How to block an IP address or IP range

We’ll start with a few of the basic commands.

First off, here’s how to prevent a specific IP Address from accessing your server with the iptables block ip command. Replace [IP] with the IP you actually want to block:

iptables -A INPUT -s [IP] -j DROP

If you’re looking to block a specific range of IP addresses, meanwhile; type in the following, replacing [START] and [END] with the endpoints of the range (via Chron):

iptables -A INPUT -m iprange –src-range [START]-[END] -j DROP

You can also block an entire subnet from accessing your website with

iptables -i eth1 -A INPUT -s [SUBNET ADDRESS] -j DROP

Blocking a connection on a specific interface

Now, let’s say you only want to block a connection through a specific interface. In that case, the command will be as follows:

iptables -A INPUT -i [Interface Name] -s [IP] -j DROP

You can add a + to the end of the interface name to block any interface whose name begins with the characters you’ve entered.

How to block a port

If you want to block a connection on a specific port, then you’ll use the following iptables block port command:

iptables -A INPUT -s -p tcp –destination-port 25 -j DROP

Viewing IP Blocks

If at any time you want to view your list of blocked IP addresses, you can either use

iptables -L -v or /sbin/iptables -L INPUT -v

Removing IP Blocks

While viewing that list, you can delete specific entries using the iptables open port command or iptables allow port command. Use the following commands, in order:

iptables -L INPUT -n –line-numbersiptables -D INPUT [LINE]iptables -L INPUT -v -n

Of course, if you know which specific entry you want to be rid of, the following syntax will work just as well using the iptables drop ip command:

iptables -D INPUT -s -j DROP

Assuming you want to log dropped address information, you can also turn on kernel logging with: iptables -i eth1 -A INPUT -s [IP/SUBNET] -j LOG –log-prefix “IP DROP SPOOF A:”

See Also: (Live Webinar) Meet ServerMania: Transform Your Server Hosting Experience

Searching Blocked IPs

Next up, you can search your blocked IP addresses with:

iptables -L INPUT -v -n | grep [IP]

Saving Changes

Finally, in order to save the changes you’ve made to your iptables block list on CENTOS, RHEL, or Fedora, you’ll need to use the command service iptables save.

Additional Commands You Can Use To Block Traffic

The commands above form the basic framework of IP blocking within iptables, but they aren’t exactly comprehensive. If you really want to cut yourself off from an IP address, there are a few additional commands you’ll want to make yourself aware of. They are as follows:

  • -OUTPUT: Prevents TCP connections with a server, and blocks outgoing traffic. Syntax is iptables -A OUTPUT -s [IP] -j DROP
  • -FORWARD: Blocks all forwarding traffic. Syntax is iptables -A FORWARD -s [IP] -j DROP
  • tcp: Like Output, blocks TCP connections. Syntax is iptables -A INPUT -p tcp -s [IP] -j DROP
  • icmp: Blocks port probing. Syntax is -A INPUT -p icmp -s [IP] -j DROP

Building Your iptables Block List

Now that you’ve been primed on the basics of iptables, you can create your own blacklist following these commands:

1. First, flush out all the old default rules and existing rules with the flush command:

iptables -F

2. Next, change your default chain policy with the following set of commands:

iptables -P INPUT DROPiptables -P FORWARD DROPiptables -P OUTPUT DROP

3. Set up IP blocking as you see fit using the commands in the previous section.

A Few Extra Resources

We’ll leave off today’s piece with a few awesome tips, tricks, and words of advice regarding some of the stuff you can do with iptables. First off,  if you’re looking for a script that will automate the banning of abusive IPs, Fail2Ban is an excellent choice.

Next, our knowledge base contains dozens of other tutorials to help you use your Linux server. Our article on securing a linux server is a great start. Continue browsing to learn more.