Please enable JavaScript to view this site.
Sometimes you may find the need to block a range of IP addresses. I will use archive.org or the
You will need to install the following Apache modules if you do not already have them.
* See the comments in the Reply below about upgrading to Ubuntu 23.10 and 24.04.
Click the 'Yes' button in response to the system questions.
Now let's enable netfilter-persistent so that it can save our new rules. Without it, all our new rules would be wiped out at the next reboot.
Now let's create a blacklist group and add archive.org's IP address range to the group.
The add blacklist rule above covers all IP addresses from 207.241.224.0 to 207.241.224.256. However, the wayback IP address range is much larger: 207.241.224.0 - 207.241.239.255. So the add blacklist command can be written as follows to capture all the IP addresses:
sudo ipset add blacklist 207.241.224.0/20
I've also caught archive.org using the following two amazon addresses: 3.236.138.35 and 3.237.27.159. The wayback machine is operating out of the amazon northern Virginia data center. Just to be safe, you could block the entire data center:
sudo ipset add blacklist 3.224.0.0/12
Note: You will need to re-run the save command. In fact, every time you add new IP addresses to the blacklist group, you will need to re-run the command:
Running the save command will update the file located at:
A CIDR address calculator such as https://www.ipaddressguide.com/cidr is helpful.
Now, let's create a rule to add the blacklist group to iptables.
If you want to review the IP addresses in your blacklist (replace
You willl also want to check the iptables rules to make sure that your blacklist is included:
You can always add more IP addresses to your blacklist. Here I am adding the domain range for domaintools.com since I consider them to be a nuisance.
After adding more IP addresses to the blacklist, you will again need to re-run the save command to make them persistent (i.e. carry over after the next reboot):
wayback machineas an example. Archive.org ignores robot texts and makes copies of your website even when you ask them not to. Therefore, it becomes necessary to block them. Here's how you do it.
You will need to install the following Apache modules if you do not already have them.
sudo apt install ipset iptables netfilter-persistent ipset-persistent iptables-persistent *
* See the comments in the Reply below about upgrading to Ubuntu 23.10 and 24.04.
Click the 'Yes' button in response to the system questions.
Now let's enable netfilter-persistent so that it can save our new rules. Without it, all our new rules would be wiped out at the next reboot.
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent
sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent
Now let's create a blacklist group and add archive.org's IP address range to the group.
sudo ipset create blacklist hash:net hashsize 4096
sudo ipset add blacklist 207.241.224.0/24
sudo ipset add blacklist 207.241.224.0/24
The add blacklist rule above covers all IP addresses from 207.241.224.0 to 207.241.224.256. However, the wayback IP address range is much larger: 207.241.224.0 - 207.241.239.255. So the add blacklist command can be written as follows to capture all the IP addresses:
sudo ipset add blacklist 207.241.224.0/20
I've also caught archive.org using the following two amazon addresses: 3.236.138.35 and 3.237.27.159. The wayback machine is operating out of the amazon northern Virginia data center. Just to be safe, you could block the entire data center:
sudo ipset add blacklist 3.224.0.0/12
Note: You will need to re-run the save command. In fact, every time you add new IP addresses to the blacklist group, you will need to re-run the command:
sudo netfilter-persistent save
Running the save command will update the file located at:
/etc/iptables/ipsets
A CIDR address calculator such as https://www.ipaddressguide.com/cidr is helpful.
Now, let's create a rule to add the blacklist group to iptables.
sudo iptables -I INPUT -m set --match-set blacklist src -j DROP
If you want to review the IP addresses in your blacklist (replace
blacklistwith any other name that you might have chosen for the group):
sudo ipset list blacklist
You willl also want to check the iptables rules to make sure that your blacklist is included:
sudo iptables -L --line-numbers
You can always add more IP addresses to your blacklist. Here I am adding the domain range for domaintools.com since I consider them to be a nuisance.
sudo ipset add blacklist 141.193.213.0/24
After adding more IP addresses to the blacklist, you will again need to re-run the save command to make them persistent (i.e. carry over after the next reboot):
sudo netfilter-persistent save
* posted by Robert on Thu, Aug 04, 2022
Reply 1:
When updating to Ubuntu 23.10 and 24.04, I found that ipset was no longer installed. I tried to reinstall, but found that the packages ipset-persistent, iptables-persistent, and netfilter-persistent were incompatible with the DEB package version of the ufw firewall. After installation of the ipset packages, the ufw firewall locked me out of the website.
Consequently, it was necessary to restore an earlier website snapshot and remove the DEB package version of the ufw firewall -
Once the Snap firewall was in place, I removed the files in the following folder:
Note: A Snap bundles an application and all its dependents into one compressed file. It runs in its own mini-container and plays well with other applications. The ufw DEB package installed through the apt command wants to remove ipset-persistent, iptables-persistent, and netfilter-persistent. This was never a problem with Ubuntu 22.04, but the problem arose when upgrading to 23.10. I also found with 23.10 and higher, that if I installed the ufw DEB package, I could not open a port for SSH access before activating the firewall. I had to activate the ufw firewall first without an open port for SSH. Then, as soon as I activated the firewall, I was locked out. There are still some ufw-related bugs in the newer versions of Ubuntu.
Consequently, it was necessary to restore an earlier website snapshot and remove the DEB package version of the ufw firewall -
sudo apt autoremove ufw, and then install the Snap containerized version of ufw -
sudo snap install ufw. After installing the Snap version of the ufw firewall, I then opened the needed ports and activated the firewall.
Once the Snap firewall was in place, I removed the files in the following folder:
/etc/iptablesand installed the packages ipset-persistent, iptables-persistent, and netfilter-persistent.
Note: A Snap bundles an application and all its dependents into one compressed file. It runs in its own mini-container and plays well with other applications. The ufw DEB package installed through the apt command wants to remove ipset-persistent, iptables-persistent, and netfilter-persistent. This was never a problem with Ubuntu 22.04, but the problem arose when upgrading to 23.10. I also found with 23.10 and higher, that if I installed the ufw DEB package, I could not open a port for SSH access before activating the firewall. I had to activate the ufw firewall first without an open port for SSH. Then, as soon as I activated the firewall, I was locked out. There are still some ufw-related bugs in the newer versions of Ubuntu.
* posted by Robert on Fri, May 10, 2024
Reply 2:
Nftables succeeds iptables on Linux systems, and is now the default firewall. If you have migrated to
nftables, you will need to translate your ipsets from iptables to nftables.
See Moving_from_ipset_to_nftables for an explanation of the following steps:
See Moving_from_ipset_to_nftables for an explanation of the following steps:
sudo ipset save > sets.ipset
sudo ipset-translate restore < sets.ipset
sudo iptables-save
sudo ipset-translate restore < sets.ipset
sudo iptables-save
* posted by Robert on Sat, Jun 29, 2024
