      Hello Trent,

      Here is some more info as suggested. As you will probably see, I
      have made a mess of things with various other commands.

      I want to be able to completely block the mentioned IP address
      from connecting to my computer and also, if sensible, block ports
      1000-65535.

      peter@peter-G31M-ES2L ~ $ sudo ufw status verbose
      Status: active
      Logging: on (low)
      Default: deny (incoming), allow (outgoing), disabled (routed)
      New profiles: skip

      To                         Action      From
      --                         ------      ----
      Anywhere                   DENY IN     119.235.255.158
      1:65530/tcp                DENY IN     Anywhere
      1000:1015/tcp              ALLOW IN    Anywhere
      1000:65535/tcp             DENY IN     Anywhere
      1:65530/tcp (v6)           DENY IN     Anywhere (v6)
      1000:1015/tcp (v6)         ALLOW IN    Anywhere (v6)
      1000:65535/tcp (v6)        DENY IN     Anywhere (v6)

      peter@peter-G31M-ES2L ~ $ sudo iptables-save -c
      # Generated by iptables-save v1.6.0 on Mon Aug  7 14:57:44 2017
      *filter
      :INPUT DROP [100:3000]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [27:1380]
      :ufw-after-forward - [0:0]
      :ufw-after-input - [0:0]
      :ufw-after-logging-forward - [0:0]
      :ufw-after-logging-input - [0:0]
      :ufw-after-logging-output - [0:0]
      :ufw-after-output - [0:0]
      :ufw-before-forward - [0:0]
      :ufw-before-input - [0:0]
      :ufw-before-logging-forward - [0:0]
      :ufw-before-logging-input - [0:0]
      :ufw-before-logging-output - [0:0]
      :ufw-before-output - [0:0]
      :ufw-logging-allow - [0:0]
      :ufw-logging-deny - [0:0]
      :ufw-not-local - [0:0]
      :ufw-reject-forward - [0:0]
      :ufw-reject-input - [0:0]
      :ufw-reject-output - [0:0]
      :ufw-skip-to-policy-forward - [0:0]
      :ufw-skip-to-policy-input - [0:0]
      :ufw-skip-to-policy-output - [0:0]
      :ufw-track-forward - [0:0]
      :ufw-track-input - [0:0]
      :ufw-track-output - [0:0]
      :ufw-user-forward - [0:0]
      :ufw-user-input - [0:0]
      :ufw-user-limit - [0:0]
      :ufw-user-limit-accept - [0:0]
      :ufw-user-logging-forward - [0:0]
      :ufw-user-logging-input - [0:0]
      :ufw-user-logging-output - [0:0]
      :ufw-user-output - [0:0]
      [88866:12844726] -A INPUT -j ufw-before-logging-input
      [88866:12844726] -A INPUT -j ufw-before-input
      [526:71520] -A INPUT -j ufw-after-input
      [100:3000] -A INPUT -j ufw-after-logging-input
      [100:3000] -A INPUT -j ufw-reject-input
      [100:3000] -A INPUT -j ufw-track-input
      [0:0] -A FORWARD -j ufw-before-logging-forward
      [0:0] -A FORWARD -j ufw-before-forward
      [0:0] -A FORWARD -j ufw-after-forward
      [0:0] -A FORWARD -j ufw-after-logging-forward
      [0:0] -A FORWARD -j ufw-reject-forward
      [0:0] -A FORWARD -j ufw-track-forward
      [88779:5942988] -A OUTPUT -j ufw-before-logging-output
      [88779:5942988] -A OUTPUT -j ufw-before-output
      [2089:173755] -A OUTPUT -j ufw-after-output
      [2089:173755] -A OUTPUT -j ufw-after-logging-output
      [2089:173755] -A OUTPUT -j ufw-reject-output
      [2089:173755] -A OUTPUT -j ufw-track-output
      [0:0] -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
      [0:0] -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
      [0:0] -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
      [0:0] -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
      [2:680] -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
      [0:0] -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
      [424:67840] -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
      [0:0] -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
      [100:3000] -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
      [0:0] -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
      [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
      [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
      [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
      [0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
      [0:0] -A ufw-before-forward -j ufw-user-forward
      [2825:233955] -A ufw-before-input -i lo -j ACCEPT
      [85438:12528691] -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [3:1997] -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
      [3:1997] -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
      [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
      [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
      [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
      [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
      [0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
      [0:0] -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
      [600:80083] -A ufw-before-input -j ufw-not-local
      [74:8563] -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
      [0:0] -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
      [526:71520] -A ufw-before-input -j ufw-user-input
      [2825:233955] -A ufw-before-output -o lo -j ACCEPT
      [83865:5535278] -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [2089:173755] -A ufw-before-output -j ufw-user-output
      [0:0] -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
      [3:1997] -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
      [0:0] -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
      [0:0] -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
      [174:11563] -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
      [426:68520] -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
      [0:0] -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
      [0:0] -A ufw-not-local -j DROP
      [0:0] -A ufw-skip-to-policy-forward -j DROP
      [426:68520] -A ufw-skip-to-policy-input -j DROP
      [0:0] -A ufw-skip-to-policy-output -j ACCEPT
      [1409:84540] -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
      [653:87835] -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
      [0:0] -A ufw-user-input -s 119.235.255.158/32 -j DROP
      [0:0] -A ufw-user-input -p tcp -m multiport --dports 1:65530 -j DROP
      [0:0] -A ufw-user-input -p tcp -m multiport --dports 1000:1015 -j ACCEPT
      [0:0] -A ufw-user-input -p tcp -m multiport --dports 1000:65535 -j DROP
      [0:0] -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
      [0:0] -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
      [0:0] -A ufw-user-limit-accept -j ACCEPT
      COMMIT
      # Completed on Mon Aug  7 14:57:44 2017

      regards Peter

      On 07/08/17 13:14, Trent W. Buck wrote:
      > Hi Peter,
      >
      > Peter Wolf via luv-beginners wrote:
      > > I am trying to block ip address with ufw. I have used the command
      > >
      > >     sudo ufw deny from xxx.xxx.xxx.xxx to any
      > >
      > > According to tcptrack the ip is still getting a connection.
      >
      > I haven't used ufw in a while, but first check if it is turned on.
      >
      >     sudo ufw enable
      >
      > You can also run some diagnostic commands:
      >
      >     sudo ufw status
      >     sudo ufw status verbose
      >     sudo ufw show user-rules
      >
      > These commands come from the system documentation ("man ufw"),
      > also available here:
      >
      >     https://manpages.debian.org/stretch/ufw/ufw.8.en.html
      >     http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html
      >
      > Another obvious thing to check is if to and from are backwards.
      > Try both:
      >
      >     sudo ufw deny from A.B.C.D
      >     sudo ufw deny to A.B.C.D
      >
      > Under the hood, ufw is a wrapper around iptables/netfilter
      > ("iptables" is the userspace part, "netfilter" is the kernel part).
      > I can read the raw iptables rules better than ufw rules.
      > If you attach them, I can take a look for you.
      >
      > This will print out the IPv6 rules in a format I can understand:
      >
      >     sudo iptables-save -c
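Editor's note on the rule set above, followed by an added example that is not part of the thread and not ufw's own code. Two things stand out in the dump. Every rule in the ufw-user-input chain carries a [0:0] counter, so none of the user rules has matched a single packet since the counters were last reset, while the RELATED,ESTABLISHED rule in ufw-before-input has accepted 85438 packets and the INPUT DROP policy has discarded 100. And the 1000:1015/tcp ALLOW IN rule sits below 1:65530/tcp DENY IN, which already covers those ports, so it can never match: ufw evaluates user rules top to bottom. Separately, the default policy is allow (outgoing), so a "deny from" rule alone leaves connections this machine opens to that host untouched, and tcptrack lists those just the same. The script below rebuilds the policy from scratch in a deliberate order, adds the outbound deny, and checks both DROP rules against iptables-save output. The address 119.235.255.158 and the 1000:65535 range are taken from the dump; BAD_IP, UFW, apply_policy, verify_policy and the sample lines are names and data chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from ufw itself: rebuild the ufw
# policy in one deliberate order, then confirm the netfilter rules that
# result. BAD_IP, UFW, apply_policy and verify_policy are names chosen here.
set -eu

BAD_IP="${BAD_IP:-119.235.255.158}"   # the address in the posted dump
UFW="${UFW:-sudo ufw}"                # set UFW=echo to preview the commands

# ufw evaluates user rules top to bottom inside ufw-user-input, so the order
# below is the order they match. "reset" clears the overlapping ranges
# (1:65530, 1000:1015, 1000:65535) instead of deleting them one by one;
# ufw backs up the old rule files before doing so.
apply_policy() {
    $UFW --force reset
    $UFW default deny incoming
    $UFW default allow outgoing
    # "deny from" only matches packets arriving from the host. With outgoing
    # allowed by default, a second rule is needed for connections this
    # machine opens to it, which tcptrack lists just the same.
    $UFW deny in from "$BAD_IP" to any
    $UFW deny out to "$BAD_IP"
    # Port ranges require a protocol, and a tcp rule says nothing about udp.
    # Under "default deny incoming" both are redundant, but they keep the
    # block in place if the default is ever relaxed.
    $UFW deny in proto tcp to any port 1000:65535
    $UFW deny in proto udp to any port 1000:65535
    $UFW --force enable
    $UFW status numbered
}

# Read "iptables-save -c" output on stdin and look for the two DROP rules
# in the chains ufw fills with user rules. Returns non-zero if one is absent.
verify_policy() {
    rules=$(cat)
    rc=0
    if printf '%s\n' "$rules" | grep -q -- "-A ufw-user-input -s $BAD_IP/32 -j DROP"; then
        echo "ok: inbound drop from $BAD_IP"
    else
        echo "MISSING: inbound drop from $BAD_IP"; rc=1
    fi
    if printf '%s\n' "$rules" | grep -q -- "-A ufw-user-output -d $BAD_IP/32 -j DROP"; then
        echo "ok: outbound drop to $BAD_IP"
    else
        echo "MISSING: outbound drop to $BAD_IP"; rc=1
    fi
    return $rc
}

# Constructed sample: the ufw-user-input lines from the dump in the thread.
# It has the inbound drop but no ufw-user-output rule, so verify_policy
# reports the outbound gap and exits 1.
SAMPLE_RULES='[0:0] -A ufw-user-input -s 119.235.255.158/32 -j DROP
[0:0] -A ufw-user-input -p tcp -m multiport --dports 1:65530 -j DROP
[0:0] -A ufw-user-input -p tcp -m multiport --dports 1000:1015 -j ACCEPT
[0:0] -A ufw-user-input -p tcp -m multiport --dports 1000:65535 -j DROP'

# Subcommands: "apply" rewrites the firewall, "verify" checks the live
# rules, "sample" runs the check against the constructed lines above.
case "${1:-}" in
    apply)  apply_policy ;;
    verify) sudo iptables-save -c | verify_policy ;;
    sample) printf '%s\n' "$SAMPLE_RULES" | verify_policy ;;
esac
```

Run "UFW=echo sh ufw-policy.sh apply" first to see the command list without touching the firewall (ufw's own --dry-run flag does the same per command and also prints the iptables rules it would load). A reset removes every existing rule, including any that open a service in use, so add those back before the enable step. After applying, "sh ufw-policy.sh verify" should print two "ok" lines; "ufw status numbered" shows the final order, which is the order netfilter will walk.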