UFW (Uncomplicated Firewall) is a front-end for iptables and is particularly well-suited for a single server or host-based firewalls. It is the default firewall configuration tool for Ubuntu Linux. UFW was developed with new sysadmins and ease of use in mind. It is a user-friendly way to create an IPv4 or IPv6 based firewall to protect the server. Let us see how to block an IP address with ufw on an Ubuntu server.
ufw block specific IP address
The syntax is:
sudo ufw deny from {ip-address-here} to any
To block or deny all packets from 192.168.1.5, enter:
sudo ufw deny from 192.168.1.5 to any
Block an IP address ufw
Instead of a deny rule, we can reject connections from an IP address as follows:
sudo ufw reject from 202.54.5.7 to any
Use reject when you want the other end (the attacker) to receive an explicit response that the port or IP is unreachable. Use deny for hosts (attackers) that should get no reply at all. In other words, reject sends a rejection response back to the source, while deny (the iptables DROP target) silently discards the packet and sends nothing at all.
Show firewall status including your rules
To verify the newly added rules, enter:
$ sudo ufw status numbered
OR
$ sudo ufw status
Fig.01: ufw firewall status
ufw block specific IP and port number
The syntax is:
ufw deny from {ip-address-here} to any port {port-number-here}
To block or deny the spammer's IP address 202.54.1.5 on port 80, enter:
sudo ufw deny from 202.54.1.5 to any port 80
Again verify with the following command:
$ sudo ufw status numbered
Sample outputs:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 192.168.1.10 80/tcp        ALLOW       Anywhere
[ 2] 192.168.1.10 22/tcp        ALLOW       Anywhere
[ 3] Anywhere                   DENY        192.168.1.5
[ 4] 80                         DENY IN     202.54.1.5
ufw deny specific IP, port number, and protocol
The syntax is:
sudo ufw deny proto {tcp|udp} from {ip-address-here} to any port {port-number-here}
For example, to block the hacker's IP address 202.54.1.1 from reaching TCP port 22, enter:
$ sudo ufw deny proto tcp from 202.54.1.1 to any port 22
$ sudo ufw status numbered
ufw block subnet
The syntax is the same, with a subnet in CIDR notation as the source:
$ sudo ufw deny proto tcp from sub/net to any port 22
$ sudo ufw deny proto tcp from 202.54.1.0/24 to any port 22
How do I delete blocked IP address or unblock an IP address again?
The syntax is:
$ sudo ufw status numbered
$ sudo ufw delete NUM
To delete rule number 4, enter:
$ sudo ufw delete 4
Sample outputs:
Deleting:
deny from 202.54.1.5 to any port 80
Proceed with operation (y|n)? y
Rule deleted
Tip: UFW NOT blocking an IP address
UFW (iptables) rules are applied in order of appearance, and inspection stops at the first match. So, for example, if a rule allows access to TCP port 22 (say, added with sudo ufw allow 22) and a later rule blocks an IP address (say, ufw deny proto tcp from 202.54.1.1 to any port 22), the earlier rule allowing port 22 is applied and the later rule blocking the hacker's IP address 202.54.1.1 never takes effect. It is all about the order. To avoid this problem, edit the /etc/ufw/before.rules file and add a "Block an IP Address" section after the "# End required lines" comment; rules in that file are evaluated before the rules added with the ufw command.
$ sudo vi /etc/ufw/before.rules
Find line that read as follows:
# End required lines
Append your rule to block spammers or hackers:
# Block spammers
-A ufw-before-input -s 178.137.80.191 -j DROP
# Block ip/net (subnet)
-A ufw-before-input -s 202.54.1.0/24 -j DROP
Save and close the file. Finally, reload the firewall:
$ sudo ufw reload
As noted below in the comment section, we can skip the whole process and use the following simple syntax:
$ sudo ufw insert 1 deny from {BADIPAddress-HERE}
$ sudo ufw insert 1 deny from 178.137.80.191 comment 'block spammer'
$ sudo ufw insert 1 deny from 202.54.1.0/24 comment 'Block DoS attack subnet'
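To see the ordering problem from the tip above without touching a live firewall, here is an added example (not from the original article) of a small first-match rule evaluator written in bash. It mimics how ufw walks its iptables input chain: the rule lines, the `first_match` function and the packets fed to it are all constructed for this demo, and it handles IPv4 sources only (single address, CIDR or "any").

```shell
#!/usr/bin/env bash
# Added example, not from the original article: a tiny first-match rule
# evaluator that mimics how ufw (iptables) walks its input chain, so the
# ordering problem above can be reproduced without a live firewall.
# Rule lines are constructed for this demo in the form:
#   ACTION PROTO SOURCE PORT     e.g. "ALLOW tcp any 22" or "DENY tcp 202.54.1.1 22"
# SOURCE is an IPv4 address, an IPv4 CIDR, or "any"; PROTO and PORT may be "any".

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# src_matches ADDR SPEC -> 0 if ADDR falls inside SPEC ("any", an address or a CIDR)
src_matches() {
  local addr=$1 spec=$2 bits=32 mask
  [ "$spec" = any ] && return 0
  case $spec in */*) bits=${spec#*/}; spec=${spec%/*} ;; esac
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$addr") & mask )) -eq $(( $(ip4_to_int "$spec") & mask )) ]
}

# first_match RULES SRC PROTO PORT -> prints the action of the first rule that
# matches the packet, or DEFAULT when nothing matches (ufw's default policy).
first_match() {
  local rules=$1 src=$2 proto=$3 port=$4 action rproto rsrc rport
  while read -r action rproto rsrc rport; do
    [ -n "$action" ] || continue
    { [ "$rproto" = any ] || [ "$rproto" = "$proto" ]; } || continue
    { [ "$rport" = any ] || [ "$rport" = "$port" ]; } || continue
    src_matches "$src" "$rsrc" || continue
    echo "$action"
    return 0
  done <<EOF
$rules
EOF
  echo DEFAULT
}

# The situation from the tip: "allow 22" was added first, the deny appended later.
appended_rules=$(printf 'ALLOW tcp any 22\nDENY tcp 202.54.1.1 22\n')
# What "ufw insert 1 deny ..." produces: the deny is evaluated before the allow.
inserted_rules=$(printf 'DENY tcp 202.54.1.1 22\nALLOW tcp any 22\n')

echo "deny appended after allow:   $(first_match "$appended_rules" 202.54.1.1 tcp 22)"  # ALLOW (block ineffective)
echo "deny inserted at position 1: $(first_match "$inserted_rules" 202.54.1.1 tcp 22)"  # DENY
echo "other host, inserted order:  $(first_match "$inserted_rules" 10.0.0.9 tcp 22)"    # ALLOW
```

The same evaluator shows why `insert 1` (or a DROP line in before.rules) works: once the deny sits in front of the allow, the blocked address never reaches the allow rule, while every other host still does.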
Blocking multiple IP address and subnets (CIDRs) with ufw
We can use different methods to block multiple IP addresses. Let us try a bash for loop as follows to block 5 IP addresses (the list may include subnets too):
# space-separated list of addresses; a subnet in CIDR notation works too
IPS="192.168.2.50 1.2.3.4 123.1.2.3 142.1.2.3 202.54.1.5/29"
for i in $IPS
do
    # insert at position 1 so no earlier allow rule shadows the deny
    sudo ufw insert 1 deny from "$i" comment "IP and subnet blocked"
done
Another option is to read all IP addresses from a text file. Create a new text file as follows using the cat command:
cat > blocked.ip.list
Append both IPs and sub/nets:
# block list created by nixCraft
203.1.5.6
204.5.1.7
45.146.164.157
2620:149:e0:6002::1f1
185.38.40.66
185.220.101.0/24
Run it as follows using a bash while loop:
while IFS= read -r block
do
    # skip blank lines and comments (such as the header line in the file),
    # which ufw would otherwise reject as a bad source address
    case $block in ''|\#*) continue ;; esac
    sudo ufw insert 1 deny from "$block"
done < "blocked.ip.list"
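As an added example that is not part of the original article, the loader below goes a step beyond the two loops above: it accepts entries one per line or space-separated (so it covers both the IPS="..." list and the blocked.ip.list file), strips comments, validates every entry as an IPv4/IPv6 address or CIDR before it reaches ufw, drops duplicates, and runs in dry-run mode by default. The `UFW_CMD` variable, the helper functions and the sample list are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: load a block list such as
# blocked.ip.list above, skipping comments and blank lines, validating each
# entry as an IPv4/IPv6 address or CIDR, dropping duplicates, and emitting one
# "ufw insert 1 deny" command per entry. Entries may be one per line or
# space-separated. UFW_CMD defaults to "echo" (dry run); set UFW_CMD="sudo ufw"
# to apply the rules for real.

set -f                      # no globbing: a stray '*' in the file stays literal
UFW_CMD=${UFW_CMD:-echo}

# valid_ipv4 A.B.C.D -> 0 for four decimal octets in 0..255
valid_ipv4() {
  local n=0 o
  local IFS=.
  for o in $1; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# valid_ipv6 -> 0 for up to 8 hex groups of at most 4 digits separated by ':'.
# A format sanity check, not a full RFC 4291 parser (it would accept two '::').
valid_ipv6() {
  local n=0 g
  case $1 in ''|*[!0-9A-Fa-f:]*) return 1 ;; *:*) ;; *) return 1 ;; esac
  local IFS=:
  for g in $1; do
    n=$((n + 1))
    case $g in ''|?|??|???|????) ;; *) return 1 ;; esac
  done
  [ "$n" -le 8 ]
}

# valid_entry ADDR[/PREFIX] -> 0 if ADDR is valid and PREFIX fits its family
valid_entry() {
  local addr=$1 plen='' max
  case $1 in
    */*) addr=${1%%/*}; plen=${1#*/}
         [ -n "$plen" ] || return 1
         case $plen in *[!0-9]*) return 1 ;; esac ;;
  esac
  case $addr in
    *:*) valid_ipv6 "$addr" || return 1; max=128 ;;
    *)   valid_ipv4 "$addr" || return 1; max=32 ;;
  esac
  [ -z "$plen" ] || [ "$plen" -le "$max" ]
}

# load_blocklist FILE -> runs "$UFW_CMD insert 1 deny from ENTRY" for every
# valid, unique entry; invalid tokens are reported on stderr and skipped.
load_blocklist() {
  local line tok seen='' added=0 bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                           # drop '#' comments
    for tok in $line; do                       # word-split on whitespace
      if ! valid_entry "$tok"; then
        printf 'skipping invalid entry: %s\n' "$tok" >&2
        bad=$((bad + 1))
        continue
      fi
      case " $seen " in *" $tok "*) continue ;; esac   # duplicate entry
      seen="$seen $tok"
      $UFW_CMD insert 1 deny from "$tok" comment 'blocklist'
      added=$((added + 1))
    done
  done < "$1"
  printf 'queued %d entries, skipped %d\n' "$added" "$bad" >&2
}

# write_demo_list FILE -> a constructed list: the article's sample entries plus
# a comment line, a two-entry line, a blank line, a duplicate and a bad address.
write_demo_list() {
  cat > "$1" <<'EOF'
# block list created by nixCraft
203.1.5.6
204.5.1.7 45.146.164.157   # two entries on one line
2620:149:e0:6002::1f1
185.38.40.66
185.220.101.0/24

185.38.40.66               # duplicate, skipped
999.1.1.1                  # invalid octet, skipped
EOF
}

demo=$(mktemp)
write_demo_list "$demo"
load_blocklist "$demo"      # dry run: prints six "insert 1 deny from ..." lines
rm -f "$demo"
```

Run it once as a dry run to inspect the commands it would issue, then run it again with UFW_CMD="sudo ufw" to apply them; a typo in the list is then caught by the validator instead of producing a half-applied set of rules.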
Conclusion
We learned how to block an IP address or network subnet/CIDR (Classless Inter-Domain Routing) using the ufw based firewall to protect our server from bad guys.
3 comments
Simple indeed. I’m still a fanboy of core commands because any command wrapper could be a target of a potential attacker, and altering a python3 script seems to be much easier than altering a binary.
How would you block the whole AS address space for a given AS the easiest way?
ufw insert 1 deny from {IP}
will insert the rule at the top, so you do not need to edit the `before.rules`
You probably want to use
ufw insert 1 reject from {IP}
Rationale: “insert 1” is required to avoid having an earlier rule allowing the connection. “reject” instead of “deny” makes it look like the port has been closed instead of looking like dropped packages.