
Re: ufw and blocking certain IP in and out



On Thu, May 28, 2020 at 11:56:10AM -0400, songbird wrote:
> Reco wrote:
> > 	Hi.
> >
> > On Thu, May 28, 2020 at 08:24:27AM -0400, songbird wrote:
> >>   it seems i have a mental block block of my own here where
> >> ufw is concerned...
> >> 
> >>   i tell it to block connections in and out from a certain
> >> IP but when i visit a certain website those connections are
> >> still happening.
> >
> > Can you show the resulting iptables rules (iptables-save format
> > preferred)? ufw output is terse, but hardly useful.
> 
>   sure, appended...

This rule is useless:

-A ufw-user-input -s 1.2.3.4/32 -j DROP

It's highly unlikely (and is complex in the case of the NAT) that
1.2.3.4 would establish a fresh connection to you. 
And it's the only usage of this rule considering that it is checked
after this one:

-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

I.e. you cannot use your "-s 1.2.3.4/32" rule to break an existing
connection. So, drop it, it won't work the way you need.


This rule is wrong, assuming that you're trying to prevent your browser
from connecting to 1.2.3.4:

-A ufw-user-output -s 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable

"-s" means "source", and it'll only work if you have the IP 1.2.3.4.

What you should use is:

-A ufw-user-output -d 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable

"-d" means destination.


I don't use ufw, so I cannot comment on how to specify "source" and
"destination" there.

Reco
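The two points above (an ESTABLISHED ACCEPT ahead of ufw-user-input shadows a
"-s" DROP for any existing connection, and an output rule must match on "-d",
not "-s") can be checked without touching a live firewall by replaying the
quoted rules through a first-match evaluator. The following Python is an added
example, not part of Reco's message and not ufw or iptables code. It assumes
the chain layout ufw actually installs (INPUT jumps to ufw-before-input, which
holds the conntrack ACCEPT and then jumps to ufw-user-input; OUTPUT likewise),
uses 1.2.3.4 as the placeholder address from the thread, and invents
192.0.2.10 as the local host's address.

```python
"""Replay a ufw-style iptables ruleset through netfilter first-match semantics.

Added example: the ruleset below is constructed to mirror the rules quoted in
the message and the chain order ufw installs; it is not a real dump.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed iptables-save excerpt.  1.2.3.4 is the placeholder from the
# thread; 192.0.2.10 (used further down) is an assumed local address.
RULES_AS_POSTED = """
-A INPUT -j ufw-before-input
-A OUTPUT -j ufw-before-output
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-user-input -s 1.2.3.4/32 -j DROP
-A ufw-user-output -s 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable
"""

# Same ruleset with the output rule matching on destination, as Reco suggests.
RULES_FIXED = RULES_AS_POSTED.replace(
    "-A ufw-user-output -s 1.2.3.4/32", "-A ufw-user-output -d 1.2.3.4/32")

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    chain: str
    target: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    ctstates: frozenset = frozenset()   # empty set means "no conntrack match"


@dataclass
class Packet:
    src: str
    dst: str
    ctstate: str   # NEW, ESTABLISHED or RELATED, as conntrack would classify it


def parse_rules(text: str) -> dict:
    """Parse the small subset of iptables-save syntax used above into chains."""
    chains: dict = {}
    for line in text.strip().splitlines():
        tok = line.split()
        rule = Rule(chain=tok[1], target=tok[tok.index("-j") + 1])
        if "-s" in tok:
            rule.src = ipaddress.ip_network(tok[tok.index("-s") + 1])
        if "-d" in tok:
            rule.dst = ipaddress.ip_network(tok[tok.index("-d") + 1])
        if "--ctstate" in tok:
            rule.ctstates = frozenset(tok[tok.index("--ctstate") + 1].split(","))
        chains.setdefault(rule.chain, []).append(rule)
    return chains


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.ctstates and pkt.ctstate not in rule.ctstates:
        return False
    return True


def verdict(chains: dict, chain: str, pkt: Packet) -> Optional[str]:
    """First matching terminal target wins.  A user chain that matches nothing
    returns to its caller; falling off the built-in chain yields None, which
    is where the chain policy would take over."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        sub = verdict(chains, rule.target, pkt)   # -j to a user chain
        if sub is not None:
            return sub
    return None


def demo() -> dict:
    """Run the three packets from the discussion through both rulesets."""
    posted, fixed = parse_rules(RULES_AS_POSTED), parse_rules(RULES_FIXED)
    reply_in = Packet("1.2.3.4", "192.0.2.10", "ESTABLISHED")   # data we asked for
    fresh_in = Packet("1.2.3.4", "192.0.2.10", "NEW")           # unsolicited SYN
    browser_out = Packet("192.0.2.10", "1.2.3.4", "NEW")        # our browser's SYN
    return {
        "reply_in_posted": verdict(posted, "INPUT", reply_in),     # ACCEPT: DROP never seen
        "fresh_in_posted": verdict(posted, "INPUT", fresh_in),     # DROP: the only case it works
        "browser_out_posted": verdict(posted, "OUTPUT", browser_out),  # None: -s never matches
        "browser_out_fixed": verdict(fixed, "OUTPUT", browser_out),    # REJECT with -d
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The evaluator is deliberately minimal (no ports, protocols or interfaces), but
it is enough to show why the inbound DROP only ever fires for a brand-new
connection from 1.2.3.4, and why the outbound rule silently falls through to
the chain policy until "-s" is changed to "-d".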

