This error drove me mad. I had searched the interwebs at least a few times for
it and couldn’t find a solution. All I wanted to do was block some script kiddie from scanning my server. I know the ufw
command I was entering was fine, because it always worked with IPv4 addresses.
For those that aren’t familiar, ufw is the “Uncomplicated Firewall”. It provides an easy to use interface for iptables. It’s available on Ubuntu and comes installed by default.
The command in question was ufw insert 1 deny from ::1, where ::1 was the IPv6 address I had intended to block. For the life of me, I couldn’t figure out why the command would work fine with IPv4 addresses and then bark about the invalid position for IPv6 addresses.
After some experimentation with other positions, which all errored, I came to
realize that the damn thing doesn’t let you insert an IPv6 address before the
IPv4 addresses. The reason I insert the new blocks in the first position is
because at one point I wasn’t, and the block rules were after the allow rules
and it nullified the block entirely.
So what’s a boy to do? Once I realized what was going on, I just kept jumping
the position number by ten until I got it to insert and not error. Brute force,
FTW. It’s a pretty manageable way to go about things when you’re not
maintaining a bunch of servers.
Next step would be to write a script that allows me to figure out what position the last IPv4 address is and use that position instead. Better still, to use the position I pass it as an offset, something like this: ufw6 insert 1 deny from ::1, then find the last IPv4 address, let’s say 223, increment it by X, and then run ufw insert 223 deny from ::1.
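One way to script that, added here as an example and not code from the original post: it reads the output of ufw status numbered (IPv6 rules are marked "(v6)" there), finds the number of the last IPv4 rule, and adds the position you pass as an offset past it, which is the first slot where ufw will accept an IPv6 rule according to the behaviour described above. The sample status output is constructed, 2001:db8::1 is a documentation placeholder address, and ufw6_insert is just the name wished for above.

```shell
#!/bin/sh
# Constructed sample of "ufw status numbered" output (not captured from a real host).
# Two IPv4 rules come first, then the IPv6 rules, as ufw orders them.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     DENY IN     203.0.113.7
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# last_ipv4_position STATUS_TEXT
# Prints the number of the last rule line that is not a (v6) rule, or 0 if none.
last_ipv4_position() {
    printf '%s\n' "$1" | awk '
        /^\[ *[0-9]+\]/ && !/\(v6\)/ {
            n = $0
            sub(/^\[ */, "", n)      # strip the leading "[ "
            sub(/\].*/, "", n)       # strip "] ..." leaving the rule number
            last = n
        }
        END { print last + 0 }'
}

# ipv6_insert_position STATUS_TEXT OFFSET
# Offset 1 is the first slot after the IPv4 block; 2 is the one after that, etc.
ipv6_insert_position() {
    echo $(( $(last_ipv4_position "$1") + $2 ))
}

# ufw6_insert OFFSET RULE...   e.g.  ufw6_insert 1 deny from 2001:db8::1
# Translates the offset into a real position and hands the rule to ufw.
# Must run as root; "ufw status numbered" and "ufw insert" are real ufw commands.
ufw6_insert() {
    offset=$1
    shift
    pos=$(ipv6_insert_position "$(ufw status numbered)" "$offset")
    ufw insert "$pos" "$@"
}
```

With the sample above, ufw6_insert 1 would translate to ufw insert 4, which lands the deny rule ahead of every IPv6 allow rule while staying past the IPv4 rules ufw refuses to let it precede.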
If anyone ends up writing this script, I’ll buy you a beer 😉