Guy Rutenberg

Keeping track of what I do

Blocking IP Range using UFW


Uncomplicated Firewall (ufw) is one of the best front-ends to iptables I have encountered. It is very simple to use, and I just wish it were also available for Gentoo. Up until recently everything went smoothly between me and ufw, but we hit rough waters when I tried to block an IP range.

To block an IP address or an IP range in ufw you run:

sudo ufw deny from 188.162.67.197/21

Note that the host bits after the slash are ignored: iptables masks them off, so /21 here means the whole block from 188.162.64.0 to 188.162.71.255, and it is clearer to write the network address, 188.162.64.0/21, explicitly.

But here is the catch. Only recent versions of ufw (and the one shipped with Ubuntu 8.04 isn't one of them) support inserting a rule at a chosen position. Older versions always append, and iptables stops at the first rule that matches a packet. So if you already had a rule that allows everyone to connect to port 80, it still allows the IP range you are trying to block: the allow rule is matched first and the deny rule below it never gets a look.

Since it is impossible to foresee every rule you might end up with, the obvious fix is to delete every rule the block should override and re-add it, so that it ends up after the rule that blocks the IP range. I disliked that idea and looked for a simpler solution.

The easiest method I found was to manually edit ufw's rules file (on this version it lives at /var/lib/ufw/user.rules; newer releases store it in a different location, so check where your version writes it):

sudo vim /var/lib/ufw/user.rules

and then move the rule I added, which looks like this:

### tuple ### deny any any 0.0.0.0/0 any 188.162.67.197/21
-A ufw-user-input -s 188.162.67.197/21 -j DROP

above all the other rules in the file. The file is fed to iptables-restore, so the rule has to stay inside the *filter section: below the chain declarations at the top of the file and above the other -A ufw-user-input lines. Keep the ### tuple ### comment together with its -A line, since ufw uses those comment lines to rebuild its rule list, and a rule without one is lost the next time ufw rewrites the file.

Afterwards you have to restart ufw so it reloads its rules:

sudo ufw disable
sudo ufw enable
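The same reordering done by script instead of by hand, as an added example that is not part of the original post: promote_deny moves the two lines ufw wrote for a "deny from CIDR" rule (the ### tuple ### comment and the -A ufw-user-input line that follows it) in front of every other rule, leaving the *filter header and the trailing COMMIT where they are. The function names are my own, the sample rules file is constructed here in the shape ufw writes user.rules, and the script works on a throwaway copy; on a real host you would point it at the user.rules path your ufw version uses.

```shell
#!/bin/sh
# Added example, not from the original post: move the "ufw deny from CIDR"
# rule to the front of ufw's user rules so it is evaluated before any allow
# rule. Runs on a constructed copy of the rules file; on a real host point it
# at the user.rules path your ufw version uses (/var/lib/ufw/user.rules on
# the version discussed in the post) and re-enable ufw afterwards.

# promote_deny FILE CIDR: rewrite FILE so that the "### tuple ###" comment
# and the "-A ufw-user-input -s CIDR ..." line right after it come before
# every other rule. Header lines and the final COMMIT keep their place.
promote_deny() {
    file=$1
    cidr=$2
    tmp="$file.tmp"
    awk -v cidr="$cidr" '
        { line[NR] = $0 }
        END {
            # Locate the tuple comment whose next line is our deny rule.
            t = 0
            for (i = 1; i < NR; i++)
                if (line[i] ~ /^### tuple ###/ && line[i+1] ~ /^-A ufw-user-input / &&
                    index(line[i+1], " -s " cidr " ")) { t = i; break }
            if (!t) { print "no ufw-user-input rule for " cidr > "/dev/stderr"; exit 1 }
            # First tuple comment that is not ours: our block must go in front of it.
            f = 0
            for (i = 1; i <= NR; i++)
                if (i != t && line[i] ~ /^### tuple ###/) { f = i; break }
            # Already first, or the only rule: write the file back unchanged.
            if (!f || f > t) { for (i = 1; i <= NR; i++) print line[i]; exit 0 }
            for (i = 1; i <= NR; i++) {
                if (i == f) { print line[t]; print line[t+1]; print "" }
                if (i == t || i == t + 1) continue            # old position
                if (i == t + 2 && line[i] == "") continue     # its blank separator
                print line[i]
            }
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Constructed sample in the shape ufw writes user.rules: allows for ports 80
# and 22 were added before the deny, so the deny was appended last and loses.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
### RULES ###

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### deny any any 0.0.0.0/0 any 188.162.67.197/21
-A ufw-user-input -s 188.162.67.197/21 -j DROP

### END RULES ###
COMMIT
EOF
}

# first_rule FILE: the first rule iptables-restore loads into ufw-user-input,
# i.e. the one that wins for a packet matching several rules.
first_rule() {
    grep '^-A ufw-user-input' "$1" | head -n 1
}

# Demo on a throwaway copy: before, port 80 is matched first; after, the deny is.
demo=$(mktemp)
write_sample_rules "$demo"
echo "before: $(first_rule "$demo")"
promote_deny "$demo" 188.162.67.197/21
echo "after:  $(first_rule "$demo")"
grep -n '^-A ufw-user-input' "$demo"
rm -f "$demo"
```

On a live host run it with ufw disabled, then sudo ufw enable, and confirm the order iptables actually loaded with sudo iptables -L ufw-user-input -n --line-numbers: the DROP line should be number 1. On a ufw version that supports it, sudo ufw insert 1 deny from 188.162.67.197/21 achieves the same thing without touching the file.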

Written by Guy

November 7th, 2009 at 9:19 pm

Posted in Linux, Tips


One Response to 'Blocking IP Range using UFW'


  1. Good post. I had to write my own script to delete and then re-append all my rules.

    dan

    6 Aug 10 at 15:13
