7 Aug
2017
7 Aug
'17
10:51 a.m.
Hello,
I am trying to block ip address with ufw.I have used the command
|sudo ufw deny from xxx.xxx.xxx.xxx to any|
|
|
|Unfortunately ,according to tcptrack the ip is still getting a
connection.Can someone show me how to block an ip address with ufw? I
have tried a lot of googling and have been unable to work it out.|
|
|
|
|
|
|
|regards Peter
|
7 Aug
7 Aug
1:14 p.m.
Hi Peter,
Peter Wolf via luv-beginners wrote:
I am trying to block ip address with ufw.I have used
the command
sudo ufw deny from xxx.xxx.xxx.xxx to any
According to tcptrack the ip is still getting a connection.
I haven't used ufw in a while, but first check if it is turned on.
sudo ufw enable
You can also run some diagnostic commands:
sudo ufw status
sudo ufw status verbose
sudo ufw show user-rules
These commands come from the system documentation ("man ufw"),
also available here:
https://manpages.debian.org/stretch/ufw/ufw.8.en.html
http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html
Another obvious thing to check is if to and from are backwards.
Try both:
sudo ufw deny from A.B.C.D
sudo ufw deny to A.B.C.D
Under the hood, ufw is a wrapper around iptables/netfilter
("iptables" is the userspace part, "netfilter" is the kernel part).
I can read the raw iptables rules better than ufw rules.
If you attach them, I can take a look for you.
This will print out the IPv6 rules in a format I can understand:
sudo iptables-save -c
3:10 p.m.
Hello Trent,
Here is some more info as suggested.As you will probably see I have made
a mess of things with various other commands.
I want to be able to completely block the mentioned ip address from
connecting to my computer and also if sensible,block ports from 1000-65535.
peter@peter-G31M-ES2L ~ $ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
Anywhere DENY IN 119.235.255.158
1:65530/tcp DENY IN Anywhere
1000:1015/tcp ALLOW IN Anywhere
1000:65535/tcp DENY IN Anywhere
1:65530/tcp (v6) DENY IN Anywhere (v6)
1000:1015/tcp (v6) ALLOW IN Anywhere (v6)
1000:65535/tcp (v6) DENY IN Anywhere (v6)
peter@peter-G31M-ES2L ~ $ sudo iptables-save -c
# Generated by iptables-save v1.6.0 on Mon Aug 7 14:57:44 2017
*filter
:INPUT DROP [100:3000]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [27:1380]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
[88866:12844726] -A INPUT -j ufw-before-logging-input
[88866:12844726] -A INPUT -j ufw-before-input
[526:71520] -A INPUT -j ufw-after-input
[100:3000] -A INPUT -j ufw-after-logging-input
[100:3000] -A INPUT -j ufw-reject-input
[100:3000] -A INPUT -j ufw-track-input
[0:0] -A FORWARD -j ufw-before-logging-forward
[0:0] -A FORWARD -j ufw-before-forward
[0:0] -A FORWARD -j ufw-after-forward
[0:0] -A FORWARD -j ufw-after-logging-forward
[0:0] -A FORWARD -j ufw-reject-forward
[0:0] -A FORWARD -j ufw-track-forward
[88779:5942988] -A OUTPUT -j ufw-before-logging-output
[88779:5942988] -A OUTPUT -j ufw-before-output
[2089:173755] -A OUTPUT -j ufw-after-output
[2089:173755] -A OUTPUT -j ufw-after-logging-output
[2089:173755] -A OUTPUT -j ufw-reject-output
[2089:173755] -A OUTPUT -j ufw-track-output
[0:0] -A ufw-after-input -p udp -m udp --dport 137 -j
ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 138 -j
ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p tcp -m tcp --dport 139 -j
ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p tcp -m tcp --dport 445 -j
ufw-skip-to-policy-input
[2:680] -A ufw-after-input -p udp -m udp --dport 67 -j
ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 68 -j
ufw-skip-to-policy-input
[424:67840] -A ufw-after-input -m addrtype --dst-type BROADCAST -j
ufw-skip-to-policy-input
[0:0] -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst
10 -j LOG --log-prefix "[UFW BLOCK] "
[100:3000] -A ufw-after-logging-input -m limit --limit 3/min
--limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
[0:0] -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED
-j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-forward -j ufw-user-forward
[2825:233955] -A ufw-before-input -i lo -j ACCEPT
[85438:12528691] -A ufw-before-input -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT
[3:1997] -A ufw-before-input -m conntrack --ctstate INVALID -j
ufw-logging-deny
[3:1997] -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
[600:80083] -A ufw-before-input -j ufw-not-local
[74:8563] -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport
5353 -j ACCEPT
[0:0] -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport
1900 -j ACCEPT
[526:71520] -A ufw-before-input -j ufw-user-input
[2825:233955] -A ufw-before-output -o lo -j ACCEPT
[83865:5535278] -A ufw-before-output -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT
[2089:173755] -A ufw-before-output -j ufw-user-output
[0:0] -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j
LOG --log-prefix "[UFW ALLOW] "
[3:1997] -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit
--limit 3/min --limit-burst 10 -j RETURN
[0:0] -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG
--log-prefix "[UFW BLOCK] "
[0:0] -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
[174:11563] -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
[426:68520] -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
[0:0] -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j
ufw-logging-deny
[0:0] -A ufw-not-local -j DROP
[0:0] -A ufw-skip-to-policy-forward -j DROP
[426:68520] -A ufw-skip-to-policy-input -j DROP
[0:0] -A ufw-skip-to-policy-output -j ACCEPT
[1409:84540] -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j
ACCEPT
[653:87835] -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
[0:0] -A ufw-user-input -s 119.235.255.158/32 -j DROP
[0:0] -A ufw-user-input -p tcp -m multiport --dports 1:65530 -j DROP
[0:0] -A ufw-user-input -p tcp -m multiport --dports 1000:1015 -j ACCEPT
[0:0] -A ufw-user-input -p tcp -m multiport --dports 1000:65535 -j DROP
[0:0] -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW
LIMIT BLOCK] "
[0:0] -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Mon Aug 7 14:57:44 2017
regards Peter
On 07/08/17 13:14, Trent W. Buck wrote:
Hi Peter,
Peter Wolf via luv-beginners wrote:
On 07/08/17 13:14, Trent W. Buck wrote:
I am trying to block ip address with ufw.I have
used the command
sudo ufw deny from xxx.xxx.xxx.xxx to any
According to tcptrack the ip is still getting a connection.
I haven't used ufw
in a while, but first check if it is turned on.
sudo ufw enable
You can also run some diagnostic commands:
sudo ufw status
sudo ufw status verbose
sudo ufw show user-rules
These commands come from the system documentation ("man ufw"),
also available here:
https://manpages.debian.org/stretch/ufw/ufw.8.en.html
http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html
Another obvious thing to check is if to and from are backwards.
Try both:
sudo ufw deny from A.B.C.D
sudo ufw deny to A.B.C.D
Under the hood, ufw is a wrapper around iptables/netfilter
("iptables" is the userspace part, "netfilter" is the kernel part).
I can read the raw iptables rules better than ufw rules.
If you attach them, I can take a look for you.
This will print out the IPv6 rules in a format I can understand:
sudo iptables-save -c
Hi Peter,
Peter Wolf via luv-beginners wrote:
I am trying to block ip address with ufw.I have
used the command
sudo ufw deny from xxx.xxx.xxx.xxx to any
According to tcptrack the ip is still getting a connection.
I haven't used ufw
in a while, but first check if it is turned on.
sudo ufw enable
You can also run some diagnostic commands:
sudo ufw status
sudo ufw status verbose
sudo ufw show user-rules
These commands come from the system documentation ("man ufw"),
also available here:
https://manpages.debian.org/stretch/ufw/ufw.8.en.html
http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html
Another obvious thing to check is if to and from are backwards.
Try both:
sudo ufw deny from A.B.C.D
sudo ufw deny to A.B.C.D
Under the hood, ufw is a wrapper around iptables/netfilter
("iptables" is the userspace part, "netfilter" is the kernel part).
I can read the raw iptables rules better than ufw rules.
If you attach them, I can take a look for you.
This will print out the IPv6 rules in a format I can understand:
sudo iptables-save -c
2062
days inactive
2062
days old
2 comments
2 participants
participants (2)
-
Peter Wolf -
Trent W. Buck