I am trying to ban IPv6 address/block to accessing any part of my server with UFW,
but the usual that works for IPv4 does not work for IPv6
root@box:~# ufw insert 1 deny from 2001:41d0::/32
ERROR: Invalid position ‘1’
but IPv4 works great
root@box:~# ufw insert 1 deny from 188.165.0.0/16
Rule inserted
You cannot insert an IPv6 rule in position 1.
Instead simply do
ufw deny from IPv6addr
To add to this … in light of @murgero’s comment (thanks!)
do
ufw status numbered
which will give you a numbered list of the rules. From that list you can then insert your deny rule in the correct place by using the command you were initially but substituting the 1 with the correct position.
This is supposed to be incorrect. However a bug is preventing it (and has been for years it looks like)
a patch was just recently proposed to ubuntu for this:
IPv6 rules cannot be inserted before ay IPv4 rules for now. but this will change in the future.
(However this might be irrelevant as IPv6 IPs are not processed against IPv4 rules so a deny rule for IPv6 just needs to be insert before all other IPv6 rules)
Thank you @alento and @murgero.
It is working:
[105] Anywhere (v6) DENY IN 2001:41d0::/32
[106] 22 (v6) ALLOW IN Anywhere (v6)
[107] 53 (v6) ALLOW IN Anywhere (v6)
[108] 25/tcp (v6) ALLOW IN Anywhere (v6)
[109] 587 (v6) ALLOW IN Anywhere (v6)
[110] 993 (v6) ALLOW IN Anywhere (v6)
[111] 995 (v6) ALLOW IN Anywhere (v6)
[112] 4190/tcp (v6) ALLOW IN Anywhere (v6)
[113] 80 (v6) ALLOW IN Anywhere (v6)
[114] 443 (v6) ALLOW IN Anywhere (v6)