Blocking IP Range using UFW

Uncomplicated Firewall (ufw) is one of the best frontends to iptables I have encountered. It is very simple to use, and I only wish it were also available for Gentoo. Until recently everything went smoothly between me and ufw, but we hit some rough water when I tried to block an IP range.

To block a single IP or a whole range in ufw, give it the address in CIDR notation. Note that iptables masks off the host bits, so the rule below matches every address from 188.162.64.0 through 188.162.71.255, not only the host 188.162.67.197:

sudo ufw deny from 188.162.67.197/21

But here is the catch. Only recent versions of ufw support inserting a rule at a chosen position; the version that ships with Ubuntu 8.04 is not one of them. There, every new rule is appended to the end of the chain. Since iptables stops at the first rule that matches, a rule you added earlier that allows everyone to connect to port 80 also lets the range you are trying to block reach port 80; the deny rule sitting below it is never consulted for that traffic.

As it is impossible to foresee every rule you will ever need, one workaround is to delete each rule the deny has to override and re-add it afterwards, so that it ends up below the rule blocking the range. I disliked that idea and looked for a simpler solution.

The easiest method I found was to edit ufw's rules file by hand:

sudo vim /var/lib/ufw/user.rules

And then move the rule I had added, which looks like this (the tuple comment and the -A line belong together and move as a pair):

### tuple ### deny any any 0.0.0.0/0 any 188.162.67.197/21
-A ufw-user-input -s 188.162.67.197/21 -j DROP

above all the other rules in the file, since iptables evaluates the rules of a chain in the order they are listed and stops at the first match.

Afterwards you have to restart ufw so it reloads the rules file (newer versions also offer ufw reload for this). Then confirm with ufw status that the deny rule is now listed before the allow rules.

sudo ufw disable
sudo ufw enable
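The whole procedure as a script, added here as an example that is not part of the original post: reorder_deny_rules reads a user.rules-style file and writes it out with every deny (or reject) tuple, that is the "### tuple ###" comment plus its -A line, moved to the top of the rules section, which is exactly the manual edit described above, and cidr_range prints the first and last address an a.b.c.d/n prefix covers, so you can confirm what a rule such as deny from 188.162.67.197/21 actually matches. The sample rules file is constructed to resemble user.rules and is not a copy of a real one; the exact layout differs between ufw versions, so run the script on a copy of /var/lib/ufw/user.rules, diff the result, and only then install it and restart ufw.

```shell
#!/bin/sh
# Added example (not from the original post). Reorders a ufw user.rules-style
# file so that deny rules are evaluated before everything else, and shows what
# address range a CIDR prefix actually covers.
# Assumption: rules live between "### RULES ###" and "### END RULES ###" as
# pairs of a "### tuple ###" comment line and one "-A ..." line; the sample
# file below is constructed in that shape and is not a real user.rules.

# Print the first and last address covered by an a.b.c.d/n prefix.
cidr_range() {
    ip=${1%/*}; bits=${1#*/}; all=4294967295
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (all << (32 - bits)) & all ))      # needs 64-bit shell arithmetic
    lo=$(( n & mask )); hi=$(( lo | (~mask & all) ))
    printf '%d.%d.%d.%d-%d.%d.%d.%d\n' \
        $(( lo >> 24 & 255 )) $(( lo >> 16 & 255 )) $(( lo >> 8 & 255 )) $(( lo & 255 )) \
        $(( hi >> 24 & 255 )) $(( hi >> 16 & 255 )) $(( hi >> 8 & 255 )) $(( hi & 255 ))
}

# Rewrite a user.rules-style file (path in $1) to stdout with every deny or
# reject tuple moved to the top of the rules section. iptables stops at the
# first matching rule, so this is what makes the deny win over an earlier
# "allow 80" rule; everything outside the rules section passes through as is.
reorder_deny_rules() {
    awk '
        /^### RULES ###/     { in_rules = 1; print; print ""; next }
        /^### END RULES ###/ { in_rules = 0; printf "%s%s", deny, other; print; next }
        !in_rules            { print; next }
        /^### tuple ### /    { block = $0 "\n"; is_deny = ($4 == "deny" || $4 == "reject"); next }
        /^-A / && block != "" {
            block = block $0 "\n\n"
            if (is_deny) deny = deny block; else other = other block
            block = ""; next
        }
        /^ *$/               { next }            # blank separators are re-created above
        { other = other $0 "\n\n" }              # anything unexpected is kept, after the denies
    ' "$1"
}

# Constructed sample in the shape of user.rules: two allow rules added
# earlier, then the deny rule ufw appended last (so it never fires).
make_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:ufw-user-input - [0:0]
### RULES ###

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### deny any any 0.0.0.0/0 any 188.162.67.197/21
-A ufw-user-input -s 188.162.67.197/21 -j DROP

### END RULES ###
COMMIT
EOF
}

# Demonstration on the constructed sample; on a real host run
# reorder_deny_rules on a copy of /var/lib/ufw/user.rules, diff it,
# then install it and restart ufw.
tmp=$(mktemp)
make_sample_rules "$tmp"
reorder_deny_rules "$tmp"
cidr_range 188.162.67.197/21      # 188.162.64.0-188.162.71.255
rm -f "$tmp"
```

The script keys on the fourth word of the tuple comment, so an allow rule that merely mentions a source address stays where it was; only deny and reject tuples are hoisted, and their relative order is preserved.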

6 thoughts on “Blocking IP Range using UFW”

  1. good post. I had to write my own script to delete and then re-append all my rules.

  2. You can perform the following command in ufw.

    ufw insert 1 deny from 1.2.3.4
    and it will be inserted at the beginning of the list. The rules are numbered, so you can see them by typing
    ufw status numbered
    and also delete a numbered rules with
    ufw delete 1
    No need to delete everything and reinput

  3. I am writing a perl program that simply deletes all of the entries in the numbered status output, then re-adds all of the IP ranges from a list of countries I don't want spamming my web page with bullshit, then adds the allow rules I want to keep. Put it on a cronjob that runs once a week and dynamically loads the country IP ranges from http://www.nirsoft.net/countryip/index.html It's dynamic because IP addresses change and I don't want the headaches of keeping a banned range after it expires.

    This post helped in understanding how to enter the command so it captures a range, or I think it did anyway. If I want to ban the range 210.80.32.0 to 210.80.63.255, all I have to do is enter ?

  4. Wrong way, my friend. It is not an article about IP range blocking. Really your nice example is about one IP only, not a range. But yes, you write the word range. So, I don't know. Then, what do you think about: "The easiest method I've found about ... your sauce ... rules". I will never come back, but I hope you will be in trust.

  5. It blocks an IP range based on the netmask provided (the number after the ‘/’).

  6. How do I deny a set of IP address such as:
    133.45.x.y where x and y are all possibilities of IP addresses, i.e. x ranges from 0 to 255 and y ranges from 0 to 255?
    thanks,
    Phil
