How do I block port number with iptables under Linux operating systems?
A port number identifies a network service: it tells the computer which application should receive a packet. Each service on a Linux server listens on a well-known port number (see the /etc/services file). For example:
- TCP port 80 - HTTP Server
- TCP port 443 - HTTPS Server
- TCP port 25 - Mail Server
- TCP port 22 - OpenSSH (remote) secure shell server
- TCP port 110 - POP3 (Post Office Protocol v3) server
- TCP port 143 - Internet Message Access Protocol (IMAP) — management of email messages
- TCP / UDP port 53 - Domain Name System (DNS)
Block Incoming Port
The syntax is as follows to block incoming port using IPtables:
/sbin/iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP
### interface section use eth1 ###
/sbin/iptables -A INPUT -i eth1 -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP
### only drop port for given IP or Subnet ###
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP-ADDRESS-HERE} -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP/SUBNET-HERE} -j DROP
To block port 80 (HTTP server), enter (or add to your iptables shell script):
# /sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP
# /sbin/service iptables save
Block Incoming Port 80 except for IP Address 1.2.3.4
# /sbin/iptables -A INPUT -p tcp -i eth1 ! -s 1.2.3.4 --dport 80 -j DROP
Block Outgoing Port
The syntax is as follows:
/sbin/iptables -A OUTPUT -p tcp --dport {PORT-NUMBER-HERE} -j DROP
### interface section use eth1 (OUTPUT matches the outgoing interface with -o, not -i) ###
/sbin/iptables -A OUTPUT -o eth1 -p tcp --dport {PORT-NUMBER-HERE} -j DROP
### only drop port for given destination IP or Subnet ###
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -d {IP-ADDRESS-HERE} -j DROP
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -d {IP/SUBNET-HERE} -j DROP
To block outgoing port # 25, enter:
# /sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
# /sbin/service iptables save
You can block port # 1234 for IP address 192.168.1.2 only:
# /sbin/iptables -A OUTPUT -p tcp -d 192.168.1.2 --dport 1234 -j DROP
# /sbin/service iptables save
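The incoming and outgoing sections above share one pattern: chain, optional interface, optional address (possibly negated with !), port, DROP. The helper below is an added example, not part of the original article, that builds such a rule from those pieces, validates the port, and picks -i for INPUT and -o for OUTPUT (iptables rejects -i on the OUTPUT chain). By default it only prints the command it would run; set IPTABLES=/sbin/iptables to apply it. The function names, the IPTABLES variable and the dry-run convention are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): build a TCP DROP rule for
# the INPUT or OUTPUT chain. Dry run by default; IPTABLES=/sbin/iptables applies.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# Accept only integers in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: drop_rule CHAIN PORT [IFACE] [ADDR] [!]
#   CHAIN  INPUT or OUTPUT
#   IFACE  interface name, or "" for any interface
#   ADDR   source host/CIDR for INPUT, destination host/CIDR for OUTPUT
#   !      as the 5th argument: match everything EXCEPT ADDR
drop_rule() {
    chain="$1" port="$2" iface="${3:-}" addr="${4:-}" negate="${5:-}"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    case "$chain" in
        INPUT)  ifflag="-i"; addrflag="-s" ;;
        OUTPUT) ifflag="-o"; addrflag="-d" ;;   # -i is not valid on OUTPUT
        *) echo "bad chain: $chain" >&2; return 1 ;;
    esac
    # Assemble the argument list in the positional parameters.
    set -- -A "$chain" -p tcp
    [ -n "$iface" ] && set -- "$@" "$ifflag" "$iface"
    if [ -n "$addr" ]; then
        [ "$negate" = "!" ] && set -- "$@" "!"
        set -- "$@" "$addrflag" "$addr"
    fi
    set -- "$@" --dport "$port" -j DROP
    $IPTABLES "$@"
}

# The rules from this article, rendered in dry-run form.
drop_rule INPUT 80
drop_rule INPUT 80 eth1 1.2.3.4 '!'
drop_rule OUTPUT 25
drop_rule OUTPUT 1234 "" 192.168.1.2
```

Because -A appends, a new DROP lands after any ACCEPT rule already in the chain and will never be reached for traffic those earlier rules accept; check placement with `iptables -L INPUT -n --line-numbers` and use -I to insert at the top when needed.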
How Do I Log Dropped Port Details?
Use the following syntax:
# Logging #
### If you would like to log dropped packets to syslog, first log it (match the same port so only that traffic is logged) ###
/sbin/iptables -A INPUT -p tcp --destination-port 80 -m limit --limit 5/min -j LOG --log-prefix "PORT 80 DROP: " --log-level 7
### now drop it ###
/sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP
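The LOG target writes one kernel-log line per packet with the prefix you chose followed by KEY=VALUE fields (SRC, DST, PROTO, DPT and so on). The script below is an added example, not from the original article, that pulls those lines back out of the log and summarises which sources hit the dropped port. SAMPLE_LOG is a constructed sample in the standard netfilter LOG format; on a real host the input would be /var/log/messages, /var/log/kern.log or `journalctl -k`, and the prefix is whatever you passed to --log-prefix. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): summarise netfilter LOG lines.
# SAMPLE_LOG is constructed; the field layout is what the LOG target emits.
SAMPLE_LOG='Jan 10 12:00:01 srv kernel: PORT 80 DROP: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:02 srv kernel: PORT 80 DROP: IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=80 SYN URGP=0
Jan 10 12:00:03 srv kernel: PORT 80 DROP: IN=eth1 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jan 10 12:00:04 srv kernel: unrelated kernel message'

# Read log lines on stdin; print "SRC DPT PROTO" for each line carrying prefix $1.
extract_drops() {
    awk -v p="$1" '
        index($0, p) {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")          # tokens look like KEY=VALUE
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") print src, dpt, proto
        }'
}

# Read log lines on stdin; print "COUNT SRC" per source address, busiest first.
top_sources() {
    extract_drops "$1" | awk '{ c[$1]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Wrappers over the constructed sample so the results can be checked.
sample_drop_count() {
    printf '%s\n' "$SAMPLE_LOG" | extract_drops 'PORT 80 DROP:' | wc -l | tr -d ' '
}
sample_top_source() {
    printf '%s\n' "$SAMPLE_LOG" | top_sources 'PORT 80 DROP:' | head -n 1
}

sample_top_source
```

Two caveats when reading these counts: --log-level 7 is the debug level, so where the lines land depends on the syslog configuration, and because of `-m limit --limit 5/min` the LOG rule sees at most five packets a minute, so the counts are a lower bound on what the DROP rule actually discarded.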
How Do I Block Cracker (IP: 123.1.2.3) Access To UDP Port # 161?
/sbin/iptables -A INPUT -s 123.1.2.3 -i eth1 -p udp -m state --state NEW -m udp --dport 161 -j DROP
# drop students 192.168.1.0/24 subnet to port 80
/sbin/iptables -A INPUT -s 192.168.1.0/24 -i eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
11 comments
I was actually looking for a good iptables reference, this one seems to do the trick, thanx !
i need ip block for internet service.
How to block all except one IP.
The "Block Incoming Port 80 except for IP Address 1.2.3.4" section is wrong.
The '-s' and '1' should be swapped, the correct command is:
# /sbin/iptables -A INPUT -p tcp -i eth1 ! -s 1.2.3.4 --dport 80 -j DROP
I meant '-s' and '!' :]
Please help me. I have a maplestory server and someone attacks my ports. How do I block him and where do I put it in?
What if I want to block some ports? such as 80, 3128 and 22, can I just do that with this line:
# /sbin/iptables -A INPUT -p tcp ! --destination-port 80 3128 22 -j DROP ?
Would this be correct to block port 25 except for ip 1.2.3.4?
# /sbin/iptables -A OUTPUT -p tcp -i eth1 ! -s 1.2.3.4 --dport 25 -j DROP
I am still having a problem on how to configure squid to use iptables for the port redirection 3128 rather than configure the browser to do so. My children understand how to configure the browser to bypass squid blocking sites. Can anyone help me ? Here is my squid.conf and my iptables that I am using.
squid.conf -> http://pastebin.com/LtXw1ZDT
iptables script -> http://pastebin.com/iXrb1Xic
Thanks
Hi Baldwin!
Did you solve this?
I’m stuck in the same identical problem :/
Hi,
Please help me here. When I try to block port 443 on outgoing, I get this error:
iptables v1.3.5: Can’t use -i with OUTPUT