections from malicious actors and links through its various filtering types and techniques, and it keeps blacklisted IP addresses out of your network.

We must reiterate, however, that with geoIP filtering it is always better to tune your filter settings than to block all connections from abroad.

We hope you liked our IP filtering guide. Feel free to comment in case of any questions.