How to block an IP address with ufw on Ubuntu Linux server
In Ubuntu ufw program for managing a netfilter firewall as Iptables in RedHat/CentOS systems. This could manage Firewall in Linux and Ubuntu machines and provides an easy interface for managing from users.It has very flexible and easy syntax with many features like IPTables have. Ufw is default tool for Ubuntu.
ufw firewall has configuration files in /etc/ufw and default setting located in /etc/default/ufw.
How to start ufw
#ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup
After enabling ufw your ssh connection will not be closed but you cannot able to initiate any new connection from outside server because ufw default setting. we can edit this from /etc/default/ufw. same would come in /var/log/ufw.log file.
Jan 26 11:43:17 srv23 kernel: [10288.926715] [UFW BLOCK] IN=eth1 OUT= MAC=08:00:27:a2:4c:c7:08:i8:27:00:bh:c1:08:78 SRC=192.168.0.100 DST=192.168.0.118 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=5738 DF PROTO=TCP SPT=61412 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
To enable connection. Edit /etc/default/ufw for input connection
# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if # you change this you will most likely want to adjust your rules. DEFAULT_INPUT_POLICY="ACCEPT" # Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if # you change this you will most likely want to adjust your rules. DEFAULT_OUTPUT_POLICY="ACCEPT" # Set the default forward policy to ACCEPT, DROP or REJECT. Please note that # if you change this you will most likely want to adjust your rules DEFAULT_FORWARD_POLICY="ACCEPT"
In above output, derivatives changes to “ACCEPT” for input connection.After any change reload it once.
#ufw reload Firewall reloaded
Users can specify rules using either a simple syntax or a full syntax. The simple syntax only specifies the port and optionally the protocol to be allowed or denied on the host.
ufw allow 53
This rule will allow tcp and udp port 53 to any address on this host. To specify a protocol, append ‘/protocol’ to the port.
ufw allow 25/tcp
This will allow tcp port 25 to any address on this host. ufw will also check /etc/services for the port and protocol if
specifying a service by name.
ufw allow smtp
ufw supports both ingress and egress filtering and users may optionally specify a direction of either in or out for either
incoming or outgoing traffic. If no direction is supplied, the rule applies to incoming traffic. Eg:
ufw allow in http ufw reject out smtp
Users can also use a fuller syntax, specifying the source and destination addresses and ports. This syntax is loosely based
on OpenBSD’s PF syntax. For example:
ufw deny proto tcp to any port 80
This will deny all traffic to tcp port 80 on this host. Another example:
ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
This will deny all traffic from the RFC1918 Class A network to tcp port 25 with the address 192.168.0.1.
ufw deny proto tcp from 2001:db8::/32 to any port 25
This will deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host. IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
ufw allow proto tcp from any to any port 80,443,8080:8090
The above will allow all traffic to tcp ports 80, 443 and 8080-8090 inclusive. When specifying multiple ports, the ports list must be numeric, cannot contain spaces and must be modified as a whole. Eg, in the above example you cannot later try to delete just the ‘443’ port. You cannot specify more than 15 ports (ranges count as 2 ports, so the port count in the above example is 4).
Rules for traffic not destined for the host itself but instead for traffic that should be routed/forwarded through the firewall should specify the route keyword before the rule (routing rules differ significantly from PF syntax and instead take into account netfilter FORWARD chain conventions). For example:
ufw route allow in on eth1 out on eth2
This will allow all traffic routed to eth2 and coming in on eth1 to traverse the firewall.
ufw route allow in on eth0 out on eth1 to 126.96.36.199 port 80 proto tcp
This rule allows any packets coming in on eth0 to traverse the firewall out on eth1 to tcp port 80 on 188.8.131.52.
In addition to routing rules and policy, you must also setup IP forwarding. This may be done by setting the following in /etc/ufw/sysctl.conf:
then restarting the firewall:
ufw reload or ufw disable ufw enable
ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. When a limit rule is used, ufw will normally allow the connection but will deny connections if an IP address attempts to initiate 6 or more connections within 30 seconds. See http://www.debian-administration.org/articles/187 for details. Typical usage is:
ufw limit ssh/tcp
Sometimes it is desirable to let the sender know when traffic is being denied, rather than simply ignoring it. In these cases, use reject instead of deny. For example:
ufw reject auth
By default, ufw will apply rules to all available interfaces. To limit this, specify DIRECTION on INTERFACE, where DIRECTION is one of in or out (interface aliases are not supported). For example, to allow all new incoming http connections on eth0, use:
ufw allow in on eth0 to any port 80 proto tcp
To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:
ufw deny 80/tcp
Use this to delete it:
ufw delete deny 80/tcp
You may also specify the rule by NUM, as seen in the status numbered output. For example, if you want to delete rule number ‘3’, use:
ufw delete 3
If you have IPv6 enabled and are deleting a generic rule that applies to both IPv4 and IPv6 (eg ‘ufw allow 22/tcp’), deleting by rule number will delete only the specified rule. To delete both with one command, prefix the original rule with delete.
To insert a rule, specify the new rule as normal, but prefix the rule with the rule number to insert. For example, if you have four rules, and you want to insert a new rule as rule number three, use:
ufw insert 3 deny to any port 22 from 10.0.0.135 proto tcp
To see a list of numbered rules, use:
ufw status numbered
ufw supports multiple logging levels. ufw defaults to a loglevel of ‘low’ when a loglevel is not specified. Users may specify a loglevel with:
ufw logging LEVEL
LEVEL may be ‘off’, ‘low’, ‘medium’, ‘high’ and ‘full’. Log levels are defined as:
off disables ufw managed logging low logs all blocked packets not matching the default policy (with rate limiting), as well as packets matching logged rules medium log level low, plus all allowed packets not matching the default policy, all INVALID packets, and all new connections. All logging is done with rate limiting. high log level medium (without rate limiting), plus all packets with rate limiting full log level high without rate limiting Loglevels above medium generate a lot of logging output, and may quickly fill up your disk. Loglevel medium may generate a lot of logging output on a busy system. Specifying 'on' simply enables logging at log level 'low' if logging is currently not enabled.
ufw supports per rule logging. By default, no logging is performed when a packet matches a rule. Specifying log will log all new connections matching the rule, and log-all will log all packets matching the rule. For example, to allow and log all new ssh connections, use:
ufw allow log 22/tcp
Deny all access to port 53:
ufw deny 53
Allow all access to tcp port 80:
ufw allow 80/tcp
Allow all access from Local LAN networks to this host:
ufw allow from 10.0.0.0/8 ufw allow from 172.16.0.0/12 ufw allow from 192.168.0.0/16
Deny access to udp port 514 from host 184.108.40.206:
ufw deny proto udp from 220.127.116.11 to any port 514
Allow access to udp 18.104.22.168 port 5469 from 22.214.171.124 port 5469:
ufw allow proto udp from 126.96.36.199 port 5469 to 188.8.131.52 port 5469