Question

UFW not blocking IP range

I am running Ubuntu 18 on a DO droplet with Nginx. I have set up a deny rule for the IP range xxx.xxx.xxx.0/24. This is added as rule #1 in UFW to make sure the order is correct and this rule will be processed first.

However, we still see IP addresses from that range hitting the website. How is that possible? What is wrong here?

Hello maximization, alright, that is a very good tip and easy to implement to check what is going on. Although there was no established connection already there from those IPs, at least we can now start logging to see why this is happening. Hopefully we can solve the issue after seeing enough log info; if not, I will post the log file info here. Thank you again.

Hello, we do not use Docker. This is a straightforward DO droplet with Ubuntu 18 installed for website hosting.

Output of iptables:

```
Chain INPUT (policy DROP 386 packets, 53604 bytes)
 pkts bytes target                     prot opt in     out     source               destination
7027K  807M f2b-sshd                   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
  19M 5424M ufw-before-logging-input   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  19M 5424M ufw-before-input           all  --  *      *       0.0.0.0/0            0.0.0.0/0
1385K  115M ufw-after-input            all  --  *      *       0.0.0.0/0            0.0.0.0/0
1227K  107M ufw-after-logging-input    all  --  *      *       0.0.0.0/0            0.0.0.0/0
1227K  107M ufw-reject-input           all  --  *      *       0.0.0.0/0            0.0.0.0/0
1227K  107M ufw-track-input            all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target                     prot opt in     out     source               destination
    0     0 ufw-before-logging-forward all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-forward         all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward          all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-reject-forward         all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward          all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3 packets, 800 bytes)
 pkts bytes target                     prot opt in     out     source               destination
  22M   20G ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  22M   20G ufw-before-output          all  --  *      *       0.0.0.0/0            0.0.0.0/0
 284K   20M ufw-after-output           all  --  *      *       0.0.0.0/0            0.0.0.0/0
 284K   20M ufw-after-logging-output   all  --  *      *       0.0.0.0/0            0.0.0.0/0
 284K   20M ufw-reject-output          all  --  *      *       0.0.0.0/0            0.0.0.0/0
 284K   20M ufw-track-output           all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
 pkts bytes target                     prot opt in     out     source               destination
4737K  638M RETURN                     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target                     prot opt in     out     source               destination
    6   468 ufw-skip-to-policy-input   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    1    28 ufw-skip-to-policy-input   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    8   356 ufw-skip-to-policy-input   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
 2428  125K ufw-skip-to-policy-input   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    1    28 ufw-skip-to-policy-input   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    1    28 ufw-skip-to-policy-input   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target                     prot opt in     out     source               destination
    0     0 LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target                     prot opt in     out     source               destination
 4023  305K LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target                     prot opt in     out     source               destination
    0     0 ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward           all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target                     prot opt in     out     source               destination
  540 39852 ACCEPT                     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
62434   29M ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1624  631K ufw-logging-deny           all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 1624  631K DROP                       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
  714 54532 ACCEPT                     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
14487 1097K ufw-not-local              all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT                     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
14487 1097K ufw-user-input             all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target                     prot opt in     out     source               destination
  540 39852 ACCEPT                     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
78966   99M ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  826 55407 ufw-user-output            all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
 pkts bytes target                     prot opt in     out     source               destination
    0     0 LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target                     prot opt in     out     source               destination
 1546  627K RETURN                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
   20   800 LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target                     prot opt in     out     source               destination
14487 1097K RETURN                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 RETURN                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny           all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP                       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target                     prot opt in     out     source               destination
    0     0 DROP                       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target                     prot opt in     out     source               destination
 2445  126K DROP                       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target                     prot opt in     out     source               destination
    0     0 ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-track-forward (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target                     prot opt in     out     source               destination
  704 45428 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   48  3698 ACCEPT                     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target                     prot opt in     out     source               destination
    0     0 DROP                       all  --  *      *       199.83.232.0/24      0.0.0.0/0
    0     0 DROP                       all  --  *      *       31.28.163.0/24       0.0.0.0/0
    4   240 DROP                       all  --  *      *       88.99.145.83         0.0.0.0/0
    0     0 DROP                       all  --  *      *       49.248.18.252        0.0.0.0/0
    0     0 DROP                       all  --  *      *       178.154.200.0/24     0.0.0.0/0
    0     0 DROP                       all  --  *      *       111.206.198.0        0.0.0.0/0
    0     0 DROP                       all  --  *      *       85.10.202.243        0.0.0.0/0
    0     0 DROP                       all  --  *      *       65.154.226.220       0.0.0.0/0
    0     0 DROP                       all  --  *      *       65.154.226.200       0.0.0.0/0
    0     0 DROP                       all  --  *      *       65.154.226.100       0.0.0.0/0
    0     0 DROP                       all  --  *      *       88.99.245.93         0.0.0.0/0
 1318 77152                            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
    2   112 ufw-user-limit             tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
 1316 77040 ufw-user-limit-accept      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 2510  140K ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
  566 31868 ACCEPT                     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain ufw-user-limit (1 references)
 pkts bytes target                     prot opt in     out     source               destination
    2   112 LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    2   112 REJECT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (1 references)
 pkts bytes target                     prot opt in     out     source               destination
 1316 77040 ACCEPT                     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target                     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target                     prot opt in     out     source               destination
```

@maximization, please see my answers below to your questions:

  1. Yes, all the mentioned IPs fall within that subnet.
  2. The rule is DENY on any protocol/port.
  3. No port available, as the info is from statcounter, but that is not really relevant as it's normal HTTP traffic and those IPs are blocked for ALL.
  4. Yes, checked several times, and reloaded UFW just for good measure as well.

Output of UFW status, where you can see that the rule is listed at the top as #1:

```
To                         Action      From
Anywhere                   DENY        199.83.232.0/24
Anywhere                   DENY        31.28.163.0/24
Anywhere                   DENY        88.99.145.83
Anywhere                   DENY        49.248.18.252
Anywhere                   DENY        178.154.200.0/24
Anywhere                   DENY        111.206.198.0
Anywhere                   DENY        85.10.202.243
Anywhere                   DENY        65.154.226.220
Anywhere                   DENY        65.154.226.200
Anywhere                   DENY        65.154.226.100
Anywhere                   DENY        88.99.245.93
22/tcp                     LIMIT       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
```
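The iptables dump above shows why a correctly ordered UFW deny can still show 0 packets: the INPUT chain runs ufw-before-input, whose ACCEPT for ctstate RELATED,ESTABLISHED comes before the jump to ufw-user-input, so only new connections ever reach the user rules. The following is an added diagnostic, not code from the question or from UFW, that parses saved `iptables -nvL ufw-user-input` text, finds the first rule a given source address would hit, and flags a DROP whose counter has never moved. The sample chain and the test addresses are constructed from the rules shown in the question.

```python
import ipaddress
import re

# Constructed sample in `iptables -nvL ufw-user-input` layout, with the rules
# and counters from the question (not a live capture).
SAMPLE_CHAIN = """\
Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       199.83.232.0/24      0.0.0.0/0
    0     0 DROP       all  --  *      *       31.28.163.0/24       0.0.0.0/0
    4   240 DROP       all  --  *      *       88.99.145.83         0.0.0.0/0
    0     0 DROP       all  --  *      *       111.206.198.0        0.0.0.0/0
 2510  140K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
  566 31868 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
"""

# Columns: pkts bytes target prot opt in out source destination [extra matches]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)(.*)$")

def parse_chain(text):
    """Return the rules of one chain as dicts; the Chain/header lines are skipped."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        pkts, _, target, proto, src, _, extra = m.groups()
        port = re.search(r"dpt:(\d+)", extra)
        rules.append({"pkts": int(pkts), "target": target, "proto": proto,
                      # a bare host such as 111.206.198.0 becomes a /32 network
                      "src": ipaddress.ip_network(src, strict=False),
                      "dport": int(port.group(1)) if port else None})
    return rules

def first_match(rules, src_ip, proto="tcp", dport=80):
    """1-based index and rule that a packet would hit first, or (None, None)."""
    ip = ipaddress.ip_address(src_ip)
    for idx, r in enumerate(rules, 1):
        if (ip in r["src"] and r["proto"] in ("all", proto)
                and r["dport"] in (None, dport)):
            return idx, r
    return None, None

def diagnose(chain_text, src_ip, dport=80):
    """never_hit: the DROP covers the address but its counter is 0, so those
    packets were accepted before ufw-user-input was reached (for example by
    the RELATED,ESTABLISHED ACCEPT in ufw-before-input)."""
    idx, r = first_match(parse_chain(chain_text), src_ip, dport=dport)
    if r is None:
        return {"rule": None, "target": None, "never_hit": False}
    return {"rule": idx, "target": r["target"],
            "never_hit": r["target"] == "DROP" and r["pkts"] == 0}
```

Run it against the real chain with `diagnose(open("chain.txt").read(), "<client ip>")` after saving `iptables -nvL ufw-user-input` to chain.txt; a rule reported as never hit is a hint to enable UFW logging and compare the logged connections with the traffic the website sees.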