How Do I Block an IP Address on My Linux server?

by on March 29, 2006 · 41 comments· LAST UPDATED August 2, 2010


How do I block an IP address or subnet under Linux operating system?

In order to block an IP on your Linux server you need to use the iptables tool (the administration tool for IPv4 packet filtering and NAT) together with the netfilter firewall in the kernel. First you need to log into the shell as the root user. To block an IP address, type the iptables command as follows:

Syntax to block an IP address under Linux

iptables -A INPUT -s IP-ADDRESS -j DROP

Replace IP-ADDRESS with the actual IP address. For example, if you wish to block the IP address 65.55.44.100 for whatever reason, type the command as follows:
# iptables -A INPUT -s 65.55.44.100 -j DROP
If you have an iptables firewall script, add the above rule to your script.

If you just want to block access from the IP 65.55.44.100 to a single port, say port 25, type the command:
# iptables -A INPUT -s 65.55.44.100 -p tcp --destination-port 25 -j DROP
The above rule will drop all TCP packets coming from IP 65.55.44.100 to the mail server port 25; traffic from that IP to other ports is unaffected.

CentOS / RHEL / Fedora Block An IP And Save It To Config File

Type the following two commands (the second one writes the running rules to the config file so they survive a reboot):
# iptables -A INPUT -s 65.55.44.100 -j DROP
# service iptables save

How Do I Unblock An IP Address?

Use the following syntax (the -D option deletes the rule from the table; the match must be identical to the rule that was added):
# iptables -D INPUT -s xx.xxx.xx.xx -j DROP
# iptables -D INPUT -s 65.55.44.100 -j DROP
# service iptables save

See also:

  1. You can write a shell script to block lots of IP address and subnets.
  2. Iptables: Unblock / Delete an IP Address Listed in IPtables Tables
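The "shell script to block lots of IP addresses and subnets" mentioned above, as an added example that is not part of the original article. It assumes Linux with iptables in PATH and root privileges; the blocklist file, its entries and the DRY_RUN switch are the example's own, not anything from the page. It inserts with -I rather than -A so an earlier ACCEPT rule cannot shadow the DROP (the point raised in the comments below), and uses -C so re-running the script does not duplicate rules.

```shell
#!/bin/sh
# Added example, not from the original article: block every IPv4 address or
# CIDR subnet listed in a file. -I puts each DROP at the top of INPUT so an
# earlier ACCEPT cannot shadow it; -C skips rules already present (re-runnable).
# Assumes Linux, iptables in PATH, root. DRY_RUN=1 prints instead of running.

IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-0}

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    case "$1" in
        */*) addr=${1%/*}; pfx=${1#*/} ;;
        *)   addr=$1;      pfx=32 ;;
    esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    return 0
}

# Insert a DROP rule for $1 unless an identical rule already exists.
block_ip() {
    [ "$DRY_RUN" = 1 ] && { echo "$IPTABLES -I INPUT -s $1 -j DROP"; return 0; }
    "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null && return 0
    "$IPTABLES" -I INPUT -s "$1" -j DROP
}

# Process file $1: one address or subnet per line, blank lines and # comments
# allowed. Returns the number of invalid lines so a bad list is noticed.
block_list() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_ipv4 "$line"; then
            block_ip "$line"
        else
            echo "skipping invalid entry: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}
```

Run it as `block_list /etc/blocklist.txt` from a firewall script; an entry such as 202.56.0.0/16 blocks a whole subnet with one rule.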


1 dewanand singh February 19, 2007 at 4:10 am

hi dear,

how are you?

I have a problem restricting the web pages on the client side.

I have a Linux server to run the internet. I made a gateway on that server and use it on other systems to run the internet.

Here I want only my specified web pages to open on the client system.

Please, can you help me configure it?

My network is on a workgroup.

Thanks
dewa

Reply

2 Rohit Basu February 22, 2008 at 6:52 am

There are two solutions:

1) the best practice is to use a proxy server like squid on the gateway machine. Then define ACLs on the squid.
say you want to deny access to yahoo.com and rediffmail.com.
acl all src 0.0.0.0/0.0.0.0
acl web_yahoo dstdomain yahoo.com
acl web_rediff dstdomain rediff.com

http_access deny web_yahoo all
http_access deny web_rediff all

2) this option is through iptables, assuming that your gateway acts as a firewall.

iptables -A INPUT -p tcp --destination-port 80 -d -j DROP

it will drop any request to port 80 of yahoo from any source.

Reply

3 pradeep May 16, 2008 at 5:02 am

I want to connect to the internet on a local PC by user from the server.

Reply

4 Shiva May 24, 2008 at 7:05 am

Please send me the code in Linux C to block the website typed in the browser, or send the references where I can get it.

Reply

5 Chris June 21, 2008 at 7:19 am

Hi I added:

iptables -A INPUT -s 80.58.205.35 -j DROP

and kept checking my apache logs. After a short pause of no requests from 80.58.205.35,

it resumed?? Could this mean I have been hacked?

EG:
80.58.205.35 - - [21/Jun/2008:17:10:40 +1000] "GET /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////photogallery.php?album_id=1 HTTP/1.1" 200

Reply

6 nixCraft June 21, 2008 at 8:04 am

You need to add iptables -A INPUT -s 80.58.205.35 -j DROP to your firewall script. Once added 80.58.205.35 cannot connect to your apache. Do you run any special firewall script such as apf?

Reply

7 joel July 31, 2008 at 7:57 am

hi,
I need an iptables rule for a website (www.webmd.com) not to go through squid (proxy). Could you please send me the iptables rule for this one?

thanks

Reply

8 S. Nilesh July 31, 2008 at 12:29 pm

joel, I think you do it without an iptables rule, using the squid configuration, and I don’t think it’s possible to have such a rule. What do you say vivek?

Reply

9 nixCraft July 31, 2008 at 12:35 pm

Yes, nilesh is right. It all depends upon your setup. Do you have squid proxy installed? If so there is an option to skip webmd.com from squid cache using ACL. Iptables is for filtering and restricting traffic.

Reply

10 joel August 1, 2008 at 1:02 am

@vivek and S. Nilesh,

yes, I have a squid transparent proxy caching server and firewall in the same box. Could you kindly post here the acl rules to bypass webmd from going through squid? btw I’m using the old 2.5 stable 6 version. Thank you very much to both of you for responding to my question.

joel

Reply

11 S. Nilesh August 1, 2008 at 9:08 am

joel, try this –

acl webmd dstdomain .webmd.com
always_direct webmd

it should do it for you…

Reply

12 joel August 4, 2008 at 9:09 am

@ S. Nilesh,

thank you so much.that really works!! :)

Reply

13 joel August 8, 2008 at 10:39 am

@ S.Nilesh and Vivek,

hi again,

I thought I should ask this question. How would you allow https traffic for one particular site on the network but restrict all other https traffic with an iptables rule? I have users bypassing my proxy redirector (squidguard) using https and I cannot block port 443 on my firewall because it is being used by a remote GUI application which is also being used by my users.

Reply

14 j sox January 8, 2009 at 9:51 am

lol don’t use -A

I’m not an iptables guru, but I’ve fought off plenty of attacks and hack attempts, here’s how the chain works, ok,
# Drop
rule 1
rule 2
rule 3
end of chain default rule (drop all or accept all however)
rule4 your new rule

so if you use the -A which is the add option it’s going to add to the drop chain right,
which will put it after an absolute depending on who or how your iptables is set up.
after an absolute is parsed by iptables it won’t read any further into the chain, therefore your add option will never work as well as the insert flag -I

# drop

rule1
rule2
rule3
rule4 – our new rule here
drop all

make sense?

Reply

15 Shibin May 12, 2009 at 3:17 pm

Hi all,

Are these iptables entries permanent? Recently I blocked an IP using the step mentioned above (i.e. iptables -A INPUT -s 124.118.247.4 -j DROP). I wanted to know, if my server reboots, can that entry withstand the reboot or will it be lost upon reboot?

Reply

16 nixCraft May 13, 2009 at 9:36 am

@Shibin,

Noop, you need to write a shell script to keep them alive after reboot.

Reply

17 kid August 15, 2009 at 8:32 pm

How to block all IPs and allow access to only one IP?

Reply

18 Mikey April 2, 2011 at 2:23 am

iptables -I INPUT -s ! {IP ADDRESS} -j DROP

The bang character (!) basically means NOT, so the line above would say drop ALL packets NOT going to the IP address.

Reply

19 ecommy December 31, 2009 at 10:46 am

Why is it working only if I use it like this? (not iptables -A INPUT -s 86.34.187.86 -j DROP)
iptables -I INPUT -s 86.34.187.86 -j DROP

Reply

20 Mouli February 2, 2010 at 3:17 pm

Hi !!
I have RHEL5 installed and I have tried the command #iptables -A INPUT -s -j DROP. I have logged in as root and opened a terminal… and then typed this… but it didn’t work!! Please tell me the actual way to run this command… I really need this very urgently…

Reply

21 Mouli February 2, 2010 at 3:18 pm

Hi !!
I have RHEL5 installed and I have tried the command #iptables -A INPUT -s IP ADDRESS -j DROP. I have logged in as root and opened a terminal… and then typed this… but it didn’t work!! Please tell me the actual way to run this command… I really need this very urgently…

Reply

22 Bappy February 19, 2010 at 2:55 am

Does anyone know how to block IPs like this >
202.56.***.*** that means all IPs under 202.56. will be blocked.

Regards,
Admin
Centriohost.com

Reply

23 faisu February 24, 2010 at 4:29 am

hello

How to set up youtube access for a specific IP through an acl????

Reply

24 rohit singh June 16, 2010 at 5:19 am

I am not able to block one particular IP address, please suggest.

Reply

25 nacks October 30, 2010 at 1:53 pm

Try $IPT -I INPUT -s IP_ADDRESS -j DROP

Reply

26 Zach Browne August 24, 2010 at 9:23 am

I am having some problems leaving a remark. I’ve attempted refreshing several times as well as closing and opening opera. Is anyone else having a problem on this article?

Reply

27 nixCraft August 25, 2010 at 5:16 am

Do you see any specific error?

Reply

28 Mehmet Karabulut January 29, 2011 at 10:05 pm

iptables rules explained very clearly. Thank you.

Reply

29 Aditya March 23, 2011 at 9:29 pm

Hi Vivek
This site is very useful and provides “to the point” information. Keep up the good work.

Aditya
Unix aficionado

Reply

30 Ben April 14, 2011 at 10:59 pm

I tested this and blocked the IP of my phone through iptables. It didn’t block anything: I could still ssh in, I could still browse the website I host on this server and connect via ftp, so I went into my iptables file
and typed this
-A PREROUTING -s PhoneIPAddress -j DROP
saved, closed
service restart iptables
and then my phone had no access whatsoever. Is this just a different way, or am I going to run into problems by blocking IP addresses at the PREROUTING level?

Reply

31 shadowtrooper May 14, 2011 at 12:45 pm

hi
I am new with iptables stuff and I have a problem….
I have a PC containing Fedora OS and I want to make a small network (4 PCs containing XP OS) and use the Fedora PC as a firewall.
I want to prevent the ping (I think it is called ICMP) in the private network and prevent one of the PCs from browsing the internet (prevent ports 80 and 81, I think),
and I still don’t know how to make the internet go through the firewall to the private network…

note: WAN = eth0
LAN = eth1
anyone can help please!!!!

Reply

32 Nivetha August 16, 2011 at 8:28 am

How can I check whether the IP is blocked by iptables or not?

Reply

33 barney stinson September 15, 2011 at 9:12 am

How can I block connections ONLY TO port 80 of a range of addresses?

I do not want to create 300 single rules for port 80. The port constraint is required as I must allow traffic to port 443.

Reply

34 barney stinson September 15, 2011 at 11:40 am

Not blocking any of the addresses in the range:

iptables -A INPUT -s 5.5.5.0/22 -p tcp --destination-port 80 -j DROP

iptables 1.4.10 (android)

Thoughts?

Reply

35 ronald September 27, 2011 at 7:19 am

Thanks for the short lesson on the command. Very helpful.

Reply

36 lalus November 16, 2011 at 2:29 am

I want my client with IP 192.168.1.1 to be able to access http://www.google.com only, nothing else.
What is the iptables command?

Thanks

Reply

37 Alessio January 28, 2012 at 3:16 pm

I have a csv file with the IP list; can I block all IPs in this file?

Reply

38 Mazhar Shahzad October 21, 2012 at 6:05 am

I want to block IPs.
An easy step in cpanel to block an IP.

Reply

39 Domtoren August 18, 2013 at 6:53 am

If you have other rules in your INPUT chain you do need to use the -I option to insert your block at the top of the chain:

iptables -I INPUT -s 6.7.8.9 -j DROP

to block IP address 6.7.8.9.

Reply

40 mohit October 6, 2013 at 3:51 pm

hi there,
I have an error called 705 (failure to connect to web server) when I upload the website on the server.
It blocks my IP because all other net connections open it, so please give me a better solution for that.

Reply

41 rupesh February 17, 2014 at 12:23 pm

It is working fine.
I am able to block an IP address and unblock it. Working fine.

But how to block a user??

As a user using the same mobile and changing IP address is able to access the server.

Reply
