Linux Iptables Block Outgoing Access To Selected or Specific IP Address / Port

June 26, 2005 · 24 comments · Last updated October 18, 2013


You would like to block outgoing access to a particular remote host/IP address or port, either for all traffic or only for selected services/ports. In this quick tutorial I will explain how to use iptables to block outgoing access.

Block Access To Outgoing IP Address

The following rule will block all outgoing connections from this host to the IP address 202.54.1.22:
iptables -A OUTPUT -d 202.54.1.22 -j DROP

The above rule is useful for blocking the IP address of a chat server, or of a site hosting dangerous content such as viruses or malware.

Block Access To Outgoing IP TCP / UDP Port Number

To block a specific port number, such as TCP port 5050, enter:
iptables -A OUTPUT -p tcp --dport 5050 -j DROP

To block TCP port 5050 for the IP address 192.168.1.2 only, enter:
iptables -A OUTPUT -p tcp -d 192.168.1.2 --dport 5050 -j DROP

Finally, you need to save your firewall rules. Under CentOS / RHEL / Fedora Linux, enter:
# /sbin/service iptables save
OR
# /etc/init.d/iptables save
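The three OUTPUT rules and the save step above, put together as an added example (this script is not from the original post): each rule goes through a helper that first runs iptables -C, so re-running the script never appends duplicate copies of the same rule, and the script only prints the commands unless IPTABLES=iptables is set in the environment. The function names and the dry-run switch are this example's own conventions; the addresses and port are the ones used in the article.

```sh
#!/bin/sh
# Added example, not from the original post: build the OUTPUT blocks described
# above idempotently and persist them the CentOS / RHEL way.
# Dry-run by default: the commands are printed. Run as root with
# IPTABLES=iptables in the environment to apply them for real.
IPTABLES="${IPTABLES:-echo}"

# add_rule CHAIN RULE...: append RULE to CHAIN unless an identical rule is
# already present. iptables -C (available since iptables 1.4.11) exits 0 when
# the rule exists, so running this script twice does not duplicate rules.
add_rule() {
    chain="$1"; shift
    if [ "$IPTABLES" != echo ] && "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -A "$chain" "$@"
}

# block_host IP: drop every outgoing packet addressed to IP
block_host() {
    add_rule OUTPUT -d "$1" -j DROP
}

# block_port PORT [IP]: drop outgoing TCP to PORT; only towards IP when given
block_port() {
    if [ -n "$2" ]; then
        add_rule OUTPUT -p tcp -d "$2" --dport "$1" -j DROP
    else
        add_rule OUTPUT -p tcp --dport "$1" -j DROP
    fi
}

# save_rules: persist the running rule set (CentOS / RHEL / Fedora)
save_rules() {
    if [ "$IPTABLES" = echo ]; then
        echo "/sbin/service iptables save"
    else
        /sbin/service iptables save
    fi
}

# The address, port and host below are the ones from the article.
block_host 202.54.1.22
block_port 5050
block_port 5050 192.168.1.2
save_rules
```

Run it once without arguments to see the exact iptables commands it would issue; when the output looks right, run it again as root with IPTABLES=iptables to apply and save them. Afterwards, iptables -L OUTPUT -n --line-numbers shows the rules in the order they are evaluated.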

For more information see the Linux iptables(8) man page or our Linux firewall tutorials listed below:

  1. CentOS / Redhat Iptables Firewall Configuration Tutorial
  2. Linux Configure Firewall Using Shorewall Under RHEL / CentOS
  3. Debian / Ubuntu Linux: Install and Configure Shoreline Firewall (Shorewall)

24 comments

1 thon August 8, 2007 at 10:15 am

IPTABLES. I just want to know how to block a certain IP address or network from accessing a specific server. Let's say the host/IP 192.168.1.2 will be blocked/denied access to the server/IP 192.168.1.10.

thanks


2 Jes October 17, 2007 at 2:35 am

Not one freaking person on the whole internet has an example of how to use iptables to stop one single machine from being able to access one single IP address.


3 Sayajin January 29, 2014 at 12:56 pm

iptables -A INPUT -s 192.168.0.42 -d 202.54.1.22 -j DROP


4 nixCraft October 17, 2007 at 5:39 am

Jes,

Drop single system 202.54.1.22:

iptables -A INPUT -d 202.54.1.22 -j DROP

Try the following URLs for more:
How do I Drop or block attackers IP with null routes?
Linux Iptables block incoming access to selected or specific ip address

HTH


5 k December 10, 2007 at 6:50 pm

Hi, Can anyone help?
How do I block the outgoing traffic from IP address x to IP address y, but allow the incoming traffic from y to x? For some reason when I accept input and then drop output it doesn't allow inputs. Additionally, I did:
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
But I can't ping x from y and vice versa. Please help.
Thank you,
k.


6 Prince September 9, 2008 at 9:36 am

Hi guys, I need help!
Running Red Hat Linux 7.1 2.96-98 and I need to block a group of users, by username, from accessing the internet. Limit the same users to have access between 1300 – 1400 hrs and 1600 – 1700 hrs. I'm using Linux as the proxy server. I've tried iptables -A OUTPUT -p TCP -m owner --uid-owner prince -j DROP, but this owner and --uid-owner are not recognised.
Thank you


7 nixCraft September 9, 2008 at 10:53 am

You need to get the latest version, RHEL 5.x or CentOS 5.x. Your distro is outdated and no longer supported.


8 Jose October 29, 2008 at 9:08 pm

Good article, very useful for me.
Thanks a lot
JC


9 vinni November 17, 2008 at 4:47 pm

Thanks for the info, dear. Put some more info regarding bandwidth management.


10 Murali December 30, 2009 at 1:48 pm

Hi Friends,

I am using Fedora 6.0 with a Squid server, and clients access the internet and mail with the iptables configuration below. Now I want to block the internet for a particular IP range (e.g. 192.168.1.10 to 192.168.1.50), while the top-level people want full internet access (e.g. 192.168.1.51 to 192.168.1.55). Please, I need some help.

Note: I have already blocked some sites for everyone (192.168.1.0/255.255.255.0), but 5 people want full access. How do I configure my iptables? Please help me.

PRESENT IPTABLES CONFIGURATION:

# Generated by iptables-save v1.3.5 on Tue Dec 29 11:20:21 2009
*nat
:PREROUTING ACCEPT [21:3311]
:POSTROUTING ACCEPT [1:241]
:OUTPUT ACCEPT [1:241]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Dec 29 11:20:21 2009
# Generated by iptables-save v1.3.5 on Tue Dec 29 11:20:21 2009
*filter
:INPUT ACCEPT [3822:1594474]
:FORWARD ACCEPT [115:7616]
:OUTPUT ACCEPT [2702:1165159]
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
# Completed on Tue Dec 29 11:20:21 2009


11 Nerigal May 12, 2010 at 1:53 pm

Is it possible to blacklist (ban from everything) a source IP that hits a specific port of your choice?

A kind of trap…


12 rakesh July 14, 2010 at 9:27 am

Hi, I am a newbie in Linux. I am using Fedora 6.0 with a Squid server.
I want to block Gmail for a specific subnet. How can I do it?


13 sen3ca April 13, 2011 at 8:29 pm

Nice, concise, and exactly what I was looking for. Thanks.


14 imrankhan April 26, 2011 at 5:43 am

Sir,
I am using Fedora 13 iptables. I was blocking some websites, but I want selected users to have access to particular websites.
Please find me some other commands.


15 rana May 10, 2011 at 9:41 am

Sir,
I want to block a website from my Linux server, using the iptables command, for a local computer.


16 Avin October 5, 2011 at 4:26 am

How do I block Gmail using iptables? I am using CentOS 5.7.


17 Dean Kamali April 19, 2012 at 4:28 pm

There should be --dport, not -dport, otherwise you will get:

iptables v1.3.5: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

The correct syntax is:
iptables -A OUTPUT -p tcp --dport 5050 -j DROP


18 Helpful Guy March 6, 2013 at 9:18 am

There should be '--dport', not '-dport' (double dash).


19 Ahmad June 23, 2013 at 1:14 am

Dean Kamali, thank you very much. I spent a long time trying to figure out what was wrong until I saw your comment.

To clarify, dport has to have two dashes before it.


20 Aravindan August 27, 2013 at 12:38 pm

Hi,

Your tutorials are simply superb.
Please let me know the difference between using the DROP and REJECT options.


21 vikas September 20, 2013 at 5:00 pm

Hi,
Can anyone suggest how to block internet access through the Fedora DHCP server while only allowing intranet access? Some users also access the internet through a USB dongle while at the same time they are connected to the intranet; I want to block their internet access when they are on the network. It is a small enterprise network currently running on a Windows 2008 server and using Fedora for DHCP and FTP services. Please help.


22 Muhammad Faisal Jamil February 12, 2014 at 9:03 am

Hi guys, I want to allow one service, which is published on a live IP address with a specific port like x.x.x.x:5768, through Squid.
Currently I am using RHEL 6.x and only specific sites are allowed through a url_regex rule. So how can I implement this ACL to allow only one web service on a specific port?

Thanks


23 Mohsin khan March 17, 2014 at 4:15 pm

Hi All,

I want to block ports 1202 & 22 for all IPs and only allow one specific IP, e.g. 1.2.3.4, on CentOS 5.9 64-bit.

Please help me with a short way to do it.

Waiting for your reply.


24 Aravindan R March 18, 2014 at 9:44 am

Hi Mohsin,

Step 1:

iptables -I INPUT -p tcp -m multiport --dports 1202,22 -s 1.2.3.4 -j ACCEPT

Step 2:

iptables -A INPUT -p tcp -m multiport --dports 1202,22 -j REJECT

Then save the iptables rules and restart.

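The allow-one-address, reject-everyone-else policy discussed in the last two comments, written as an added example that is not part of this thread: instead of issuing -I and -A commands one at a time, the restrict_ports function (a name of this example's own) emits a complete iptables-restore ruleset, so the rule order is fixed in a file that can be reviewed before it is loaded. It uses the multiport match for the 1202,22 port list, places an ESTABLISHED,RELATED rule first so that an SSH session already open from another address is not cut off the moment the rules are loaded, and rejects new connections with a TCP reset rather than silently dropping them.

```sh
#!/bin/sh
# Added example, not from the original thread: emit an iptables-restore ruleset
# that lets only one trusted address reach the listed TCP ports and rejects
# everyone else. Nothing is applied; the ruleset is printed for review.
#
# restrict_ports TRUSTED_IP PORTS   (PORTS is comma-separated, e.g. 1202,22)
restrict_ports() {
    trusted="$1"
    ports="$2"
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -p tcp -m multiport --dports $ports -s $trusted -j ACCEPT" \
        "-A INPUT -p tcp -m multiport --dports $ports -j REJECT --reject-with tcp-reset" \
        'COMMIT'
}

# Values from the comment above: trusted host 1.2.3.4, ports 1202 and 22.
restrict_ports 1.2.3.4 1202,22
```

Redirect the output to a file, read it, and load it with iptables-restore -n < file; the -n (noflush) flag appends these rules to the running filter table, whereas without it iptables-restore replaces the whole table with just these lines. Then check the order with iptables -L INPUT -n --line-numbers and persist the result with the save command from the article.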
