Hello Trent, Here is some more info as suggested.As you will probably see I have made a mess of things with various other commands. I want to be able to completely block the mentioned ip address from connecting to my computer and also if sensible,block ports from 1000-65535. peter@peter-G31M-ES2L ~ $ sudo ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- Anywhere DENY IN 119.235.255.158 1:65530/tcp DENY IN Anywhere 1000:1015/tcp ALLOW IN Anywhere 1000:65535/tcp DENY IN Anywhere 1:65530/tcp (v6) DENY IN Anywhere (v6) 1000:1015/tcp (v6) ALLOW IN Anywhere (v6) 1000:65535/tcp (v6) DENY IN Anywhere (v6) peter@peter-G31M-ES2L ~ $ sudo iptables-save -c # Generated by iptables-save v1.6.0 on Mon Aug 7 14:57:44 2017 *filter :INPUT DROP [100:3000] :FORWARD DROP [0:0] :OUTPUT ACCEPT [27:1380] :ufw-after-forward - [0:0] :ufw-after-input - [0:0] :ufw-after-logging-forward - [0:0] :ufw-after-logging-input - [0:0] :ufw-after-logging-output - [0:0] :ufw-after-output - [0:0] :ufw-before-forward - [0:0] :ufw-before-input - [0:0] :ufw-before-logging-forward - [0:0] :ufw-before-logging-input - [0:0] :ufw-before-logging-output - [0:0] :ufw-before-output - [0:0] :ufw-logging-allow - [0:0] :ufw-logging-deny - [0:0] :ufw-not-local - [0:0] :ufw-reject-forward - [0:0] :ufw-reject-input - [0:0] :ufw-reject-output - [0:0] :ufw-skip-to-policy-forward - [0:0] :ufw-skip-to-policy-input - [0:0] :ufw-skip-to-policy-output - [0:0] :ufw-track-forward - [0:0] :ufw-track-input - [0:0] :ufw-track-output - [0:0] :ufw-user-forward - [0:0] :ufw-user-input - [0:0] :ufw-user-limit - [0:0] :ufw-user-limit-accept - [0:0] :ufw-user-logging-forward - [0:0] :ufw-user-logging-input - [0:0] :ufw-user-logging-output - [0:0] :ufw-user-output - [0:0] [88866:12844726] -A INPUT -j ufw-before-logging-input [88866:12844726] -A INPUT -j ufw-before-input [526:71520] -A INPUT -j ufw-after-input [100:3000] -A INPUT -j ufw-after-logging-input [100:3000] -A INPUT -j ufw-reject-input [100:3000] -A INPUT -j ufw-track-input [0:0] -A FORWARD -j ufw-before-logging-forward [0:0] -A FORWARD -j ufw-before-forward [0:0] -A FORWARD -j ufw-after-forward [0:0] -A FORWARD -j ufw-after-logging-forward [0:0] -A FORWARD -j ufw-reject-forward [0:0] -A FORWARD -j ufw-track-forward [88779:5942988] -A OUTPUT -j ufw-before-logging-output [88779:5942988] -A OUTPUT -j ufw-before-output [2089:173755] -A OUTPUT -j ufw-after-output [2089:173755] -A OUTPUT -j ufw-after-logging-output [2089:173755] -A OUTPUT -j ufw-reject-output [2089:173755] -A OUTPUT -j ufw-track-output [0:0] -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input [0:0] -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input [0:0] -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input [0:0] -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input [2:680] -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input [0:0] -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input [424:67840] -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input [0:0] -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " [100:3000] -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " [0:0] -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT [0:0] -A ufw-before-forward -j ufw-user-forward [2825:233955] -A ufw-before-input -i lo -j ACCEPT [85438:12528691] -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [3:1997] -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny [3:1997] -A ufw-before-input -m conntrack --ctstate INVALID -j DROP [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT [0:0] -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT [600:80083] -A ufw-before-input -j ufw-not-local [74:8563] -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT [0:0] -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT [526:71520] -A ufw-before-input -j ufw-user-input [2825:233955] -A ufw-before-output -o lo -j ACCEPT [83865:5535278] -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [2089:173755] -A ufw-before-output -j ufw-user-output [0:0] -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " [3:1997] -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN [0:0] -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " [0:0] -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN [174:11563] -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN [426:68520] -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN [0:0] -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny [0:0] -A ufw-not-local -j DROP [0:0] -A ufw-skip-to-policy-forward -j DROP [426:68520] -A ufw-skip-to-policy-input -j DROP [0:0] -A ufw-skip-to-policy-output -j ACCEPT [1409:84540] -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT [653:87835] -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT [0:0] -A ufw-user-input -s 119.235.255.158/32 -j DROP [0:0] -A ufw-user-input -p tcp -m multiport --dports 1:65530 -j DROP [0:0] -A ufw-user-input -p tcp -m multiport --dports 1000:1015 -j ACCEPT [0:0] -A ufw-user-input -p tcp -m multiport --dports 1000:65535 -j DROP [0:0] -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] " [0:0] -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable [0:0] -A ufw-user-limit-accept -j ACCEPT COMMIT # Completed on Mon Aug 7 14:57:44 2017 regards Peter On 07/08/17 13:14, Trent W. Buck wrote:
Hi Peter,
Peter Wolf via luv-beginners wrote:
I am trying to block ip address with ufw.I have used the command
sudo ufw deny from xxx.xxx.xxx.xxx to any
According to tcptrack the ip is still getting a connection. I haven't used ufw in a while, but first check if it is turned on.
sudo ufw enable
You can also run some diagnostic commands:
sudo ufw status sudo ufw status verbose sudo ufw show user-rules
These commands come from the system documentation ("man ufw"), also available here:
https://manpages.debian.org/stretch/ufw/ufw.8.en.html http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html
Another obvious thing to check is if to and from are backwards. Try both:
sudo ufw deny from A.B.C.D sudo ufw deny to A.B.C.D
Under the hood, ufw is a wrapper around iptables/netfilter ("iptables" is the userspace part, "netfilter" is the kernel part).
I can read the raw iptables rules better than ufw rules. If you attach them, I can take a look for you. This will print out the IPv6 rules in a format I can understand:
sudo iptables-save -c
On 07/08/17 13:14, Trent W. Buck wrote:
Hi Peter,
Peter Wolf via luv-beginners wrote:
I am trying to block ip address with ufw.I have used the command
sudo ufw deny from xxx.xxx.xxx.xxx to any
According to tcptrack the ip is still getting a connection. I haven't used ufw in a while, but first check if it is turned on.
sudo ufw enable
You can also run some diagnostic commands:
sudo ufw status sudo ufw status verbose sudo ufw show user-rules
These commands come from the system documentation ("man ufw"), also available here:
https://manpages.debian.org/stretch/ufw/ufw.8.en.html http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html
Another obvious thing to check is if to and from are backwards. Try both:
sudo ufw deny from A.B.C.D sudo ufw deny to A.B.C.D
Under the hood, ufw is a wrapper around iptables/netfilter ("iptables" is the userspace part, "netfilter" is the kernel part).
I can read the raw iptables rules better than ufw rules. If you attach them, I can take a look for you. This will print out the IPv6 rules in a format I can understand:
sudo iptables-save -c