Is there some way to ensure that this DENY IP rule goes in at the top? Not sure what I'm missing here...
According to the UFW documentation:
Advanced Blocking Rules
Blocking IP addresses is not so straightforward if you have an existing set of rules, as IPTABLES matches in order.
So if you started with default deny and added in port 80 for a public server:
sudo ufw allow 80
But then find IP address 111.222.3.44 is hacking your server:
sudo ufw deny 111.222.3.44
will do nothing (you allowed access with your first rule).
You need to edit /etc/ufw/before.rules and add a section "Block IP" after "Drop INVALID packets":
# (assuming no logging is desired, of course)
-A ufw-before-input -s 111.222.3.44 -j DROP
# drop INVALID packets
# uncomment to log INVALID packets
#-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW B$
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# Block IP
# This it is effective
-A ufw-before-input -s 111.222.3.44 -j DROP
You can find that information (and more) here:
https://help.ubuntu.com/community/UFW
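The before.rules edit described above, as an added example that is not from the thread or the UFW docs: it places the "# Block IP" section directly after the INVALID-state DROP line, adds it only once, and reports the resulting line order. The file path and the 111.222.3.44 address come from the thread; the helper names and the sample file are my own.

```shell
#!/bin/sh
# Added example (not from the thread): insert the "# Block IP" DROP rule
# into a ufw before.rules file directly after the "drop INVALID packets"
# line, so it is matched before any rule created with 'ufw allow'.
# The rule is added once; re-running leaves the file unchanged.
add_block_ip() {
    rules="$1"; ip="$2"
    # Already present: nothing to do.
    if grep -qF -- "-A ufw-before-input -s $ip -j DROP" "$rules"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v ip="$ip" '
        { print }
        # Anchor on the INVALID-state DROP line ufw ships in before.rules
        /^-A ufw-before-input -m conntrack --ctstate INVALID -j DROP/ && !inserted {
            print ""
            print "# Block IP"
            print "-A ufw-before-input -s " ip " -j DROP"
            inserted = 1
        }
    ' "$rules" > "$tmp" && cat "$tmp" > "$rules"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print "<line of INVALID drop> <line of block rule>" so the order can be
# checked: the second number must be larger than the first.
block_position() {
    rules="$1"; ip="$2"
    inv=$(grep -nF -- '--ctstate INVALID -j DROP' "$rules" | grep -v '^[0-9]*:#' | head -1 | cut -d: -f1)
    blk=$(grep -nF -- "-A ufw-before-input -s $ip -j DROP" "$rules" | head -1 | cut -d: -f1)
    echo "$inv $blk"
}

# Constructed stand-in for /etc/ufw/before.rules (not the real file),
# reduced to the lines this thread talks about; written to the given path.
write_sample_rules() {
    printf '%s\n' \
        '# drop INVALID packets' \
        '-A ufw-before-input -m conntrack --ctstate INVALID -j DROP' \
        '' \
        '# ok icmp codes for INPUT' \
        '-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT' > "$1"
}
```

Try it on a temp file written by write_sample_rules before pointing it at /etc/ufw/before.rules; after editing the real file, run sudo ufw reload so the chain picks up the change.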
Also keep in mind that if you manually edit and save the iptables rules they will not get re-installed after rebooting unless you take special care to restore them after the ufw and fail2ban rules, at which point you may as well not have those programs running since you are overriding them. So if you plan to keep using them then you cannot make a manual fix using iptables-restore as it is all-or-nothing.
If you figure out the steps to correct it with iptables commands then that set of commands could be applied after booting. I'd think it's much better to see if you can adjust the rules as suggested above within ufw and fail2ban to get them to co-operate.
fail2ban's documentation states that it is placed at the top of the chain. So, whether you're using iptables or not, fail2ban is the first "cop" to see and determine if the IP coming at it is a bad guy or not. You'd have to modify your fail2ban rules in order to control this.