How Do I Block an IP Address on My Linux server?

How do I block an IP address or subnet under the Linux operating system?

To block an IP address on your Linux server, use the iptables tool (the administration tool for IPv4 packet filtering and NAT) with the netfilter firewall. First, log in to a shell as the root user. Then type the iptables command as follows:

Syntax to block an IP address under Linux

iptables -A INPUT -s IP-ADDRESS -j DROP

Replace IP-ADDRESS with the actual IP address you want to block. For example, to block an IP address for whatever reason, type the command as follows:
# iptables -A INPUT -s IP-ADDRESS -j DROP
If you have an iptables firewall script, add the above rule to your script.

If you just want to block access from an IP address to one port, such as port 25, type the command:
# iptables -A INPUT -s IP-ADDRESS -p tcp --destination-port 25 -j DROP
The above rule drops all packets coming from that IP address to the mail server port 25.

CentOS / RHEL / Fedora Block An IP And Save It To Config File

Type the following two commands:
# iptables -A INPUT -s IP-ADDRESS -j DROP
# service iptables save

How Do I Unblock An IP Address?

Use the following syntax (the -D option deletes the rule from the table):
# iptables -D INPUT -s IP-ADDRESS -j DROP
# service iptables save
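
For a whole list of addresses or subnets, the same DROP rule can be generated per entry. The script below is an added example, not part of the original article: it validates each IPv4 address or CIDR entry and prints a check-then-insert command, where -C skips rules that already exist and -I puts the rule at the top of INPUT, ahead of any earlier ACCEPT rule that a rule appended with -A would sit behind. The function names and the sample list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): dry-run blocklist generator.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|0?*|???*|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Only digits and dots, no empty octets.
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Reject leading zeros (some parsers read them as octal) and values > 255.
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read one entry per line on stdin; blank lines and "#" comments are allowed.
# Print a check-then-insert command per valid entry; report rejects on stderr.
block_cmds() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if valid_ipv4_cidr "$entry"; then
            # -C succeeds if the rule already exists; -I inserts at the top of INPUT.
            printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' \
                "$entry" "$entry"
        else
            printf 'skipped invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# Constructed sample list using RFC 5737 documentation addresses.
sample_list() {
    printf '%s\n' '203.0.113.7' '198.51.100.0/24   # whole subnet' \
        '203.0.113.999' '192.0.2.1;id' '203.0.113.07'
}

sample_list | block_cmds
```

Nothing is changed until the printed commands are reviewed and piped to sh as root; on CentOS / RHEL / Fedora, follow with service iptables save as shown above.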

See also:

  1. You can write a shell script to block lots of IP addresses and subnets.
  2. Iptables: Unblock / Delete an IP Address Listed in IPtables Tables

🐧 50 comments so far... add one

  • dewanand singh Feb 19, 2007 @ 4:10

    hi dear,

    h a u?

    I have a problem restricting web pages on the client side.

    I have a Linux server to run the Internet. I made a gateway on that server and use it on other systems to run the Internet.

    Here I want only my specified web pages to open on the client system.

    Please can you help me with how to configure it.

    My network is on a workgroup.


  • Rohit Basu Feb 22, 2008 @ 6:52

    There are two solutions:

    1) The best practice is to use a proxy server like Squid on the gateway machine. Then define ACLs in Squid.
    say you want to deny access to and
    acl all src
    acl web_yahoo dest
    acl web_rediff dest

    http_access deny web_yahoo all
    http_access deny web_rediff all

    2) This option is through iptables; assume that your gateway acts as a firewall.

    iptables -A INPUT -p tcp --destination-port 80 -d -j DROP

    It will drop any request to port 80 of yahoo from any source.

  • pradeep May 16, 2008 @ 5:02

    i want to connect internet on local pc by user from server

  • Shiva May 24, 2008 @ 7:05

    Please send me the code in Linux c to block the website typed on the browser. or send the references where i can get

  • Chris Jun 21, 2008 @ 7:19

    Hi I added:

    iptables -A INPUT -s -j DROP

    and kept checking my apache logs, after a short pause of no requests from

    it resumed ?? Could this mean I have been hacked ?

    EG: - - [21/Jun/2008:17:10:40 +1000] "GET /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////photogallery.php?album_id=1 HTTP/1.1" 200

  • 🐧 nixCraft Jun 21, 2008 @ 8:04

    You need to add iptables -A INPUT -s -j DROP to your firewall script. Once added cannot connect to your apache. Do you run any special firewall script such as apf?

  • joel Jul 31, 2008 @ 7:57

    I need an iptables rule for a website (not to go through the Squid proxy). Could you please send me the iptables rule for this one?


  • S. Nilesh Jul 31, 2008 @ 12:29

    joel, I think you can do it without an iptables rule, using Squid configuration, and I don’t think it’s possible to have such a rule. What do you say, Vivek?

  • 🐧 nixCraft Jul 31, 2008 @ 12:35

    Yes, nilesh is right. It all depends upon your setup. Do you have squid proxy installed? If so there is an option to skip from squid cache using ACL. Iptables is for filtering and restricting traffic.

  • joel Aug 1, 2008 @ 1:02

    @vivek and S. Nilesh,

    Yes, I have a Squid transparent proxy caching server and firewall in the same box. Could you kindly post here the ACL rules to bypass webmd from going through Squid? BTW, I’m using the old 2.5 stable 6 version. Thank you very much to both of you for responding to my question.


  • S. Nilesh Aug 1, 2008 @ 9:08

    joel, try this –

    acl webmd dstdomain
    always_direct webmd

    it should do it for you…

  • joel Aug 4, 2008 @ 9:09

    @ S. Nilesh,

    Thank you so much. That really works!! :)

  • joel Aug 8, 2008 @ 10:39

    @ S.Nilesh and Vivek,

    hi again,

    I thought I should ask this question. How would you allow HTTPS traffic for one particular site on the network but restrict all other HTTPS traffic with an iptables rule? I have users bypassing my proxy redirector (squidguard) using HTTPS, and I cannot block port 443 on my firewall because it is being used by a remote GUI application which is also being used by my users.

  • j sox Jan 8, 2009 @ 9:51

    lol dont use -A

    I’m not an iptables guru, but I’ve fought off plenty of attacks and hack attempts. Here’s how a chain works, OK:
    # Drop
    rule 1
    rule 2
    rule 3
    end of chain default rule (drop all or accept all however)
    rule4 your new rule

    So if you use -A, which is the add option, it’s going to add to the drop chain, right,
    which will put it after an absolute, depending on who or how your iptables is set up.
    After an absolute is parsed by iptables, it won’t read any further into the chain; therefore your add option will never work as well as the insert flag -I

    # drop

    rule4 – our new rule here
    drop all

    make sense?

  • Shibin May 12, 2009 @ 15:17

    Hi all,

    Are these iptables entries permanent? Recently I blocked an IP using the step mentioned above (i.e. iptables -A INPUT -s -j DROP). I wanted to know: if my server reboots, will that entry withstand the reboot, or will it be lost upon reboot?

  • 🐧 nixCraft May 13, 2009 @ 9:36


    Nope, you need to write a shell script to keep them alive after reboot.

  • kid Aug 15, 2009 @ 20:32

    how to block all ip and allow access to only one ip?

    • Mikey Apr 2, 2011 @ 2:23

      iptables -I INPUT -s ! {IP ADDRESS} -j DROP

      The Bang character (!) basically means NOT, so the line above would say drop ALL packets NOT going to ip address

  • ecommy Dec 31, 2009 @ 10:46

    Why is it working only if I use it like this? (not iptables -A INPUT -s -j DROP)
    iptables -I INPUT -s -j DROP

  • Mouli Feb 2, 2010 @ 15:17

    Hi !!
    I have RHEL5 installed and I have tried the command #iptables -A INPUT -s -j DROP. I have logged in as root and opened a terminal… and then typed this… but it didn’t work!! Please tell me the actual way to run this command… I really need this very urgently…

  • Mouli Feb 2, 2010 @ 15:18

    Hi !!
    I have RHEL5 installed and I have tried the command #iptables -A INPUT -s IP ADDRESS -j DROP. I have logged in as root and opened a terminal… and then typed this… but it didn’t work!! Please tell me the actual way to run this command… I really need this very urgently…

  • Bappy Feb 19, 2010 @ 2:55

    Does anyone know how to block IPs like this >
    202.56.***.*** that means under 202.56. all IP will be blocked.


    • Mikeapollo Sep 20, 2016 @ 22:52

      Use a mask – so to block, say, 202.101.*.* you would specify the address in CIDR format as

      Plenty of CIDR calculators on Google if you need help or just remember ranges as : = to = to = to

  • faisu Feb 24, 2010 @ 4:29


    how to setup youtube access for specific ip through acl ????

  • rohit singh Jun 16, 2010 @ 5:19

    I am not able to block one particular IP address, please advise me.

    • nacks Oct 30, 2010 @ 13:53


  • Zach Browne Aug 24, 2010 @ 9:23

    I am having some problems leaving a remark. I’ve attempted refreshing several times as well as closing and opening opera. Is anyone else having a problem on this article?

  • Mehmet Karabulut Jan 29, 2011 @ 22:05

    iptables rules explained very clearly. Thank you.

  • Aditya Mar 23, 2011 @ 21:29

    Hi Vivek
    This site is very useful and provides “to the point” information. Keep up the good work.

    Unix aficionado

  • Ben Apr 14, 2011 @ 22:59

    I tested this and blocked the ip from my phone through ip tables. It didn’t block anything i could still ssh in i could still browse the website I host on this server and connect via ftp so I went into my iptables file
    and typed this
    -A PREROUTING -s PhoneIPAddress -j DROP
    saved closed
    service restart iptables
    and then my phone had no access what so ever. Is this just a different way or am I going to run into problems by blocking ip addresses at the PREROUTING level

  • shadowtrooper May 14, 2011 @ 12:45

    I am new to iptables stuff and I have a problem…
    I have a PC running Fedora and I want to make a small network (4 PCs running XP), using the Fedora PC as a firewall.
    I want to prevent ping (I think it is called ICMP) in the private network and prevent one of the PCs from browsing the Internet (block ports 80 and 81, I think),
    and I still don’t know how to make the Internet go through the firewall to the private network…

    Note: WAN = eth0
    LAN = eth1
    Can anyone help, please!!!!

  • Nivetha Aug 16, 2011 @ 8:28

    how can i check whether the iptables is blocked or not

  • barney stinson Sep 15, 2011 @ 9:12

    How can I block connections ONLY TO port 80 of a range of addresses?

    I do not want to create 300 single rules for port 80. Port constraint required as must allow traffic to port 443

  • barney stinson Sep 15, 2011 @ 11:40

    Not blocking any of the addresses in the range:

    iptables -A INPUT -s -p tcp --destination-port 80 -j DROP

    iptables 1.4.10 (android)


  • ronald Sep 27, 2011 @ 7:19

    Thanks for the short lesson on the command. Very helpful.

  • lalus Nov 16, 2011 @ 2:29

    i want my client with ip can access only not else.
    What is the iptables command?


  • Alessio Jan 28, 2012 @ 15:16

    I have a CSV file with the IP list. Can I block all IPs in this file?

  • Mazhar Shahzad Oct 21, 2012 @ 6:05

    I want to Block IPs
    an easy step in cpanel to block ip

  • Domtoren Aug 18, 2013 @ 6:53

    If you have other rules in your INPUT chain you do need to use the -I option to insert your block at the top of the chain.

    iptables -I INPUT -s -j DROP

    to block the IP address

  • mohit Oct 6, 2013 @ 15:51

    Hi there,
    I have an error called 705 (failure to connect web server) when I upload the website on the server.
    It blocks my IP, because all other net connections open it, so please give me a better solution for that.

  • rupesh Feb 17, 2014 @ 12:23

    It is working fine.
    I am able to block an IP address and unblock it. Working fine.

    But how to block a user??

    A user is using the same mobile, changing IP address, and is able to access the server.

  • Maxthon Chan Dec 18, 2014 @ 17:17

    Another way to do this is to use the routing table: use a black hole route; preventing your machine from sending anything back will prevent most attacks:

    ip route add dev lo


    ip route add dev lo # block ssh hacking host

    This will block any packets from going back to and break any TCP connections. This will not prevent a SYN flood DoS though.

  • Chad T Aug 14, 2015 @ 19:33

    I have roughly 5,000 lines in my iptables blocking all of China (at least those not using a proxy or remote). Can anyone think of any performance degradation that may be had from having so many lines in the iptables?

  • Jouni "rautamiekka" Järvinen Jan 18, 2016 @ 19:20

    What if the IP isn’t blocked by iptables ? I use the same rules and my website keeps getting hundreds of thousands of pw bruteforce attempts and the iptables counter of that rule stays at zero.

  • mikeapollo Mar 23, 2016 @ 19:11

    Jouni “rautamiekka” Järvinen – Take a look at fail2ban as this may be more appropriate for you…

  • damanifesto Jul 29, 2016 @ 23:55

    Thanks for the advice. I have a very pesky chinese ip doing a brute-force or DOS attack on my machine. Now – nothing. Thanks again.

  • Stanislav Panayotov Oct 28, 2016 @ 10:27

    I’m using this simple heavy duty bash script as root for some like 15 minutes and more of 30MB IP’s are blocked:


  • Dave Smith Jan 12, 2017 @ 19:07

    I get these brute force attacks a lot
    IPTables isn’t enough to stop them and neither is hosts.deny
    I blackhole the buggers by routing them to
    That way their scripts hang and hang waiting for a response, but they never get one heh heh
    Example I block a specific IP:
    route add gw lo

    Or I block the entire subnet (Mostly China)
    route add -net gw lo

    I do this from Linux command line as root.
    In case you want to test it using your cell phone IP or something this is how you remove it
    route delete IPADDRESS

  • Gowri Sankar May 4, 2017 @ 19:12

    Nice and simple! Thanks a lot.
