Score:0

How can some IP addresses bypass UFW rules? I get attacks from China and other places


I have an Apache web server running under Ubuntu 20.04 LTS.

I allowed the access to the website only to specific ranges of IP addresses.

Everything was working fine until I saw some requests (attacks) coming from not-allowed IP addresses (China, Singapore, USA, etc.) with sometimes some nasty requests.

I double and triple checked everything and those IP addresses do not belong to allowed ranges.

I checked everywhere I could on Google as well as through questions to chatGPT.

I am now out of leads to follow to identify the cause of this security issue.

What could the reasons be?

I even started again from scratch and the issue persists. And it's a real problem that UFW cannot correctly block all those IP addresses from unwanted areas.

UPDATE: As requested, here are examples of the added rules

80,443/tcp ALLOW IN 216.252.224.0/19

80,443/tcp ALLOW IN 217.11.32.0/20

80,443/tcp ALLOW IN 217.11.208.0/20

80,443/tcp ALLOW IN 217.14.64.0/20

80,443/tcp ALLOW IN 217.20.192.0/20

80,443/tcp ALLOW IN 217.22.128.0/20

80,443/tcp ALLOW IN 217.26.32.0/20

It's simply a long list of rules of the same kind.

Let's illustrate the problem with the following example of rule:

80,443/tcp ALLOW IN 216.252.224.0/19

The IP address range 216.252.224.0/19 represents a subnet with a netmask of 255.255.224.0, which allows for 8,192 unique IP addresses. In this case, the range spans from 216.252.224.0 to 216.252.255.255 (this is what chatGPT tells me). Those are the only IP addresses starting with 216.252.xx.xx I want to let go through.

So, if I get a visitor with the following IP: 216.252.xxx.xx which doesn't belong to the range, then this is a problem.
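As an added example (not code from the question or any answer), the following script checks the client addresses in an Apache access log against the ALLOW rules quoted above. The rule text is copied from the question; the log lines and client addresses are constructed for the example.

```python
# Added example: match observed client addresses against UFW ALLOW rules.
# Rule CIDRs are taken from the question; log lines below are constructed.
import ipaddress
import re

UFW_RULES = """\
80,443/tcp ALLOW IN 216.252.224.0/19
80,443/tcp ALLOW IN 217.11.32.0/20
80,443/tcp ALLOW IN 217.11.208.0/20
"""

# Constructed Apache combined-format lines; first field is the client address.
# If Apache logs a proxied address (mod_remoteip / X-Forwarded-For), this field
# is NOT the TCP peer that UFW filtered, so compare against the peer address instead.
ACCESS_LOG = """\
216.252.230.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512
216.252.10.9 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0
217.11.40.3 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def parse_allowed_networks(rules_text):
    """Extract the source CIDR of every 'ALLOW IN' rule."""
    nets = []
    for line in rules_text.splitlines():
        m = re.search(r"ALLOW IN\s+(\S+)", line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def range_summary(cidr):
    """First address, last address and size of a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def network_for(ip, nets):
    """Return the allowed network containing ip, or None if no rule covers it."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def unexpected_clients(log_text, nets):
    """Client addresses in the log that no ALLOW rule covers."""
    return [line.split()[0] for line in log_text.splitlines()
            if network_for(line.split()[0], nets) is None]
```

An address reported here was either not filtered by UFW on that path (for example a proxied request) or was admitted by a rule other than the ones listed, which is where the rule order and hit counters become worth reading.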

larsks
"I allowed the access to the website only to specific ranges of IP addresses." How did you do this? Can you show us your UFW rules?
A.B
Also if there's a reverse proxy that adds X-Forwarded-For in the path + something to handle this more or less transparently on apache (mod_remoteip) then UFW (ie: iptables) won't ever see the actual IP address.
Jean Nemarre
@larsks Sure. Here is a small portion of the rules: 80,443/tcp ALLOW IN 216.252.224.0/19 80,443/tcp ALLOW IN 217.11.32.0/20 80,443/tcp ALLOW IN 217.11.208.0/20 80,443/tcp ALLOW IN 217.14.64.0/20 80,443/tcp ALLOW IN 217.20.192.0/20 80,443/tcp ALLOW IN 217.22.128.0/20 80,443/tcp ALLOW IN 217.26.32.0/20
Jean Nemarre
@larsks As far as I understand things, since I am not an expert on the matter, all the IP addresses outside of the allowed ranges shouldn't make their way through UFW. It works great for most of the attempts, but some successfully go through. And I can't understand why and, more importantly, how to avoid it. All the other IPs are banned by default.
Jaromanda X
Can you add those rules to the question, where they will be a little easier to read?
Tim
Please add detail to your question, including the rules in a format that's simpler to read. Also consider adding AWS managed firewalls, such as security groups for whitelists, AWS WAF, etc, and you can use NACLs to deny access from specific IPs if required.
Jean Nemarre
@ Jaromanda X Done.
Jean Nemarre
@ Tim Thanks for those suggestions.
Score:0

It's impossible to answer definitively without knowing all your rules, but a couple of things to check:

Is your default rule allow or deny? If it's allow, do you have a deny rule that catches all traffic?

Rules are order-specific, so if you have an allow rule before a deny rule, the deny rule may exist in your firewall but will never be hit. I don't use UFW (preferring the underlying iptables directly). If you do

  sudo iptables -vnL 

it will list all the firewall rules for your main table; the first number on each line is the number of hits a firewall rule received. Looking at the order of the rules and which rules are being hit/not being hit will likely give you some clues as to where the problem is.

Jean Nemarre
Thanks a lot for your message and your suggestions. I had a look as you suggested but I can't see anything wrong. And the order of the rules seems ok as well. So I remain a little bit confused about what to do next...
Did you check if the default is deny or allow, and look at the counters for hits? If you are not using them for anything else, you may want to zero the counters and then rerun the rules after a short while to get a feel for them. You can do this with "iptables -Z"
Jean Nemarre
I checked the default and it is correctly "deny". I will do as you suggest. Thanks again for your valuable input, I really appreciate it.