This error drove me mad. I had searched the interwebs at least a few times for it and couldn’t find a solution. All I wanted to do was block some lame ass script kiddie from scanning my server. I know the ufw command I was entering was fine, because it always worked with IPv4 addresses.
For those that aren’t familiar, ufw is the “Uncomplicated Firewall”. It provides an easy-to-use interface for iptables. It’s available on Ubuntu and makes things stupid.
The command in question was ufw insert 1 deny from ::1 where ::1 was the IPv6 address I had intended to block. For the life of me, I couldn’t figure out why the command would work fine with IPv4 addresses and then bark about the invalid position for IPv6 addresses.
After some experimentation with other positions, which all errored, I came to realize that the damn thing doesn’t let you insert an IPv6 address before the IPv4 addresses. The reason I insert the new blocks in the first position is because at one point I wasn’t, and the block rules were after the allow rules and it nullified the block entirely.
So what’s a boy to do? Once I realized what was going on, I just kept jumping the position number by ten until I got it to insert and not error. Brute force, FTW. It’s a pretty manageable way to go about things when you’re not maintaining a bunch of servers.
Next step would be to write a script that allows me to figure out what position the last IPv4 address is and use that position instead. Better still, to use the position I pass it as an offset, something like this: ufw6 insert 1 deny from ::1, then find the last IPv4 address, let’s say 223, increment it by X and then run ufw insert 223 deny from ::1.
If anyone ends up writing this script, I’ll buy you a beer ;)
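Such a wrapper, as an added example and not the post author's script: ufw status numbered lists IPv4 rules first and marks IPv6 rules with “(v6)”, so counting the rules without that marker gives the offset at which the IPv6 section starts. The ufw6 name, the count_ufw_rules and ufw6_position helpers and the listing below are all constructed for this example, and it assumes ufw refuses an insert position past the last existing rule, so such a position falls back to a plain append.

```shell
#!/bin/sh
# ufw6: insert an IPv6 rule at a position relative to the start of the IPv6
# section of "ufw status numbered" (IPv4 rules come first, IPv6 rules after).

# Read a "ufw status numbered" listing on stdin and print "<ipv4 count> <ipv6 count>".
count_ufw_rules() {
    awk '
        /^\[ *[0-9]+\]/ {
            if ($0 ~ /\(v6\)/) v6++; else v4++
        }
        END { printf "%d %d\n", v4 + 0, v6 + 0 }
    '
}

# Translate a v6-relative position ($1) using the listing on stdin.
# Prints the absolute position for "ufw insert", or 0 when there is no
# IPv6 section yet or the offset lies past its end (assumed: append instead).
ufw6_position() {
    set -- "$1" $(count_ufw_rules)   # $1 offset, $2 ipv4 count, $3 ipv6 count
    if [ "$3" -eq 0 ] || [ "$1" -gt "$3" ]; then
        echo 0
    else
        echo $(( $2 + $1 ))
    fi
}

# Usage: ufw6 insert <v6-position> <ufw rule...>
#        e.g. ufw6 insert 1 deny from 2001:db8::1   (2001:db8::/32 is documentation space)
ufw6() {
    if [ "$1" != "insert" ] || [ "$#" -lt 3 ]; then
        echo "usage: ufw6 insert <v6-position> <ufw rule...>" >&2
        return 2
    fi
    offset=$2; shift 2
    pos=$(ufw status numbered | ufw6_position "$offset")
    if [ "$pos" -eq 0 ]; then
        ufw "$@"                  # no usable IPv6 position: append at the end
    else
        ufw insert "$pos" "$@"
    fi
}

# Constructed sample listing (three IPv4 rules, then two IPv6 rules) for a dry run.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     203.0.113.9
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | ufw6_position 1   # prints 4
```

Run as root, ufw6 insert 1 deny from <addr> then lands the rule at the top of the IPv6 section, ahead of the IPv6 allow rules, which is the placement the post was after.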