| | 208 | |
| | 209 | '''Block an IP Address''' |
| | 210 | |
| | 211 | To block all network connections that originate from a specific IP address, run the following command, replacing the highlighted IP address with the IP address that you want to block: |
| | 212 | {{{ |
| | 213 | sudo ufw deny from 203.0.113.100 |
| | 214 | }}} |
| | 215 | |
| | 216 | {{{ |
| | 217 | Output |
| | 218 | Rule added |
| | 219 | }}} |
| | 220 | In this example, from 203.0.113.100 specifies a source IP address of “203.0.113.100”. |
| | 221 | |
| | 222 | If you run sudo ufw status now, you’ll see the specified IP address listed as denied: |
| | 223 | {{{ |
| | 224 | Output |
| | 225 | Status: active |
| | 226 | |
| | 227 | To Action From |
| | 228 | -- ------ ---- |
| | 229 | Anywhere DENY 203.0.113.100 |
| | 230 | }}} |
| | 231 | |
| | 232 | '''Block a Subnet''' |
| | 233 | |
| | 234 | If you need to block a full subnet, you may use the subnet address as from parameter on the ufw deny command. This would block all IP addresses in the example subnet 203.0.113.0/24: |
| | 235 | {{{ |
| | 236 | sudo ufw deny from 203.0.113.0/24 |
| | 237 | }}} |
| | 238 | |
| | 239 | {{{ |
| | 240 | Output |
| | 241 | Rule added |
| | 242 | }}} |
| | 243 | |
| | 244 | '''Block Incoming Connections to a Network Interface ''' |
| | 245 | |
| | 246 | To block incoming connections from a specific IP address to a specific network interface, run the following command, replacing the highlighted IP address with the IP address you want to block: |
| | 247 | {{{ |
| | 248 | sudo ufw deny in on eth0 from 203.0.113.100 |
| | 249 | }}} |
| | 250 | |
| | 251 | The '''''in''''' parameter tells '''''ufw''''' to apply the rule only for incoming connections, and the on '''''eth0''''' parameter specifies that the rule applies only for the '''eth0''' interface. This might be useful if you have a system with several network interfaces (including virtual ones) and you need to block external access to some of these interfaces, but not all. |
