How to block an IP address with ufw on Ubuntu Linux server

I am using UFW to manage firewall on my Ubuntu Linux 12.04/14.04 LTS server. I need to block a specific IP address from accessing my server. How do I block an IP address using ufw?

UFW (Uncomplicated Firewall) is a front-end for iptables and is particularly well-suited for a single server or host-based firewalls. It is the default firewall configuration tool for Ubuntu Linux. The UFW developed for a new sysadmin with ease use in mind. It is a user-friendly way to create an IPv4 or IPv6 based firewall to protect the server.

ufw block specific IP address

The syntax is:
sudo ufw deny from {ip-address-here} to any
To block or deny all packets from 192.168.1.5, enter:
sudo ufw deny from 192.168.1.5 to any

Show firewall status including your rules

Verify newly added rules, enter:
$ sudo ufw status numbered
OR
$ sudo ufw status

ufw block specific IP and port number

The syntax is:
ufw deny from {ip-address-here} to any port {port-number-here}
To block or deny spammers IP address 202.54.1.5 to port 80, enter:
sudo ufw deny from 202.54.1.5 to any port 80
Again verify with the following command:
$ sudo ufw status numbered
Sample outputs:

Status: active
 
	 To                         Action      From
	 --                         ------      ----
[ 1] 192.168.1.10 80/tcp        ALLOW       Anywhere
[ 2] 192.168.1.10 22/tcp        ALLOW       Anywhere
[ 3] Anywhere                   DENY        192.168.1.5
[ 4] 80                         DENY IN     202.54.1.5

ufw deny specific IP, port number, and protocol

The syntax is:
sudo ufw deny proto {tcp|udp} from {ip-address-here} to any port {port-number-here}
For example block hacker IP address 202.54.1.1 to tcp port 22, enter:
$ sudo ufw deny proto tcp from 202.54.1.1 to any port 22 $ sudo ufw status numbered

ufw block subnet

The syntax is same:
$ sudo ufw deny proto tcp from sub/net to any port 22 $ sudo ufw deny proto tcp from 202.54.1.0/24 to any port 22

How do I delete blocked IP address or unblock an IP address again?

The syntax is:
$ sudo ufw status numbered $ sudo ufw delete NUM
To delete rule number # 4, enter:
$ sudo ufw delete 4
Sample outputs:

Deleting:
 deny from 202.54.1.5 to any port 80
Proceed with operation (y|n)? y
Rule deleted

Tip: UFW NOT blocking an IP address

UFW (iptables) rules are applied in order of appearance, and the inspection ends immediately when there is a match. Therefore, for example, if a rule is allowing access to tcp port 22 (say using sudo ufw allow 22), and afterward another Rule is specified blocking an IP address (say using ufw deny proto tcp from 202.54.1.1 to any port 22), the rule to access port 22 is applied and the later rule to block the hacker IP address 202.54.1.1 is not. It is all about the order. To avoid such problem you need to edit the /etc/ufw/before.rules file and add a section to “Block an IP Address” after “# End required lines” section.
$ sudo vi /etc/ufw/before.rules
Find line that read as follows:

# End required lines

Append your rule to block spammers or hackers:

# Block spammers 
-A ufw-before-input -s 178.137.80.191 -j DROP
# Block ip/net (subnet) 
-A ufw-before-input -s 202.54.1.0/24 -j DROP

Save and close the file. Finally, reload the firewall:
$ sudo ufw reload
As noted below you can skip the whole process and use the following simple syntax:
$ sudo ufw insert 1 deny from {BADIPAddress-HERE} $ sudo ufw insert 1 deny from 178.137.80.191 comment 'block spammer' $ sudo ufw insert 1 deny from 202.54.1.0/24 comment 'Block DoS attack subnet'

This entry is 4 of 7 in the Uncomplicated Firewall (UFW) series. Keep reading the rest of the series:

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Your support makes a big difference:

I have a small favor to ask. More people are reading the nixCraft. Many of you block advertising which is your right, and advertising revenues are not sufficient to cover my operating costs. So you can see why I need to ask for your help. The nixCraft takes a lot of my time and hard work to produce. If everyone who reads nixCraft, who likes it, helps fund it, my future would be more secure. You can donate as little as $1 to support nixCraft:

3 comment

Simple indeed. I’m still a fanboy of core commands because any command wrapper could be a target of potential attacker and altering a python3 script seem to be much easier than altering a binary.

How would you block the whole AS address space for a given AS the easiest way?

ufw insert 1 deny from {IP}
will insert the rule at the top, so you do not need to edit the `before.rules`

You probably want to use
ufw insert 1 reject from {IP}

Rationale: “insert 1” is required to avoid having earlier rule allowing the connection. “reject” instead of “deny” makes it look like the port has been closed instead of looking like dropped packages.

P4 says:
January 19, 2016 at 9:06 pm
Simple indeed. I’m still a fanboy of core commands because any command wrapper could be a target of potential attacker and altering a python3 script seem to be much easier than altering a binary.
How would you block the whole AS address space for a given AS the easiest way?
Gregory says:
February 10, 2017 at 7:07 pm
ufw insert 1 deny from {IP}
will insert the rule at the top, so you do not need to edit the `before.rules`
Mikko Rantalainen says:
May 19, 2017 at 7:42 am
You probably want to use
ufw insert 1 reject from {IP}
Rationale: “insert 1” is required to avoid having earlier rule allowing the connection. “reject” instead of “deny” makes it look like the port has been closed instead of looking like dropped packages.

Have a question? Post it on our forum!