Why

Both proxy servers should refuse to forward traffic to China-destined IPs. Since clients already access Chinese services directly (per the china-direct-bypass Surge rules), any China-bound traffic reaching the servers is either misconfigured or unwanted. Blocking it server-side adds a defense-in-depth layer and prevents the servers from being used to access domestic Chinese services.

What Changes

  • Create a new Ansible role geoblock that downloads China IP CIDR lists and configures iptables to drop outbound traffic to those ranges
  • Apply the role to both relay and landing servers
  • Set up a cron job to periodically refresh the IP list
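As an added example (not code from this proposal or its repository), the shell logic such a role could drive: it turns a downloaded CIDR list into an ipset, swaps the set in atomically, and attaches a single iptables OUTPUT rule; the same entry point serves the cron refresh. The set name, list URL and minimum-entry threshold are assumptions.

```bash
#!/usr/bin/env bash
# geoblock-cn example: load a CN CIDR list into an ipset and drop outbound
# traffic to it. Set name, list URL and MIN_ENTRIES are assumptions.
set -eu
SET_NAME="${SET_NAME:-geoblock_cn}"
LIST_URL="${LIST_URL:-https://example.invalid/cn-cidrs.txt}"   # placeholder
MIN_ENTRIES="${MIN_ENTRIES:-1000}"   # a truncated download must not replace the set
CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'

# Turn a CIDR list into an `ipset restore` script. Comments, blanks and CRLF are
# tolerated; lines that are not a syntactically valid IPv4 CIDR are skipped. The
# list is built in a temp set and swapped in, so the DROP rule never sees an empty set.
build_ipset_restore() {
    local file="$1" tmp="${SET_NAME}_tmp" kept=0 skipped=0 line
    echo "create $tmp hash:net family inet hashsize 4096 maxelem 65536 -exist"
    echo "flush $tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -z "$line" ] && continue
        if printf '%s\n' "$line" | grep -Eq "$CIDR_RE"; then
            echo "add $tmp $line"; kept=$((kept + 1))
        else
            skipped=$((skipped + 1))
        fi
    done < "$file"
    echo "create $SET_NAME hash:net family inet hashsize 4096 maxelem 65536 -exist"
    echo "swap $tmp $SET_NAME"
    echo "destroy $tmp"
    echo "geoblock: $kept entries kept, $skipped skipped" >&2
}

# Install or refresh the set and ensure exactly one OUTPUT rule references it.
# Proxies originate their own upstream connections, so OUTPUT is the right chain;
# a host that routes at the IP layer would need the same rule in FORWARD.
apply_geoblock() {
    local file="$1" script n
    script="$(build_ipset_restore "$file")"
    n="$(printf '%s\n' "$script" | grep -c '^add ' || true)"
    if [ "$n" -lt "$MIN_ENTRIES" ]; then
        echo "geoblock: only $n entries, keeping the current set" >&2
        return 1
    fi
    printf '%s\n' "$script" | ipset restore
    iptables -C OUTPUT -m set --match-set "$SET_NAME" dst -j DROP 2>/dev/null ||
        iptables -I OUTPUT -m set --match-set "$SET_NAME" dst -j DROP
}

if [ "${1:-}" = "apply" ]; then   # same entry point for install and cron refresh
    list="$(mktemp)"; trap 'rm -f "$list"' EXIT
    curl -fsSL "$LIST_URL" -o "$list"
    apply_geoblock "$list"
fi
```

A daily cron entry running the script with `apply` covers the refresh step; because the set is swapped in whole, a refresh never leaves a window where the DROP rule matches an empty set, and a short or corrupted download leaves the previous set untouched. The rule and set are not persistent across reboots on their own, so the role also needs to restore them at boot (for example with netfilter-persistent or an equivalent unit).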

Capabilities

New Capabilities

  • geoblock-cn: Server-side blocking of outbound connections to China IP ranges via iptables

Modified Capabilities

(none)

Impact

  • New roles/geoblock/ Ansible role applied to all servers
  • iptables rules added on both servers dropping outbound traffic to CN IP ranges
  • Cron job for periodic IP list updates
  • site.yml updated to include the geoblock role