Uncomplicated Firewall (ufw) is one of the best frontends to iptables I’ve encountered. It is very simple to use, and I just wish it was also available for Gentoo. Up until recently everything went smoothly for me and ufw, but we hit some rough waters when I tried to block an IP range.
To block an IP or IP range in ufw you run:
sudo ufw deny from 188.162.67.197/21
But here is the catch. Only recent versions of ufw (and the one that ships with Ubuntu 8.04 isn’t among them) support inserting a rule at a given position. When you add a rule, it gets appended to the end of the chain, and iptables evaluates a chain from top to bottom with the first matching rule deciding. So if you already had a rule that allows everyone to connect to your server on port 80, that rule also matches the IP range you’re trying to block, and the deny rule below it is never reached.
As it’s impossible to foresee all the rules you might use, one has to resort to deleting every rule that needs overriding and re-adding it so it ends up after the rule that blocks the IP range. I disliked that idea and looked for a simpler solution.
The easiest method I’ve found was to manually edit ufw’s configuration:
sudo vim /var/lib/ufw/user.rules
And then move the rule I’ve added, which looks like this:
### tuple ### deny any any 0.0.0.0/0 any 188.162.67.197/21
-A ufw-user-input -s 188.162.67.197/21 -j DROP
above any other rules in the configuration file.
Afterwards, you’ll have to restart ufw so that it reloads its configuration:
sudo ufw disable
sudo ufw enable
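As an added illustration (not code from the original post), here is a small Python model of the first-match evaluation behind the problem above. It parses `### tuple ###` lines in the format the post shows, evaluates a packet against the two rules in appended order and after moving the deny to the top, and also turns an inclusive address range into the CIDR prefix ufw accepts. The rule lines and packet addresses are constructed, and the tuple field order is assumed from the single line in the post.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port or "any"
    dst: ipaddress.IPv4Network
    sport: str    # source port or "any"
    src: ipaddress.IPv4Network


def parse_tuple(line: str) -> Rule:
    """Parse a '### tuple ###' line from /var/lib/ufw/user.rules.
    Field order (action proto dport dst sport src) is assumed from the line
    shown in the post; anything after the sixth field is ignored.
    strict=False because the prefix is written as typed (188.162.67.197/21)
    and the kernel masks the host bits, giving 188.162.64.0/21."""
    f = line.split("### tuple ###", 1)[1].split()
    action, proto, dport, dst, sport, src = f[:6]
    return Rule(action, proto, dport, ipaddress.ip_network(dst, strict=False),
                sport, ipaddress.ip_network(src, strict=False))


def first_match(rules, src, dport, proto="tcp", dst="203.0.113.10"):
    """Walk the chain top to bottom the way iptables does: the first rule
    matching the packet decides. None means nothing matched and ufw's
    default policy would apply."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in ("any", proto) and r.dport in ("any", str(dport))
                and s in r.src and d in r.dst):
            return r.action
    return None


# Constructed user.rules excerpt: an earlier 'allow 80/tcp' plus the deny
# from the post, in the order an old ufw appends them.
APPENDED = [parse_tuple(l) for l in (
    "### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0",
    "### tuple ### deny any any 0.0.0.0/0 any 188.162.67.197/21",
)]
# The same rules after moving the deny to the top of the file.
REORDERED = [APPENDED[1], APPENDED[0]]


def range_to_cidrs(first: str, last: str):
    """Express an inclusive address range as the CIDR prefixes ufw accepts."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    print(first_match(APPENDED, "188.162.64.5", 80))   # allow: deny never reached
    print(first_match(REORDERED, "188.162.64.5", 80))  # deny
    print(range_to_cidrs("210.80.32.0", "210.80.63.255"))  # ['210.80.32.0/19']
```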
Good post. I had to write my own script to delete and then re-append all my rules.
You can perform the following command in ufw.
ufw insert 1 deny from 1.2.3.4
and it will be inserted at the beginning of the list. The rules are numbered, so you can see them by typing
ufw status numbered
and also delete a numbered rule with
ufw delete 1
No need to delete everything and reinput
I am writing a Perl program that simply deletes all of the entries in the numbered status output .. then re-adds all of the IP ranges from a list of countries I don’t want spamming my web page with bullshit, then adds the allow rules I want to keep .. put it on a cronjob that runs once a week and dynamically loads the country IP ranges from http://www.nirsoft.net/countryip/index.html It’s dynamic because IP addresses change and I don’t want the headaches of keeping a banned range after it expires..
This post helped in understanding how to enter the command so it captures a range. .. or I think it did anyway. If I want to ban the range 210.80.32.0 to 210.80.63.255 All I have to do is enter ?