This error drove me mad. I had searched the interwebs at least a few times for it and couldn’t find a solution. All I wanted to do was block some lame ass script kiddie from scanning my server. I know the ufw command I was entering was fine, because it always worked with IPv4 addresses.

For those that aren’t familiar, ufw is the “Uncomplicated Firewall”. It provides an easy-to-use front end for iptables. It’s available on Ubuntu and makes things stupid simple.

The command in question was ufw insert 1 deny from ::1, where ::1 was the IPv6 address I had intended to block. For the life of me, I couldn’t figure out why the command would work fine with IPv4 addresses and then bark about an invalid position for IPv6 addresses.

After some experimentation with other positions, which all errored, I came to realize that the damn thing doesn’t let you insert an IPv6 rule before the IPv4 rules. The reason I insert new block rules in the first position is that at one point I wasn’t, and the block rules landed after the allow rules, which nullified the block entirely (ufw matches rules in order, so the earlier allow wins).

So what’s a boy to do? Once I realized what was going on, I just kept jumping the position number by ten until I got it to insert and not error. Brute force, FTW. It’s a pretty manageable way to go about things when you’re not maintaining a bunch of servers.

The next step would be to write a script that figures out the position of the last IPv4 rule and uses that position instead. Better still, treat the position I pass as an offset, something like this: ufw6 insert 1 deny from ::1, which finds the last IPv4 rule, let’s say 223, increments it by X, and then runs ufw insert 223 deny from ::1.

If anyone ends up writing this script, I’ll buy you a beer ;)
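Here is a sketch of that script, added as an example and not something from the original post. It parses the output of ufw status numbered (IPv6 rules are tagged “(v6)” there, and ufw lists every IPv4 rule ahead of them), counts the IPv4 rules, and adds the offset you pass to get a position ufw will accept for an IPv6 rule. The sample status output and the address 2001:db8::1 are constructed for offline testing; the function names are my own.

```shell
#!/bin/sh
# Added example, not the post's own script: compute the position at which ufw
# will accept an IPv6 rule. ufw numbers all IPv4 rules first, then the "(v6)"
# rules, and inserting an IPv6 rule inside the IPv4 block is what triggers the
# "invalid position" error the post describes. Assumes the status output
# format shown in SAMPLE_STATUS (the format `ufw status numbered` prints).

# Constructed sample of `ufw status numbered` output for offline testing.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     203.0.113.5
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Count numbered rules that are not tagged "(v6)", i.e. the IPv4 block.
# Prints 0 when there are no rules at all.
count_ipv4_rules() {
    printf '%s\n' "$1" |
        awk '/^\[ *[0-9]+\]/ && !/\(v6\)/ { n++ } END { print n + 0 }'
}

# Translate "position among the IPv6 rules" (1 = first IPv6 slot, i.e. the
# position the post passes to its imagined ufw6 wrapper) into the absolute
# position ufw expects by skipping past every IPv4 rule.
ipv6_insert_position() {
    status="$1"
    offset="${2:-1}"
    n=$(count_ipv4_rules "$status")
    echo $((n + offset))
}

# Build the ufw command line for an IPv6 deny rule. It is returned as a
# string so you can inspect it before running it as root.
ufw6_deny_command() {
    status="$1"
    addr="$2"
    offset="${3:-1}"
    pos=$(ipv6_insert_position "$status" "$offset")
    echo "ufw insert $pos deny from $addr"
}

# Usage against a live system (requires root), e.g.:
#   ufw6_deny_command "$(ufw status numbered)" 2001:db8::1 1
# prints the command to run; pipe it to sh once you are happy with it.
```

With the sample above there are three IPv4 rules, so an offset of 1 yields position 4, which puts the new deny rule ahead of the existing IPv6 allow rules, the same ordering the post needs so the block is not nullified by an earlier allow.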
