I am running Ubuntu 18 on a DO droplet with Nginx.
I have set up a deny rule for the IP range xxx.xxx.xxx.0/24.
This is added as rule #1 in UFW to make sure the order is correct and this rule will be processed first.

However, we still see IP addresses from that range hitting the website.
How is that possible? What is wrong here?


4 answers

Hi, what's the output of "ufw status"?

Things to check:

  1. Do the IP addresses fall within the subnet rule (xxx.xxx.xxx.0/24)? Any typos in the rule?
  2. Does the traffic protocol match the rule (TCP vs UDP)?
  3. What’s the port on which the traffic originates? Is it blocked/covered by the firewall rule?
  4. Is the firewall enabled? :)

@maximization,
Please see my answers to your questions below:

  1. Yes, all the mentioned IPs fall within that subnet.
  2. The rule is DENY on any protocol/port.
  3. No port available, as the info is from StatCounter, but that is not really relevant since it's normal HTTP traffic and those IPs are blocked for ALL.
  4. Yes, checked several times, and reloaded UFW just for good measure.

Output of "ufw status", where you can see that the rule is listed at the top as #1:

To                         Action      From

Anywhere                   DENY        199.83.232.0/24
Anywhere                   DENY        31.28.163.0/24
Anywhere                   DENY        88.99.145.83
Anywhere                   DENY        49.248.18.252
Anywhere                   DENY        178.154.200.0/24
Anywhere                   DENY        111.206.198.0
Anywhere                   DENY        85.10.202.243
Anywhere                   DENY        65.154.226.220
Anywhere                   DENY        65.154.226.200
Anywhere                   DENY        65.154.226.100
Anywhere                   DENY        88.99.245.93
22/tcp                     LIMIT       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)

Hello, we do not use Docker. This is a straightforward DO droplet with Ubuntu 18 installed for website hosting.

Output of "iptables -nvL":

Chain INPUT (policy DROP 386 packets, 53604 bytes)
pkts bytes target prot opt in out source destination
7027K 807M f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
19M 5424M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
19M 5424M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
1385K 115M ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
1227K 107M ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
1227K 107M ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
1227K 107M ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3 packets, 800 bytes)
pkts bytes target prot opt in out source destination
22M 20G ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
22M 20G ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
284K 20M ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
284K 20M ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
284K 20M ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
284K 20M ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
4737K 638M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
6 468 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
1 28 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
8 356 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
2428 125K ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
1 28 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
1 28 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
4023 305K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
540 39852 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
62434 29M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1624 631K ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1624 631K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
714 54532 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
14487 1097K ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
14487 1097K ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
540 39852 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
78966 99M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
826 55407 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
1546 627K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
20 800 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
14487 1097K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
2445 126K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
704 45428 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
48 3698 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 199.83.232.0/24 0.0.0.0/0
0 0 DROP all -- * * 31.28.163.0/24 0.0.0.0/0
4 240 DROP all -- * * 88.99.145.83 0.0.0.0/0
0 0 DROP all -- * * 49.248.18.252 0.0.0.0/0
0 0 DROP all -- * * 178.154.200.0/24 0.0.0.0/0
0 0 DROP all -- * * 111.206.198.0 0.0.0.0/0
0 0 DROP all -- * * 85.10.202.243 0.0.0.0/0
0 0 DROP all -- * * 65.154.226.220 0.0.0.0/0
0 0 DROP all -- * * 65.154.226.200 0.0.0.0/0
0 0 DROP all -- * * 65.154.226.100 0.0.0.0/0
0 0 DROP all -- * * 88.99.245.93 0.0.0.0/0
1318 77152 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
2 112 ufw-user-limit tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
1316 77040 ufw-user-limit-accept tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2510 140K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
566 31868 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain ufw-user-limit (1 references)
pkts bytes target prot opt in out source destination
2 112 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
2 112 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (1 references)
pkts bytes target prot opt in out source destination
1316 77040 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination

  • I can't spot anything weird. Could it be that the connections were already established when you added the IP rules? UFW will only block new connections; existing connections will be allowed as per this rule: "62434 29M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED".

    You can enable UFW logging with "ufw logging on" and check your logs in /var/log/ufw*. If you find a log line with an IP that should've been blocked, the clue as to why it was allowed should be in there. You can post it here and I can look with you.
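The two diagnostics suggested in this thread, whether an address really falls inside a denied subnet (first answer, check 1) and what the UFW log lines say about it (the answer above), as an added Python check that is not from the thread. The deny list is the one from the "ufw status" output above; the log lines are constructed in the shape rsyslog writes UFW kernel messages, and 10.0.0.5 and 203.0.113.7 are placeholder addresses.

```python
import ipaddress
import re

# Sources denied in the `ufw status` output quoted in the thread.
DENIED = [ipaddress.ip_network(n) for n in (
    "199.83.232.0/24", "31.28.163.0/24", "88.99.145.83",
    "49.248.18.252", "178.154.200.0/24", "111.206.198.0",
)]

# Constructed sample lines in the shape rsyslog writes UFW kernel messages to
# /var/log/ufw.log (addresses illustrative). ALLOW lines need logging level medium+.
SAMPLE_LOG = """\
Mar  3 10:01:02 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=199.83.232.17 DST=10.0.0.5 PROTO=TCP SPT=51212 DPT=80 SYN
Mar  3 10:01:05 web kernel: [UFW ALLOW] IN=eth0 OUT= SRC=31.28.163.9 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=443 SYN
Mar  3 10:01:07 web kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=80 SYN
Mar  3 10:01:09 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=88.99.145.83 DST=10.0.0.5 PROTO=TCP SPT=40003 DPT=22 SYN
"""

LINE_RE = re.compile(
    r"\[UFW (?P<action>[A-Z ]+?)\].*?\bSRC=(?P<src>[0-9.]+)"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)

def denied_by(src):
    """Return the deny entry covering src, or None (check #1 in the first answer)."""
    ip = ipaddress.ip_address(src)
    return next((net for net in DENIED if ip in net), None)

def audit(log_text):
    """(action, src, deny entry, dport) for each UFW log line whose source is on
    the deny list; an ALLOW in this list is the anomaly to explain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        net = denied_by(m["src"])
        if net is not None:
            dport = int(m["dpt"]) if m["dpt"] else None
            hits.append((m["action"], m["src"], str(net), dport))
    return hits

def leaks(log_text):
    """Only the denied sources that were nevertheless allowed through."""
    return [hit for hit in audit(log_text) if hit[0] == "ALLOW"]

if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print(hit)
```

Run it against the real file with `audit(open("/var/log/ufw.log").read())`; any ALLOW entry it returns is the log line the answer above asks for.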

Hello maximization, alright, that is a very good tip and easy to implement to check what is going on. Although there was no established connection already there from those IPs, at least we can now start logging to see why this is happening. Hopefully we can solve the issue after seeing enough log info; if not, I will post the log file info here.
Thank you again.
