UFW not blocking IP address

Question

✓ Solved

UFW not blocking IP address

none

forresterj 2 years, 8 months ago

I am trying to block an IP address from my server.

ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere DENY IN 193.37.0.0/24
22/tcp ALLOW IN Anywhere
22 ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
80,443/tcp (Apache Full) ALLOW IN Anywhere
21 ALLOW IN Anywhere
443 ALLOW IN Anywhere
20,21,990/tcp ALLOW IN Anywhere
40000:50000/tcp ALLOW IN Anywhere

But when I check the Apache log:

193.37.223.134 - - [12/Mar/2022:19:47:56 -0500] "GET /view.php?r=4327+%2F%2A%2A%2F%2F%2A%2A%2FOR%2F%2A%2A%2FGTID_SUBSET%28CONCAT%280x35354971%2C%28SELECT%2F%2A%2A%2FMID%28IFNULL%28CAST%28COLUMN_NAME%2F%2A%2A%2FAS%2F%2A%2A%2FNCHAR%29%2C0x20%29%2C1%2C145%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.COLUMNS%2F%2A%2A%2FWHERE%2F%2A%2A%2FTABLE_SCHEMA%3D0x61686967686c616e64657273%2F%2A%2A%2FAND%2F%2A%2A%2FTABLE_NAME%3D0x62616e645f6d656d62657273%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x257761636874776f6f726425%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2…….

This is my output from iptables:

iptables -nL

Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 6/sec burst 1
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 6/sec burst 1
DROP icmp -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ufw-skip-to-policy-input all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ufw-user-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
ufw-not-local all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900
ufw-user-input all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ufw-user-output all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-http (0 references)
target prot opt source destination
ufw-http-logdrop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 #conn src/24 > 50
all -- 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: conn_per_ip side: source mask: 255.255.255.255
ufw-http-logdrop all -- 0.0.0.0/0 0.0.0.0/0 state NEW recent: UPDATE seconds: 10 hit_count: 20 name: conn_per_ip side: source mask: 255.255.255.255
all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: pack_per_ip side: source mask: 255.255.255.255
ufw-http-logdrop all -- 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 1 hit_count: 20 name: pack_per_ip side: source mask: 255.255.255.255
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-http-logdrop (3 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW HTTP DROP] "
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
DROP all -- 193.37.0.0/24 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 /* 'dapp_Apache%20Full' */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 20,21,990
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 40000:50000

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination

Can anyone see what I might have done wrong?

3 Replies

stevewi · Answer 1 · March 13, 2022, 2:03 a.m.

stevewi 2 years, 8 months ago

✓ Best Answer

193.37.223.134 is not part of the network 193.37.0.0/24:

193.37.0.0/24 = 193.37.0.0 - 193.37.0.255 (256 nodes)

What you probably meant was 193.37.223.0/24…

193.37.223.0/24 = 193.37.223.0 - 193.37.223.255 (256 nodes)

or 193.37.0.0/16

193.37.0.0/16 = 193.37.0.0 - 193.37.255.255 (65536 nodes)

-- sw

forresterj · Answer 2 · March 13, 2022, 2:18 a.m.

forresterj 2 years, 8 months ago

Oh I think you're right. I just wasn't paying attention. Thank you!

stevewi · Answer 3 · March 13, 2022, 2:37 a.m.

stevewi 2 years, 8 months ago

There's a way to do this in apache2:

<Directory "/the/path/to/your/directory">
    <RequireAll>
        Require all granted
        Require not ip 193.37.223.134
    </RequireAll>
</Directory>

I would probably do this instead of adding a special case to the firewall. You could use shell scripts or some such to manage the list of 'not ip xxx.xxx.xxx.xxx' directives.

See: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require

-- sw

Compute

Storage

Networking

Databases

Services

Developer Tools

Industries

Pricing

Community

Engage With Us

UFW not blocking IP address

ufw status verbose

iptables -nL

3 Replies

✓ Best Answer

Reply

Tips: