Blocking IP or whitelisting IP addresses with UFW

UFW is the acronym for the Uncomplicated Firewall application used to administer your firewall rules on Ubuntu, Debian, and Arch Linux. As you proactively manage your firewall to avoid cyberattacks, blocking internet protocol (IP) addresses or whitelisting only those IPs allowed are two different firewall management approaches that can assist you. Regardless of the approach, all system administrators want to manage the incoming network traffic and firewall security to stop bad actors with harmful intentions.

Key points

By reading this article, you will gain knowledge in the following areas:

  • Understanding the importance of blocking IP and whitelisting IP addresses.
  • Implementing and enabling the IP Blocking and IP Whitelisting features in UFW.
  • Blocking IP addresses using the deny or reject commands.
  • Whitelisting IP addresses using the allow command.
  • Deleting a UFW rule that was added in the past.
  • Reviewing the practical uses of the IP Blocking and IP Whitelisting features in UFW.

Understanding the importance of blocking IP and whitelisting IP addresses

Blocking IP and whitelisting IP addresses helps system administrators manage the quality of network traffic and reduce unwanted traffic. Undesirable traffic includes that from sources of Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks, for example.

What is IP Blocking?

IP Blocking is a method of preventing access to a server or website from a particular IP address. It is achieved by configuring a firewall application, such as UFW on Linux, with deny or reject rules written per IP address. The UFW firewall application supports the Linux distributions of Ubuntu, Debian, and Arch Linux. The essential reason why IP Blocking is used is to stop unwanted DDoS/DoS attacks and other hacking attempts.

What is IP Whitelisting?

IP Whitelisting, which can also be done on an Apache HTTP Server, or any web server for that matter, is the methodology of only allowing specific IP addresses or a list of specific IP addresses that are trusted in the network. Whitelisting IP addresses makes your environment secure by only allowing IPs that are part of your extended organization. Employing the concept of IP Whitelisting, you can better control access to servers, databases, and other resources on the network. To be clear, this method blocks all IPs except the IP addresses belonging to the network-based devices you define as trustworthy.

How do you implement the IP Blocking and IP Whitelisting features in UFW

UFW is the included firewall software that comes with the latest version of Ubuntu and Ubuntu Server. It lets you manage the internet filter and firewall rules on the OS. Before diving deep into how to use Uncomplicated Firewall, the first step is to make sure UFW is installed:

$ sudo apt-get install ufw

This command above installs the Uncomplicated Firewall on your system if it is not yet present. If present, it will just reinstall UFW on top of the existing installation. Setting up the UFW firewall configuration is a user-friendly process, which is a plus. Overall, UFW is a great security application for protecting the server by leveraging IPv4 and IPv6 protocols. Its proper setup and configuration should be high on the list of action items for all admins bringing a new Linux server online.

How do you enable UFW in Linux?

After the installation is completed, the first step is to enable UFW using the following command:

$ sudo ufw enable

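This command turns on the UFW firewall. UFW denies incoming connections by default, so if you manage the server over SSH, add the allow rule for your SSH port (covered in the whitelisting section below) before enabling the firewall, or your session can be cut off. Once UFW is enabled, you can perform the primary tasks of whitelisting IP addresses and blocking them as necessary.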

Blocking IP addresses using the deny or reject commands

When blocking IPs, you can employ the deny or reject commands.

Denying an IP address

The blocking of IP addresses in UFW is a very simple and straightforward process when using the deny command:

$ sudo ufw deny from <ip-address-here>

When using the deny command, you must specify the IP address that you want to block where you see the <ip-address-here> placeholder in the command snippet above. Once you provide the IP address, UFW blocks incoming traffic whose source address matches it.

For example, if you want to deny all the requests from the IP address 207.4.7.33, then the deny command will be written as follows:

$ sudo ufw deny from 207.4.7.33

Rejecting an IP address

The previous section showed how to deny an IP address. However, there is a difference between the denial and rejection of an IP address. With a reject rule, bad actors attacking via a particular port are still unable to connect to that port on the host system, but they receive a message stating that the port is unreachable. The significant difference between the two is that a reject rule sends a message back, whereas a deny rule silently drops the packet without sending a message:

$ sudo ufw reject from 203.5.3.33

How do you deny access through a port?

In UFW, you can also specify the protocol, such as TCP or UDP, when denying a port. The protocol is given after a forward slash character following the port value:

$ sudo ufw deny PORT/PROTOCOL

Suppose you want to block users from accessing port 3306, which is used for MySQL. MySQL listens on TCP, so the rule names tcp as the protocol:

$ sudo ufw deny 3306/tcp

How do you deny access to a specific IP address via a specific port?

There are many ways to protect your server from hackers. In this section, we will look at how to deny access to a specific IP via a specific port:

$ sudo ufw deny from IPADDRESS to DESTINATION port PORTNUMBER

In the above syntax, IPADDRESS is the source address to block, DESTINATION is the address on the host that it is trying to reach (any matches all of them), and PORTNUMBER is the port. Suppose you want to deny the IP address 192.4.5.3 access to port 22. You can use the following command:

$ sudo ufw deny from 192.4.5.3 to any port 22

In this way, you can deny a particular IP from accessing the port you specify. This method is very effective because it does not block the device entirely. It only targets the particular port and IP address for which we have created the UFW rule.

Whitelisting IP addresses using the allow command

Using UFW, we can easily allow connections to a port directly:

$ sudo ufw allow PORT

If you want to allow a particular port — allowing SSH port 22 in our example below — then the command will be:

$ sudo ufw allow 22

Allowing access for an IP address

The easy way to allow access to an IP address is to use the command below:

$ sudo ufw allow from <ip-address>

Remember to replace the <ip-address> placeholder with the actual value. Consider the below example where we want to whitelist a particular IP from outside or inside of the organization, where the IP address is 192.168.3.2:

$ sudo ufw allow from 192.168.3.2

This way, you can easily allow access or whitelist the IP.

How do you allow access to a particular port from a certain IP address

With this command below, you can easily allow a specific port from a certain IP address, and also you can provide the protocol:

$ sudo ufw allow from TARGET to DESTINATION port PORTNUMBER proto PROTOCOL

In the above command, TARGET is the source IP address for which you want to allow the connection. DESTINATION is the IP address that the TARGET is permitted to access, and PORTNUMBER is the port on the DESTINATION IP address that the TARGET can reach.

For example, if a user with IP address 192.158.4.3 wants to access the IP 192.78.3.2 using port 22, which is the SSH port, then the command will go in the following way:

$ sudo ufw allow from 192.158.4.3 to 192.78.3.2 port 22 proto tcp

This way, the TARGET can access the port as per the details above. Also, this method provides a bit more security than the very general example above it.

How do you allow incoming connections to a network interface

Suppose you are using a Liquid Web VPS. In this scenario, you will have a network interface from which you can configure the incoming connections. For example, you may want to add a particular IP address to your VPS eth0 interface. In that case, the following rule can be added to the interface eth0:

$ sudo ufw allow in on eth0 from 122.45.56.2

In this way, you can allow the IP address 122.45.56.2 to reach the VPS through the eth0 interface, and you will receive the following output confirmation that the new UFW rule was added:

Output:
 Rule Added

How do you delete a UFW rule once added?

This section looks at how to delete a UFW rule once it is created. Suppose you have created a UFW rule to allow or deny an IP address, and now you want to remove that rule. Repeat the rule exactly as it was added, interface included, after the delete keyword:

$ sudo ufw delete allow in on eth0 from 122.45.56.2

This command deletes the allow rule that we created in the above section. Another way to delete a UFW rule is via the numbered rules list:

$ sudo ufw status numbered

This command lists all the rules with a number in front of each one:

Output:
1	Anywhere		ALLOW	      122.45.56.2
2	Anywhere		DENY		203.5.3.33

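As you can see in the above output, the UFW rules appear in a numbered fashion, and you can delete a particular rule using its number via the following command. The remaining rules are renumbered after each deletion, so list them again before deleting another one by number: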

$ sudo ufw delete 1 
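
UFW evaluates rules from top to bottom and applies the first one that matches, so the order shown by the numbered list decides whether a block rule takes effect. The script below is an added example, not part of the original article: it goes a step beyond the text and scans `ufw status numbered` output for deny or reject rules that sit below a broader allow rule. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): find block rules that never fire.
# UFW checks rules top to bottom and stops at the first match, so a
# "deny from IP" listed below an "allow PORT" open to Anywhere is shadowed on that port.

# Constructed sample of `ufw status numbered` output, reusing the article's addresses.
sample_status() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     203.5.3.33
[ 3] 3306/tcp                   DENY IN     Anywhere
[ 4] 22/tcp                     REJECT IN   192.4.5.3
[ 5] 80/tcp                     DENY IN     192.4.5.3
EOF
}

# Reads numbered status on stdin and prints "BLOCK_NUM ALLOW_NUM" for each
# DENY/REJECT rule from a specific source that sits below an ALLOW rule open
# to Anywhere on an overlapping port. IPv6, outbound and interface-scoped
# rules are skipped to keep the comparison simple.
shadowed_blocks() {
  sed -n 's/^\[ *\([0-9][0-9]*\)] */\1 /p' | awk '
    /\(v6\)/ || NF != 5 || $4 != "IN" { next }
    {
      split($2, t, "/"); port = t[1]; proto = t[2]   # "22/tcp" -> 22, tcp
      if ($3 == "ALLOW" && $5 == "Anywhere") {
        n++; num[n] = $1; aport[n] = port; aproto[n] = proto
      } else if (($3 == "DENY" || $3 == "REJECT") && $5 != "Anywhere") {
        for (k = 1; k <= n; k++) {
          same_port  = (port == "Anywhere" || aport[k] == "Anywhere" || port == aport[k])
          same_proto = (proto == "" || aproto[k] == "" || proto == aproto[k])
          if (same_port && same_proto) print $1, num[k]
        }
      }
    }'
}

# Demo on the constructed sample: rules 2 and 4 are shadowed by rule 1.
sample_status | shadowed_blocks
```

On a live host, pipe `sudo ufw status numbered` into `shadowed_blocks`. A flagged block rule can be placed above the allow rule with `ufw insert`, which adds a rule at a given position in the list.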

Practical uses of the IP Blocking and IP Whitelisting features in UFW

Blocking and allowing IP addresses helps in protecting against unauthorized access. Blocking malicious IPs will prevent unwanted access to login pages and servers. Conservative IP rules help secure services that are crucial for your business. For example, database administrators may be whitelisted using IP details that give them access only to the MongoDB or MySQL service. As another example use case, web administrators may only be provided access to the HTTP and TCP ports.

Stay ahead of your potential online assailants by mitigating DDoS attacks with UFW. By definition, DDoS is a Distributed Denial of Service attack where multiple systems from the same place attack a particular server. By blocking their subnet, we can quickly stop the coordinated DDoS attack. By blocking malicious traffic and unwanted links, you can keep server resources safe. By employing UFW, you can improve and manage your remote access policies effectively, so that there is a clear abstraction on each level, adding more layers of security to your online infrastructure.

Managing Linux server security by blocking IP and whitelisting IP addresses

Whitelisting and blocking IP addresses is an integral part of managing the health and security profile of your Linux servers. UFW is a potent tool that helps us effectively manage IP addresses for the enhanced security presence we want. By learning and managing UFW, organizations can easily mitigate the threats that they expect — and often receive.

The level of security offered by UFW is required in modern times as cybersecurity threats are increasing day by day. So an excellent firewall application, strong firewall rules, and a good understanding of proven authentication methods are needed to keep your servers secure. Liquid Web provides a very easy-to-use dashboard and high-performance Linux servers that come hardened with world-class security infrastructure, applications, and policies. Partner with us on your next website to see how serious we are about securing your technology stack from end to end.

About the Author: Akshay Sunil
