You would like to block outgoing access to a particular remote host/IP address or port, either for all traffic or only for a selected service/port. In this quick tutorial I will explain how to use iptables to block outgoing access.
Block Access To Outgoing IP Address
The following rule will block IP address 202.54.1.22 from receiving any outgoing connection from this host (the OUTPUT chain matches packets generated locally; packets routed on behalf of other machines pass through the FORWARD chain instead):
iptables -A OUTPUT -d 202.54.1.22 -j DROP
Use this to block, for example, a chat server's IP address or a site hosting dangerous content such as viruses or malware.
Block Access To Outgoing IP TCP / UDP Port Number
It is also possible to block specific port numbers. For example, you can block outgoing TCP port 5050 to every destination as follows:
iptables -A OUTPUT -p tcp --dport 5050 -j DROP
To block TCP port 5050 for the single destination IP address 192.168.1.2 only, enter:
iptables -A OUTPUT -p tcp -d 192.168.1.2 --dport 5050 -j DROP
Finally, you need to save your firewall rules. Under CentOS / RHEL / Fedora Linux, enter:
# /sbin/service iptables save
OR
# /etc/init.d/iptables save
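As an added example that is not part of the original article, the following small POSIX shell wrapper applies the same three rules but checks with `iptables -C` before inserting, so re-running it does not stack duplicate DROP rules, and inserts with `-I` so the DROP lands ahead of any earlier blanket ACCEPT in OUTPUT. It assumes the binary is at /sbin/iptables (override with the IPTABLES variable) and an iptables new enough to support `-C` (1.4.11 or later; the 1.3.5 shown in the comments below lacks it).

```shell
#!/bin/sh
# Added example (not from the original article): idempotent wrapper around the
# article's OUTPUT rules. IPTABLES is an assumed variable; set it to a stub
# function to dry-run without root.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# ensure_rule CHAIN RULE... : insert RULE at the top of CHAIN unless it is
# already present. Returns 0 when added, 1 when it was already there.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 1            # identical rule already in the chain
    fi
    "$IPTABLES" -I "$chain" 1 "$@"
}

# Block every outgoing packet to one host (the article's first rule).
block_outgoing_host() {
    ensure_rule OUTPUT -d "$1" -j DROP
}

# Block outgoing TCP to one port, optionally limited to one destination host.
# --dport is only valid together with -p tcp (or -p udp), hence the -p here.
block_outgoing_tcp_port() {
    port="$1"; host="${2:-}"
    if [ -n "$host" ]; then
        ensure_rule OUTPUT -p tcp -d "$host" --dport "$port" -j DROP
    else
        ensure_rule OUTPUT -p tcp --dport "$port" -j DROP
    fi
}

# Usage (needs root): ./block.sh apply  -> adds the article's rules, lists OUTPUT.
if [ "${1:-}" = "apply" ]; then
    block_outgoing_host 202.54.1.22 || true
    block_outgoing_tcp_port 5050 || true
    block_outgoing_tcp_port 5050 192.168.1.2 || true
    "$IPTABLES" -S OUTPUT
fi
```

Remember that the rules still live only in kernel memory; run the save command for your distribution afterwards, as shown above.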
IPTABLES. I just want to know how to block a certain IP address or network from accessing a specific server. Let's say the host/IP 192.168.1.2 will be blocked/denied access to server/IP 192.168.1.10.
thanks
Not one freaking person on the whole internet has an example of how to use iptables to stop one single machine from being able to access one single IP address.
Jes,
Drop single system 202.54.1.22:
Try the following URLs for more …
How do I Drop or block attackers IP with null routes?
Linux Iptables block incoming access to selected or specific ip address
HTH
Hi, Can anyone help?
How do I block the outgoing traffic from x IP address to y IP address, but allow the incoming traffic from y to x? For some reason when I accept input and then do output drop it doesn’t allow inputs. Additionally, I did:
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
But can’t ping x from y and vice versa. Please help.
Thank you,
k.
Hi guys, Need help!!!!
Running Red Hat Linux 7.1 2.96-98 and need to block a group of users, using username, from accessing the internet. Limit the same users to have access between 1300 – 1400 hrs and 1600 – 1700 hrs. I'm using Linux as the proxy server. I've tried iptables -A OUTPUT -p TCP -m owner --uid-owner prince -j DROP, but this owner and --uid-owner are not recognised.
Thank you
You need to get Latest version RHEL 5.x or CentOS 5.x. Your distro is outdated and no longer supported.
Good article, very useful for me
Tks a lot
JC
Thanks for the info dear .. Put some more info regd the bandwidth management
Hi Friends,
I am using Fedora 6.0 with a squid server, and clients are accessing the internet and mail with the iptables configuration below. Now I want to block the internet for a particular IP range (Ex: 192.168.1.10 to 192.168.1.50), and the top-level people want full internet access (Ex: 192.168.1.51 to 192.168.1.55). Please, I need some help.
Note: I have already blocked some sites for all (192.168.1.0/255.255.255.0), but 5 people want full access. How do I configure my iptables? Please help me.
****************PRESENT IPTABLE CONFIGURATION***********************
# Generated by iptables-save v1.3.5 on Tue Dec 29 11:20:21 2009
*nat
:PREROUTING ACCEPT [21:3311]
:POSTROUTING ACCEPT [1:241]
:OUTPUT ACCEPT [1:241]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Dec 29 11:20:21 2009
# Generated by iptables-save v1.3.5 on Tue Dec 29 11:20:21 2009
*filter
:INPUT ACCEPT [3822:1594474]
:FORWARD ACCEPT [115:7616]
:OUTPUT ACCEPT [2702:1165159]
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
# Completed on Tue Dec 29 11:20:21 2009
Is it possible to blacklist (ban from all) a source IP that would hit a specific port of your choice?
A kind of trap…
Hi, I am a newbie in Linux. I am using Fedora 6.0 with a squid server.
I want to block Gmail for a specific subnet. How can I do it?
nice, concise, and exactly what I was looking for. Thanks
sir,
I am using Fedora 13 iptables. I was blocking some websites, but selected users have access to particular websites.
Please find me some other commands.
sir,
I want to block a website from my Linux server using the iptables command, for a local computer.
How to block Gmail using iptables ? I am using CentOS 5.7.
There should be --dport, not -dport, otherwise you will get
iptables v1.3.5: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
The correct syntax is
iptables -A OUTPUT -p tcp --dport 5050 -j DROP