Linux: Block Port With IPtables

December 10, 2010 · 19 comments · LAST UPDATED December 10, 2010

How do I block port number with iptables under Linux operating systems?

A port number identifies a particular service on a host, so that TCP and UDP traffic can be delivered to the right program. Each network service on a Linux server listens on a well-known port number (see the /etc/services file). For example:

  1. TCP port 80 - HTTP Server
  2. TCP port 443 - HTTPS Server
  3. TCP port 25 - SMTP mail server
  4. TCP port 22 - OpenSSH (remote) secure shell server
  5. TCP port 110 - POP3 (Post Office Protocol v3) server
  6. TCP port 143 - Internet Message Access Protocol (IMAP) — management of email messages
  7. TCP / UDP port 53 - Domain Name System (DNS)

Block Incoming Port

The syntax to block an incoming TCP port with iptables is as follows. Note that -A appends the rule to the end of the INPUT chain; if an earlier rule already accepts that traffic (for example an ACCEPT for port 80 or for ESTABLISHED connections), the DROP is never reached. Use -I INPUT instead to insert the rule at the top, and check the resulting order with iptables -L INPUT -n -v --line-numbers:

/sbin/iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP

### only for packets arriving on interface eth1 ###
/sbin/iptables -A INPUT -i eth1 -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP

### only drop the port for a given source IP or subnet ###
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP-ADDRESS-HERE} -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP/SUBNET-HERE} -j DROP


To block port 80 (HTTP server), enter (or add to your iptables shell script):
# /sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP
# /sbin/service iptables save

Rules added from the command line are lost at reboot unless saved. The service iptables save step is specific to RHEL/CentOS-style init scripts; on other distributions, persist the rules with iptables-save (for example iptables-save > /etc/iptables.rules) or your distribution's own mechanism.

Block Incoming Port 80 Except for IP Address 1.2.3.4

The ! negates the match that follows it, so it must come before -s, not after it:
# /sbin/iptables -A INPUT -p tcp -i eth1 ! -s 1.2.3.4 --dport 80 -j DROP

Block Outgoing Port

The syntax is as follows. Rules in the OUTPUT chain match on the outgoing interface (-o; iptables rejects -i on OUTPUT) and on the destination address (-d):

/sbin/iptables -A OUTPUT -p tcp --dport {PORT-NUMBER-HERE} -j DROP

### only for packets leaving via interface eth1 ###
/sbin/iptables -A OUTPUT -o eth1 -p tcp --dport {PORT-NUMBER-HERE} -j DROP

### only drop the port for a given destination IP or subnet ###
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -d {IP-ADDRESS-HERE} -j DROP
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -d {IP/SUBNET-HERE} -j DROP


To block outgoing port # 25, enter:
# /sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
# /sbin/service iptables save

You can block outgoing connections to port 1234 on IP address 192.168.1.2 only:
# /sbin/iptables -A OUTPUT -p tcp -d 192.168.1.2 --dport 1234 -j DROP
# /sbin/service iptables save

How Do I Log Dropped Port Details?

Use the following syntax. The LOG target is non-terminating: it writes a line to the kernel log (visible with dmesg, in /var/log/messages, or via journalctl -k) and the packet then continues to the next rule. The LOG rule must therefore come before the DROP and use the same match; without the -p tcp --destination-port 80 match it would log every packet entering the INPUT chain:

# Logging #
### If you would like to log dropped packets to syslog, first log them (rate-limited to 5 per minute) ###
/sbin/iptables -A INPUT -p tcp --destination-port 80 -m limit --limit 5/min -j LOG --log-prefix "PORT 80 DROP: " --log-level 7

### now drop them ###
/sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP


How Do I Block a Cracker (IP: 123.1.2.3) From Accessing UDP Port 161?

The state match restricts the rule to packets that open a new connection; on current kernels -m conntrack --ctstate NEW is the equivalent form:

/sbin/iptables -A INPUT -s 123.1.2.3 -i eth1 -p udp -m state --state NEW -m udp --dport 161 -j DROP

# drop traffic from the students' subnet 192.168.1.0/24 to port 80
/sbin/iptables -A INPUT -s 192.168.1.0/24 -i eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j DROP

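Putting the incoming, outgoing and logging rules above together, here is an added example (not part of the original article) of a small POSIX shell wrapper that applies them safely: it inserts with -I so a DROP cannot be shadowed by an earlier ACCEPT, uses iptables -C to avoid adding the same rule twice, places the ! before -s for the "everyone except" case, uses -o and -d on OUTPUT, pairs the LOG rule with the same port match as its DROP, and can also remove a block by rule specification rather than by rule number (which the article does not cover). Everything else is an assumption: iptables at /sbin/iptables (override with IPT), root privileges when applying, and an IPT_DRY_RUN=1 switch that only prints the commands so the rules can be reviewed first.

```sh
#!/bin/sh
# Added example, not from the original article. Assumptions: iptables is at
# /sbin/iptables (override with IPT=...), the script runs as root when applying,
# and IPT_DRY_RUN=1 prints each iptables command instead of executing it.

IPT=${IPT:-/sbin/iptables}

# Run iptables, or print the exact command line when IPT_DRY_RUN=1.
run_ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# add_rule CHAIN MATCH...: insert MATCH at the top of CHAIN unless an identical
# rule exists (-C). -I rather than -A matters: an appended DROP sits below any
# earlier ACCEPT (a port-80 allow, an ESTABLISHED rule) and is never reached.
add_rule() {
    chain=$1; shift
    if [ "${IPT_DRY_RUN:-0}" != "1" ] && "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run_ipt -I "$chain" "$@"
}

# del_rule CHAIN MATCH...: delete by specification, not by rule number, so it
# still removes the right rule after other rules have been added or removed.
del_rule() {
    chain=$1; shift
    run_ipt -D "$chain" "$@"
}

# in_rule ACTION PORT [IFACE] [SRC]: build the INPUT match "TCP to PORT" and
# hand it to ACTION (add_rule or del_rule). SRC is an address, a CIDR, or
# "!1.2.3.4" meaning everyone except 1.2.3.4; the '!' must precede -s.
in_rule() {
    action=$1 port=$2 iface=$3 src=$4
    set -- -p tcp --dport "$port"
    if [ -n "$iface" ]; then set -- -i "$iface" "$@"; fi
    case $src in
        "")   ;;
        "!"*) set -- "$@" ! -s "${src#!}" ;;
        *)    set -- "$@" -s "$src" ;;
    esac
    "$action" INPUT "$@" -j DROP
}
block_in()   { in_rule add_rule "$@"; }
unblock_in() { in_rule del_rule "$@"; }

# block_out PORT [DST] [OIFACE]: drop outgoing TCP to PORT. OUTPUT rules take
# -o (egress interface) and -d (destination); -i is rejected on OUTPUT.
block_out() {
    port=$1 dst=$2 oiface=$3
    set -- -p tcp --dport "$port"
    if [ -n "$oiface" ]; then set -- -o "$oiface" "$@"; fi
    if [ -n "$dst" ]; then set -- "$@" -d "$dst"; fi
    add_rule OUTPUT "$@" -j DROP
}

# log_and_drop_in PORT: rate-limited LOG then DROP, both matching the same port
# (a LOG rule without -p/--dport logs every packet entering INPUT). add_rule
# inserts at the top, so the DROP goes in first and the LOG ends up above it;
# LOG is non-terminating, so a logged packet still reaches the DROP.
log_and_drop_in() {
    port=$1
    add_rule INPUT -p tcp --dport "$port" -j DROP
    add_rule INPUT -p tcp --dport "$port" -m limit --limit 5/min \
        -j LOG --log-prefix "PORT $port DROP: " --log-level 7
}

# Usage: IPT_DRY_RUN=1 ./block-ports.sh apply  (preview), then as root without it.
if [ "${1:-}" = "apply" ]; then
    block_in 80 eth1 '!1.2.3.4'      # HTTP on eth1 from everyone except 1.2.3.4
    block_out 25                     # no outbound SMTP
    block_out 1234 192.168.1.2       # port 1234 on one host only
    log_and_drop_in 23               # example port: log, then drop
    run_ipt -S INPUT                 # check the resulting rule order
fi
```

Preview the exact rules with IPT_DRY_RUN=1, then run the script as root without the variable; afterwards persist them with service iptables save or iptables-save as described above, and confirm the order with iptables -S INPUT. To lift a block, call unblock_in with the same arguments that created it.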

19 comments

1 Spyros December 11, 2010 at 8:51 am

I was actually looking for a good iptables reference, this one seems to do the trick, thanx !

2 moinul May 8, 2011 at 4:30 am

I need IP block for internet service.

3 myne July 21, 2011 at 8:20 am

How to block all except one IP.

4 Sux November 13, 2011 at 12:50 am

The "Block Incoming Port 80 except for IP Address 1.2.3.4" section is wrong.
The '-s' and '1' should be swapped, the correct command is:
# /sbin/iptables -A INPUT -p tcp -i eth1 ! -s 1.2.3.4 --dport 80 -j DROP

5 Sux November 13, 2011 at 12:51 am

I meant '-s' and '!' :]

6 Mike May 3, 2012 at 9:42 pm

Please help me. I have a MapleStory server and someone attacks my ports. How do I block him and where do I put it in?

7 gg March 17, 2014 at 4:52 am

URGENT!! HELP!! SOMEONE HELP THIS MAN RIGHT AWAY.

8 wahyu October 5, 2012 at 11:46 am

What if I want to block some ports, such as 80, 3128 and 22? Can I just do that with this line:

# /sbin/iptables -A INPUT -p tcp ! --destination-port 80 3128 22 -j DROP ?

9 Amauris October 18, 2012 at 10:27 pm

Would this be correct to block port 25 except for ip 1.2.3.4?

# /sbin/iptables -A OUTPUT -p tcp -i eth1 ! -s 1.2.3.4 --dport 25 -j DROP

10 FAILWHALE June 2, 2013 at 9:56 am

You can't use -i with OUTPUT

:/var/www/www.yomommashole.com# iptables-restore < /etc/iptables.up.rules
iptables-restore v1.4.14: Can't use -i with OUTPUT
Error occurred at line: 17

Way to go dildo.

11 Baldwin October 21, 2012 at 4:13 pm

I am still having a problem on how to configure squid to use iptables for the port redirection to 3128 rather than configuring the browser to do so. My children understand how to configure the browser to bypass squid blocking sites. Can anyone help me? Here is my squid.conf and the iptables script that I am using.
squid.conf -> http://pastebin.com/LtXw1ZDT
iptables script -> http://pastebin.com/iXrb1Xic
Thanks

12 Pitto March 25, 2013 at 8:46 am

Hi Baldwin!

Did you solve this?

I’m stuck in the same identical problem :/

13 mustafa October 23, 2012 at 4:26 pm

Hi,
Please help me here. When I try to block port 443 on outgoing, I get this error:

iptables v1.3.5: Can't use -i with OUTPUT

14 Abdul Basit May 31, 2013 at 4:01 pm

iptables -A OUTPUT -p tcp --dport 443 -j DROP

15 mnenad September 22, 2013 at 2:48 pm

Recently I had a problem with spammers who were using my mail server to send spam mail. Since then I am blocking port 25 for the external network, but now I can't receive mail. My question is, is it possible to allow sending mail, using iptables, from the local network like 192.168.1.10/24, and to allow receiving on port 25 from anywhere?

16 marcin November 25, 2013 at 5:41 pm

I have been searching for a while and I cannot find a definite answer.
Will blocking an IP from a single port, interface and protocol vs. blocking the same IP from all ports and all interfaces make iptables work faster?
i.e.
iptables -A INPUT -i {INTERFACE} -s {IP address} -p {prot} --dport {port} -j DROP
vs.
iptables -A INPUT -s {IP address} -j DROP

I have a large (2000+ IPs) list to be blocked from my server, but when in place, drop-all significantly slows down the server and packet throughput.

17 TuxGamer March 4, 2014 at 11:54 am

Thank you for the tutorial :)

18 RK March 10, 2014 at 6:28 am

Hi

I have blocked port 80 and now the question is how to unblock it.

19 David April 8, 2014 at 10:46 am

list rules:
iptables -L

find where the rule is, and delete it:
iptables -D INPUT 1
(removes the first rule from "INPUT")
