I'm currently trying to block several entire /8 networks from an Ubuntu 22.04 machine running GoPhish. The idea here is to prevent GoPhish's links from being clicked by email snooping technologies. Here is my UFW status output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 172.16.99.13 443/tcp       DENY IN     34.0.0.0/8
[ 2] 172.16.99.13 443/tcp       DENY IN     35.0.0.0/8
[ 3] 172.16.99.13 443/tcp       DENY IN     18.0.0.0/8
[ 4] 172.16.99.13 443/tcp       DENY IN     13.0.0.0/8
[ 5] 443                        DENY IN     34.220.0.0/16
[ 6] 443                        DENY IN     34.218.0.0/16
[ 7] 443                        DENY IN     34.214.0.0/16
[ 8] 443                        DENY IN     34.0.0.0/8
[ 9] Anywhere                   DENY IN     40.92.0.0/15
[10] Anywhere                   DENY IN     54.0.0.0/8
[11] Anywhere                   DENY IN     52.0.0.0/8
[12] Anywhere                   DENY IN     44.0.0.0/8
[13] Anywhere                   DENY IN     40.88.0.0/13
[14] Anywhere                   DENY IN     35.0.0.0/8
[15] Anywhere                   DENY IN     34.0.0.0/8
[16] Anywhere                   DENY IN     18.0.0.0/8
[17] 22/tcp                     ALLOW IN    10.10.4.76
[18] 22/tcp                     ALLOW IN    172.16.100.2
[19] Anywhere                   DENY IN     193.105.73.213
[20] 80                         ALLOW IN    Anywhere
[21] 443                        ALLOW IN    Anywhere
[22] 9443                       ALLOW IN    Anywhere
[23] 22/tcp                     ALLOW IN    10.10.60.195
[24] 22 (v6)                    DENY IN     Anywhere (v6)
[25] 80 (v6)                    ALLOW IN    Anywhere (v6)
[26] 443 (v6)                   ALLOW IN    Anywhere (v6)
[27] 9443 (v6)                  ALLOW IN    Anywhere (v6)
I've tried to add the rules using both
sudo ufw insert 1 deny proto tcp from 34.0.0.0/8 to 172.16.99.13 port 443
and
sudo ufw insert 1 deny from 34.0.0.0/8 to any port 443
and
sudo ufw insert 1 deny from 34.0.0.0/8
But...to no avail. Here is the clicked link from GoPhish's logs:
time="2022-11-29T12:06:00Z" level=info msg="34.220.27.161 - - [29/Nov/2022:12:06:00 +0000] \"GET /?keyname=mUu3UNs HTTP/1.1\" 200 19101 \"\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36\""
What am I doing wrong here? I've checked the priority of the rules and everything appears to be fine.
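
Added example, not part of the original post: a Python check of the rule-priority claim above. It parses a subset of the numbered rules, extracts the client address from the GoPhish log line, and returns the first rule that matches when the list is walked top-down, which is how ufw evaluates it. The function names are hypothetical, and 172.16.99.13 is assumed to be the address the request arrives on, as rules 1-4 suggest.

```python
import ipaddress
import re

# Subset of the numbered rules from the status output above, original order kept.
STATUS = """\
[ 1] 172.16.99.13 443/tcp DENY IN 34.0.0.0/8
[ 5] 443 DENY IN 34.220.0.0/16
[15] Anywhere DENY IN 34.0.0.0/8
[17] 22/tcp ALLOW IN 10.10.4.76
[21] 443 ALLOW IN Anywhere
[26] 443 (v6) ALLOW IN Anywhere (v6)
"""
# Log line from the post, trimmed after the response size.
LOG = r'time="2022-11-29T12:06:00Z" level=info msg="34.220.27.161 - - [29/Nov/2022:12:06:00 +0000] \"GET /?keyname=mUu3UNs HTTP/1.1\" 200 19101"'
RULE_RE = re.compile(r"\[\s*(\d+)\]\s+(.+?)\s+(ALLOW|DENY|REJECT|LIMIT) IN\s+(.+)")

def parse_rules(status):
    """Return IPv4 rules as (number, action, dst_net, port, proto, src_net)."""
    rules = []
    for line in status.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or "(v6)" in line:
            continue  # this example evaluates IPv4 rules only
        num, to, action, src = m.groups()
        dst, port, proto = None, None, ""
        for tok in to.split():
            if re.fullmatch(r"\d+(/\w+)?", tok):   # "443" or "443/tcp"
                port, _, proto = tok.partition("/")
            elif tok != "Anywhere":                 # destination address
                dst = ipaddress.ip_network(tok)
        src_net = None if src.startswith("Anywhere") else ipaddress.ip_network(src.strip())
        rules.append((int(num), action, dst, port, proto, src_net))
    return rules

def first_match(rules, src, dst, port, proto="tcp"):
    """Walk rules top-down; the first rule whose fields all match decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, dst_net, r_port, r_proto, src_net in rules:
        if ((src_net is None or s in src_net) and (dst_net is None or d in dst_net)
                and r_port in (None, str(port)) and r_proto in ("", proto)):
            return num, action
    return None  # no listed rule matched; the default policy would apply

def client_ip(log_line):
    """Extract the client address GoPhish logged at the start of msg=."""
    return re.search(r'msg="(\d+\.\d+\.\d+\.\d+) ', log_line).group(1)

if __name__ == "__main__":
    print(first_match(parse_rules(STATUS), client_ip(LOG), "172.16.99.13", 443))
```

The same check can be run against the full rule list by pasting the complete numbered output into `STATUS`.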