Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: How do I block an IP range ?

  1. #1
    Join Date
    Jun 2012
    Beans
    310

    How do I block an IP range ?

    I want to block some IPs (deny them from accessing my computer and block everything from my computer to those IPs),what's the best way to do it?
    I take that the /etc/hosts file only works with actual domain names,not IPs,and wouldn't accept an IP range anyways,is that correct?
    I've added the IP range I want to block to ufw already,the rules have been added but then,when I look for connections with ss,the IP in question has a connection established nonetheless:what am I doing wrong ?
    If a program I have installed needs that connection,will it override the firewall settings ? I think it shouldn't,maybe I am overlooking something,as I know nothing about iptables and can barely add rules to ufw ?

  2. #2
    Join Date
    Jul 2011
    Beans
    3,037
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How do I block an IP range ?

    Maybe you should tell us how you configured ufw. Here are nice examples on how to configure ufw. Note that ufw is not enabled by default and has to be enabled explicitly.

    http://ubuntuforums.org/showthread.php?t=823741

  3. #3
    Join Date
    May 2008
    Location
    Ontario, Canada
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How do I block an IP range ?

    post
    Code:
    sudo iptables -L

  4. #4
    Join Date
    Jun 2012
    Beans
    310

    Re: How do I block an IP range ?

    I guess that below is the significant part from iptables

    Code:
    Chain ufw-user-input (1 references)
    target     prot opt source               destination         
    DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh 
    DROP       udp  --  anywhere             anywhere            udp dpt:ssh 
    DROP       tcp  --  212.48.8.140         ubuntu-desktop.local 
    DROP       udp  --  212.48.8.140         ubuntu-desktop.local 
    DROP       tcp  --  vps13662.ovh.net     ubuntu-desktop.local 
    DROP       udp  --  vps13662.ovh.net     ubuntu-desktop.local 
    DROP       all  --  212.48.8.140         ubuntu-desktop.local 
    DROP       tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds 
    DROP       udp  --  anywhere             anywhere            multiport dports netbios-ns,netbios-dgm 
    DROP       tcp  --  anywhere             anywhere            tcp dpt:nfs 
    DROP       udp  --  anywhere             anywhere            udp dpt:nfs 
    DROP       tcp  --  anywhere             anywhere            tcp dpt:7634 
    DROP       udp  --  anywhere             anywhere            udp dpt:7634 
    DROP       all  --  111.221.64.0/111.221.127.255  anywhere            
    DROP       all  --  213.199.160.0/213.199.191.255  anywhere            
    DROP       all  --  157.52.0.0/157.60.255.255  anywhere            
    DROP       all  --  65.52.0.0/65.55.255.255  anywhere            
    DROP       all  --  207.46.0.0/207.46.255.255  anywhere            
    DROP       all  --  anywhere             207.46.0.0/207.46.255.255 
    DROP       all  --  2.192.0.0/2.195.255.255  anywhere            
    DROP       all  --  anywhere             2.192.0.0/2.195.255.255 
    DROP       all  --  212.48.8.0/212.48.11.255  anywhere            
    DROP       all  --  anywhere             212.48.8.0/212.48.11.255 
    DROP       all  --  anywhere             151.75.0.0/151.75.255.255 
    DROP       all  --  151.75.0.0/151.75.255.255  anywhere            
    DROP       all  --  ip-78-141-128-0.dyn.luxdsl.pt.lu/78.141.191.255  anywhere            
    DROP       all  --  anywhere             ip-78-141-128-0.dyn.luxdsl.pt.lu/78.141.191.255 
    DROP       all  --  host204-13-162-127.oversee.net  anywhere            
    DROP       all  --  anywhere             host204-13-162-127.oversee.net 
    DROP       all  --  98.142.96.0/98.142.111.255  anywhere            
    DROP       all  --  anywhere             98.142.96.0/98.142.111.255 
    DROP       all  --  anywhere             host204-13-160-0.oversee.net/204.13.163.255 
    DROP       all  --  host204-13-160-0.oversee.net/204.13.163.255  anywhere            
    DROP       all  --  208.73.208.0/208.73.215.255  anywhere            
    DROP       all  --  anywhere             208.73.208.0/208.73.215.255 
    DROP       all  --  anywhere             213.135.251.0/213.135.251.255 
    DROP       all  --  213.135.251.0/213.135.251.255  anywhere            
    DROP       all  --  54.240.0.0/54.255.255.255  anywhere            
    DROP       all  --  anywhere             54.240.0.0/54.255.255.255 
    DROP       all  --  anywhere             ec2-23-20-0-0.compute-1.amazonaws.com/23.23.255.255 
    DROP       all  --  ec2-23-20-0-0.compute-1.amazonaws.com/23.23.255.255  anywhere            
    DROP       all  --  216.182.224.0/216.182.239.255  anywhere            
    DROP       all  --  anywhere             216.182.224.0/216.182.239.255 
    DROP       all  --  anywhere             213.199.160.0/213.199.191.255 
    
    
    Chain ufw-user-output (1 references)
    target     prot opt source               destination         
    DROP       all  --  ubuntu-desktop.local  212.48.8.140        
    DROP       tcp  --  ubuntu-desktop.local  212.48.8.140        
    DROP       udp  --  ubuntu-desktop.local  212.48.8.140        
    DROP       tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds 
    DROP       udp  --  anywhere             anywhere            multiport dports netbios-ns,netbios-dgm 
    DROP       tcp  --  anywhere             anywhere            tcp dpt:nfs 
    DROP       udp  --  anywhere             anywhere            udp dpt:nfs 
    DROP       tcp  --  anywhere             anywhere            tcp dpt:7634 
    DROP       udp  --  anywhere             anywhere            udp dpt:7634 
    DROP       all  --  anywhere             111.221.64.0/111.221.127.255 
    DROP       all  --  anywhere             213.199.160.0/213.199.191.255 
    DROP       all  --  anywhere             157.52.0.0/157.60.255.255 
    DROP       all  --  anywhere             65.52.0.0/65.55.255.255 
    DROP       all  --  anywhere             2.192.0.0/2.195.255.255
    what I would like to understand is why,for instance,whilst the
    213.199.160.0/213.199.191.255 range is apparently denied access by ufw (that's what I think,at the least) nonetheless when using skype an https connection to such IP is active,despite the fact that not only such program should only use port 21722 ,other connections should be blocked by the firewall anyways.
    Last edited by cogset; October 26th, 2012 at 09:17 PM.

  5. #5
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,506
    Distro
    Ubuntu Development Release

    Re: How do I block an IP range ?

    My guess it that there is a path around what you have shown. Even though I find ufw generated iptables hard to read, please show us the complete output from:
    Code:
    sudo iptables -v -x -n -L
    Is this computer also a router? If yes, please include:
    Code:
    sudo iptables -t nat -v -x -n -L
    Last edited by Doug S; October 26th, 2012 at 07:22 PM.

  6. #6
    Join Date
    Jun 2012
    Beans
    310

    Re: How do I block an IP range ?

    OK,so this is the complete output of iptables -L

    Code:
     sudo iptables -L
    
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ufw-before-logging-input  all  --  anywhere             anywhere            
    ufw-before-input  all  --  anywhere             anywhere            
    ufw-after-input  all  --  anywhere             anywhere            
    ufw-after-logging-input  all  --  anywhere             anywhere            
    ufw-reject-input  all  --  anywhere             anywhere            
    ufw-track-input  all  --  anywhere             anywhere            
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    ufw-before-logging-forward  all  --  anywhere             anywhere            
    ufw-before-forward  all  --  anywhere             anywhere            
    ufw-after-forward  all  --  anywhere             anywhere            
    ufw-after-logging-forward  all  --  anywhere             anywhere            
    ufw-reject-forward  all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ufw-before-logging-output  all  --  anywhere             anywhere            
    ufw-before-output  all  --  anywhere             anywhere            
    ufw-after-output  all  --  anywhere             anywhere            
    ufw-after-logging-output  all  --  anywhere             anywhere            
    ufw-reject-output  all  --  anywhere             anywhere            
    ufw-track-output  all  --  anywhere             anywhere            
    
    Chain ufw-after-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-input (1 references)
    target     prot opt source               destination         
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere            udp dpt:netbios-ns 
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere            udp dpt:bootps 
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere            udp dpt:bootpc 
    ufw-skip-to-policy-input  all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST 
    
    Chain ufw-after-logging-forward (1 references)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] ' 
    
    Chain ufw-after-logging-input (1 references)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] ' 
    
    Chain ufw-after-logging-output (1 references)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] ' 
    
    Chain ufw-after-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-forward (1 references)
    target     prot opt source               destination         
    ufw-user-forward  all  --  anywhere             anywhere            
    
    Chain ufw-before-input (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ufw-logging-deny  all  --  anywhere             anywhere            state INVALID 
    DROP       all  --  anywhere             anywhere            state INVALID 
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
    ACCEPT     icmp --  anywhere             anywhere            icmp source-quench 
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
    ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
    ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
    ufw-not-local  all  --  anywhere             anywhere            
    ACCEPT     all  --  base-address.mcast.net/4  anywhere            
    ACCEPT     all  --  anywhere             base-address.mcast.net/4 
    ufw-user-input  all  --  anywhere             anywhere            
    
    Chain ufw-before-logging-forward (1 references)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere            state NEW limit: avg 3/min burst 10 LOG level warning prefix `[UFW AUDIT] ' 
    
    Chain ufw-before-logging-input (1 references)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere            state NEW limit: avg 3/min burst 10 LOG level warning prefix `[UFW AUDIT] ' 
    
    Chain ufw-before-logging-output (1 references)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere            state NEW limit: avg 3/min burst 10 LOG level warning prefix `[UFW AUDIT] ' 
    
    Chain ufw-before-output (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ufw-user-output  all  --  anywhere             anywhere            
    
    Chain ufw-logging-allow (0 references)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] ' 
    
    Chain ufw-logging-deny (2 references)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] ' 
    
    Chain ufw-not-local (1 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL 
    RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type MULTICAST 
    RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST 
    ufw-logging-deny  all  --  anywhere             anywhere            limit: avg 3/min burst 10 
    DROP       all  --  anywhere             anywhere            
    
    Chain ufw-reject-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-reject-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-reject-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-skip-to-policy-forward (0 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere            
    
    Chain ufw-skip-to-policy-input (7 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere            
    
    Chain ufw-skip-to-policy-output (0 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain ufw-track-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-track-output (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere            state NEW 
    ACCEPT     udp  --  anywhere             anywhere            state NEW 
    
    Chain ufw-user-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-user-input (1 references)
    target     prot opt source               destination         
    DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh 
    DROP       udp  --  anywhere             anywhere            udp dpt:ssh 
    DROP       tcp  --  212.48.8.140         ubuntu-desktop.local 
    DROP       udp  --  212.48.8.140         ubuntu-desktop.local 
    DROP       tcp  --  vps13662.ovh.net     ubuntu-desktop.local 
    DROP       udp  --  vps13662.ovh.net     ubuntu-desktop.local 
    DROP       all  --  212.48.8.140         ubuntu-desktop.local 
    DROP       tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds 
    DROP       udp  --  anywhere             anywhere            multiport dports netbios-ns,netbios-dgm 
    DROP       tcp  --  anywhere             anywhere            tcp dpt:nfs 
    DROP       udp  --  anywhere             anywhere            udp dpt:nfs 
    DROP       tcp  --  anywhere             anywhere            tcp dpt:7634 
    DROP       udp  --  anywhere             anywhere            udp dpt:7634 
    DROP       all  --  111.221.64.0/111.221.127.255  anywhere            
    DROP       all  --  213.199.160.0/213.199.191.255  anywhere            
    DROP       all  --  157.52.0.0/157.60.255.255  anywhere            
    DROP       all  --  65.52.0.0/65.55.255.255  anywhere            
    DROP       all  --  207.46.0.0/207.46.255.255  anywhere            
    DROP       all  --  anywhere             207.46.0.0/207.46.255.255 
    DROP       all  --  2.192.0.0/2.195.255.255  anywhere            
    DROP       all  --  anywhere             2.192.0.0/2.195.255.255 
    DROP       all  --  212.48.8.0/212.48.11.255  anywhere            
    DROP       all  --  anywhere             212.48.8.0/212.48.11.255 
    DROP       all  --  anywhere             151.75.0.0/151.75.255.255
    and this is for iptables -v -x -n -L
    Code:
     sudo iptables -v -x -n -L
    
    Chain INPUT (policy DROP 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
        4247  4009413 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        4247  4009413 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
           8     4608 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
           0        0 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
           0        0 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
           0        0 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
           0        0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
           0        0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
           0        0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
           0        0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 2 packets, 80 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
        3714   331495 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        3714   331495 ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
         695    47240 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
         695    47240 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
         695    47240 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
         695    47240 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain ufw-after-forward (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain ufw-after-input (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:137 
           0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:138 
           0        0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139 
           0        0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
           8     4608 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67 
           0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 
           0        0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST 
    
    Chain ufw-after-logging-forward (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK] ' 
    
    Chain ufw-after-logging-input (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK] ' 
    
    Chain ufw-after-logging-output (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
          60     5038 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW ALLOW] ' 
    
    Chain ufw-after-output (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain ufw-before-forward (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain ufw-before-input (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
         150    10132 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        3835  3954492 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
           1       40 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
           1       40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 
           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4 
           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 
           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12 
           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
           2     1152 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
         259    43597 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
           0        0 ACCEPT     all  --  *      *       224.0.0.0/4          0.0.0.0/0           
         226    35859 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.0/4         
          33     7738 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain ufw-before-logging-forward (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW AUDIT] ' 
    
    Chain ufw-before-logging-input (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
          62     8023 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW AUDIT] ' 
    
    Chain ufw-before-logging-output (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
          64     4929 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW AUDIT] ' 
    
    Chain ufw-before-output (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
         150    10132 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
        2869   274123 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
         695    47240 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain ufw-logging-allow (0 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW ALLOW] ' 
    
    Chain ufw-logging-deny (2 references)
        pkts      bytes target     prot opt in     out     source               destination         
           1       40 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK] ' 
    
    Chain ufw-not-local (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type LOCAL 
         226    35859 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type MULTICAST 
          33     7738 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST 
           0        0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 
           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain ufw-reject-forward (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain ufw-reject-input (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain ufw-reject-output (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain ufw-skip-to-policy-forward (0 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain ufw-skip-to-policy-input (7 references)
        pkts      bytes target     prot opt in     out     source               destination         
           8     4608 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain ufw-skip-to-policy-output (0 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain ufw-track-input (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain ufw-track-output (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
         160     9600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
         533    37560 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    
    Chain ufw-user-forward (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain ufw-user-input (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
           0        0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:22 
           0        0 DROP       tcp  --  *      *       212.48.8.140         192.168.1.215       
           0        0 DROP       udp  --  *      *       212.48.8.140         192.168.1.215       
           0        0 DROP       tcp  --  *      *       46.105.8.220         192.168.1.215       
           0        0 DROP       udp  --  *      *       46.105.8.220         192.168.1.215       
           0        0 DROP       all  --  *      *       212.48.8.140         192.168.1.215       
           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445 
          25     3130 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 137,138 
           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2049 
           0        0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2049 
           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7634 
           0        0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:7634 
           0        0 DROP       all  --  *      *       111.221.64.0/111.221.127.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       213.199.160.0/213.199.191.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       157.52.0.0/157.60.255.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       65.52.0.0/65.55.255.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       207.46.0.0/207.46.255.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       0.0.0.0/0            207.46.0.0/207.46.255.255 
           0        0 DROP       all  --  *      *       2.192.0.0/2.195.255.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       0.0.0.0/0            2.192.0.0/2.195.255.255 
           0        0 DROP       all  --  *      *       212.48.8.0/212.48.11.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       0.0.0.0/0            212.48.8.0/212.48.11.255 
           0        0 DROP       all  --  *      *       0.0.0.0/0            151.75.0.0/151.75.255.255 
           0        0 DROP       all  --  *      *       151.75.0.0/151.75.255.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       78.141.128.0/78.141.191.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       0.0.0.0/0            78.141.128.0/78.141.191.255 
           0        0 DROP       all  --  *      *       204.13.162.127       0.0.0.0/0           
           0        0 DROP       all  --  *      *       0.0.0.0/0            204.13.162.127      
           0        0 DROP       all  --  *      *       98.142.96.0/98.142.111.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       0.0.0.0/0            98.142.96.0/98.142.111.255 
           0        0 DROP       all  --  *      *       0.0.0.0/0            204.13.160.0/204.13.163.255 
           0        0 DROP       all  --  *      *       204.13.160.0/204.13.163.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       208.73.208.0/208.73.215.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       0.0.0.0/0            208.73.208.0/208.73.215.255 
           0        0 DROP       all  --  *      *       0.0.0.0/0            213.135.251.0/213.135.251.255 
           0        0 DROP       all  --  *      *       213.135.251.0/213.135.251.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       54.240.0.0/54.255.255.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/54.255.255.255 
           0        0 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/23.23.255.255 
           0        0 DROP       all  --  *      *       23.20.0.0/23.23.255.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       216.182.224.0/216.182.239.255  0.0.0.0/0           
           0        0 DROP       all  --  *      *       0.0.0.0/0            216.182.224.0/216.182.239.255 
           0        0 DROP       all  --  *      *       0.0.0.0/0            213.199.160.0/213.199.191.255 
    
    Chain ufw-user-limit (0 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] ' 
           0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    
    Chain ufw-user-limit-accept (0 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain ufw-user-logging-forward (0 references)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain ufw-user-logging-input (0 references)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain ufw-user-logging-output (0 references)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain ufw-user-output (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 DROP       all  --  *      *       192.168.1.215        212.48.8.140        
           0        0 DROP       tcp  --  *      *       192.168.1.215        212.48.8.140        
           0        0 DROP       udp  --  *      *       192.168.1.215        212.48.8.140        
           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445 
           0        0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 137,138 
           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2049 
           0        0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2049 
           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7634 
           0        0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:7634 
           0        0 DROP       all  --  *      *       0.0.0.0/0            111.221.64.0/111.221.127.255 
           0        0 DROP       all  --  *      *       0.0.0.0/0            213.199.160.0/213.199.191.255 
           0        0 DROP       all  --  *      *       0.0.0.0/0            157.52.0.0/157.60.255.255 
           0        0 DROP       all  --  *      *       0.0.0.0/0            65.52.0.0/65.55.255.255 
           0        0 DROP       all  --  *      *       0.0.0.0/0            2.192.0.0/2.195.255.255
    I've also edited my first post because it wasn't correct-as for the other question,this computer isn't also a router.
    Last edited by cogset; October 26th, 2012 at 09:19 PM.

  7. #7
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,506
    Distro
    Ubuntu Development Release

    Re: How do I block an IP range ?

    Question: Are you testing new ufw rule sets (resulting in new iptables rules) without retsarting the computer? An established connection in the contrack table would be uneffected.

    There is a "related established" route around what you want. However, and unless I missed something, I didn't see a path around for a new outgoing connection.

    There are a bunch of rules in the ufw-user-input chain that are not needed, because there is no possible path via that rule. Example
    Code:
           0        0 DROP       all  --  *      *       0.0.0.0/0            207.46.0.0/207.46.255.255
    I don't use ufw, so don't know if it is possible, but if you really want blanket blocking of those IP addresses, you might want to check them first in the INPUT and OUTPUT chains, before any RELATED,ESTABLISHED bypasses. That is what I do in my iptables rule set.

  8. #8
    Join Date
    Jun 2012
    Beans
    310

    Re: How do I block an IP range ?

    Quote Originally Posted by Doug S View Post
    Question: Are you testing new ufw rule sets (resulting in new iptables rules) without retsarting the computer? An established connection in the contrack table would be uneffected.
    Well,I've observed that even after a reboot a connection from an IP range that should be blocked (according to a rule that has been successfully added before ) is established nonetheless-mostly so far I've seen this whilst using Skype (which,considering who is behind it,doesn't surprise me a great deal) but generally speaking I want to understand if specific programs can eventually override ufw user-set rules and how to prevent this.


    Quote Originally Posted by Doug S View Post
    There is a "related established" route around what you want. However, and unless I missed something, I didn't see a path around for a new outgoing connection.

    There are a bunch of rules in the ufw-user-input chain that are not needed, because there is no possible path via that rule. Example
    Code:
           0        0 DROP       all  --  *      *       0.0.0.0/0            207.46.0.0/207.46.255.255
    I don't use ufw, so don't know if it is possible, but if you really want blanket blocking of those IP addresses, you might want to check them first in the INPUT and OUTPUT chains, before any RELATED,ESTABLISHED bypasses. That is what I do in my iptables rule set.
    I know that I've also thrown in some quite pointless rules whilst experimenting with ufw ,however I would appreciate if the valid ones worked as I expected-which,if I got this one right,can't be really done in ufw and has to be done through iptables,which I find frankly kinda intimidating,to say the least.

  9. #9
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,506
    Distro
    Ubuntu Development Release

    Re: How do I block an IP range ?

    Could you say the specific address that is able to create the unwanted connection. I can not see the path in the OUTPUT chain for a NEW connection that would create the RELATED, ESTABLISHED by-pass on the INPUT chain. (I'm not saying it isn't there, just that I cann't see it).

    Do you see the unwanted address in the UFW log file (perhps in /var/log/syslog)? look for "UFW AUDIT"

  10. #10
    Join Date
    Jun 2012
    Beans
    310

    Re: How do I block an IP range ?

    Ok ,keeping in mind that I only have a minimal understanding of what is going on here,here's a couple of established connections that I regularly find with the ss command each time I use Skype,and both should belong to the IP ranges that I've denied in UFW,as far as I can see.
    So the question is,if these connections are actually needed by this program,and the UFW rules are valid,shouldn't I get an error message or something when using Skype,instead of having it work and the connections established bypassing the rules?
    In other words,are the rules I've set in UFW actually valid,and if so,is what am I seeing a limitation of UFW itself,meaning that to achieve what I'm after the use of iptables is mandatory?


    ESTAB 0 0 192.168.1.xxx:32991 157.56.192.142:https
    ESTAB 0 0 192.168.1.xxx:36280 78.141.179.16:12350

Page 1 of 2 12 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •