Linux Block Port With IPtables Command

How do I block port number with iptables under Linux operating systems?

Port numbers which are recognized by Internet and other network protocols, enabling the computer to interact with others. Each Linux server has a port number (see /etc/services file). For example:

  1. TCP port 80 – HTTP Server
  2. TCP port 443 – HTTPS Server
  3. TCP port 25 – Mail Server
  4. TCP port 22 – OpenSSH (remote) secure shell server
  5. TCP port 110 – POP3 (Post Office Protocol v3) server
  6. TCP port 143 – Internet Message Access Protocol (IMAP) — management of email messages
  7. TCP / UDP port 53 – Domain Name System (DNS)

Linux block Incoming Port With IPtables

The syntax is as follows to block incoming port using IPtables:

/sbin/iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP
### interface section - use eth1 ###
/sbin/iptables -A INPUT -i eth1 -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP
### only drop port for given IP or Subnet ##
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP-ADDRESS-HERE} -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP/SUBNET-HERE} -j DROP

To block port 80 (HTTP server), enter (or add to your iptables shell script):
# /sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP
# /sbin/service iptables save

See how to save iptables firewall rules permanently on Linux for more information.

Block Incoming Port 80 except for IP Address

# /sbin/iptables -A INPUT -p tcp -i eth1 ! -s --dport 80 -j DROP

Block Outgoing Port

The syntax is as follows:

/sbin/iptables -A OUTPUT -p tcp --dport {PORT-NUMBER-HERE} -j DROP
### interface section use eth1 ###
/sbin/iptables -A OUTPUT -o eth1 -p tcp --dport {PORT-NUMBER-HERE} -j DROP
### only drop port for given IP or Subnet ##
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP-ADDRESS-HERE} -j DROP
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP/SUBNET-HERE} -j DROP

To block outgoing port # 25, enter:
# /sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
# /sbin/service iptables save

You can block port # 1234 for IP address only:
# /sbin/iptables -A OUTPUT -p tcp -d --dport 1234 -j DROP
# /sbin/service iptables save

How Do I Log Dropped Port Details?

Use the following syntax:

# Logging #
### If you would like to log dropped packets to syslog, first log it ###
/sbin/iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "PORT 80 DROP: " --log-level 7
### now drop it ###
/sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP

How Do I Block Cracker (IP: Access To UDP Port # 161?

/sbin/iptables -A INPUT -s -i eth1 -p udp -m state --state NEW -m udp --dport 161 -j DROP
# drop students subnet to port 80
/sbin/iptables -A INPUT -s -i eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j DROP

How do I view blocked ports rules?

Use the iptables command:
# /sbin/iptables -L -n -v
# /sbin/iptables -L -n -v | grep port
# /sbin/iptables -L -n -v | grep -i DROP
# /sbin/iptables -L OUTPUT -n -v
# /sbin/iptables -L INPUT -n -v

Sample outputs:

Fig.01: View blocked ports/IP

Fig.01: View blocked ports/IP

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 32 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
32 comments… add one
  • Spyros Dec 11, 2010 @ 8:51

    I was actually looking for a good iptables reference, this one seems to do the trick, thanx !

  • moinul May 8, 2011 @ 4:30

    i need ip block for internet service.

  • myne Jul 21, 2011 @ 8:20

    How to block all except one IP.

  • Sux Nov 13, 2011 @ 0:50

    The “Block Incoming Port 80 except for IP Address” section is wrong.
    The ‘-s’ and ‘1’ should be swapped, the correct command is:
    # /sbin/iptables -A INPUT -p tcp -i eth1 ! -s –dport 80 -j DROP

  • Sux Nov 13, 2011 @ 0:51

    I meant ‘-s’ and ‘!’ :]

  • Mike May 3, 2012 @ 21:42

    please help me i have maplestory server and someone attack my ports how do i bloc him and where do i put it in?

    • gg Mar 17, 2014 @ 4:52


  • wahyu Oct 5, 2012 @ 11:46

    What if I want to block some ports? such as 80, 3128 and 22, can I just do that with this line:

    # /sbin/iptables -A INPUT -p tcp ! –destination-port 80 3128 22 -j DROP ?

  • Amauris Oct 18, 2012 @ 22:27

    Would this be correct to block port 25 except for ip

    # /sbin/iptables -A OUTPUT -p tcp -i eth1 ! -s –-dport 25 -j DROP

    • FAILWHALE Jun 2, 2013 @ 9:56

      You cant use -i with output

      :/var/www/ iptables-restore < /etc/iptables.up.rules
      iptables-restore v1.4.14: Can't use -i with OUTPUT
      Error occurred at line: 17

      Way to go dildo.

  • Baldwin Oct 21, 2012 @ 16:13

    I am still having a problem on how to configure squid to use iptables for the port redirection 3128 rather than configure the browser to do so. My children understand how to configure the browser to bypass squid blocking sites. Can anyone help me ? Here is my squid.conf and my iptables that I am using.
    squid.conf ->
    iptables script ->

    • Pitto Mar 25, 2013 @ 8:46

      Hi Baldwin!

      Did you solve this?

      I’m stuck in the same identical problem :/

  • mustafa Oct 23, 2012 @ 16:26

    Please help me here. When i try to block 443 port on outgoing, i get this error:

    iptables v1.3.5: Can’t use -i with OUTPUT

  • Abdul Basit May 31, 2013 @ 16:01

    iptables -A OUTPUT -p tcp –dport 443 -j DROP

  • mnenad Sep 22, 2013 @ 14:48

    Recently i had problem with spammers whom were using my mail server to send spam mail. Since then i am blocking port 25 for external network, but now i can’t receive mail. My question is, is it possible to allow sending mail, using iptables, from localnetwork like, and to allow receiving to port 25 from anywhere?

  • marcin Nov 25, 2013 @ 17:41

    I have been searching for while and I can not find a definite answer.
    Will blocking IP from single port, interface and protocol v.s. blocking same IP from all ports and all interfaces make a iptables work faster?
    iptables -A INPUT -i {INTERFACE} -s {IP address} -p {prot} –dport {port} -j DROP
    iptables -A INPUT -s {IP address} -j DROP

    I have a large (2000+ IPs ) list to be block from my server, but when in place drop all significantly slows down the server and packets throughput.

  • TuxGamer Mar 4, 2014 @ 11:54

    Thank you for the tutorial :)

  • RK Mar 10, 2014 @ 6:28


    I have blocked port 80 and now question is how to unblock it

    • David Apr 8, 2014 @ 10:46

      list rules:
      iptables -L

      find where the rule is, and delete it:
      iptables -D INPUT 1
      (removes the first rule from “INPUT”)

  • Serge May 12, 2014 @ 13:38

    Use -d not -s for outgoing connection!!

    • mian May 29, 2014 @ 16:41

      I’m trying to block all ports except 80 and 443 to one specific host.For instance i have 10 hosts that should access a server on which i will enable iptables. Now 9 hosts should be able to access all the ports but one host should only be able to access port 80 and 443 and all others should be dropped.How can that be done ?

  • Slim Jun 16, 2014 @ 9:46

    Hi guys,

    How to block all ports, except one or two specify ports

  • mike Jun 19, 2014 @ 7:30

    very nice work !

  • A.Lakshmana Shiva` Mar 18, 2015 @ 8:41

    I am having one doubt in Iptable.I need to block the SSH port in the IPtables at centos 6.5 at minimal mode.I also need to check whether it is working after blocking the port.How to do this?When I try to take the centos machine in Putty the machine in the Centos should not be logged.How to do this?

  • Bv57 Jun 15, 2015 @ 20:29

    Can any one tell me how to block a source port

  • bhanu Feb 27, 2016 @ 6:59

    what was the command to block all the ports except one port

  • CrashM Aug 24, 2016 @ 10:25

    For output rules -i should be -o

  • Ranjith Kumar Oct 10, 2016 @ 9:20

    How to block/unblock all port connections to specific ip in linux? Any iptables commands? sudo iptables -A INPUT -j DROP this command blocks all connections in the system which it runs. I want to give specific ip to this command to block

  • Khedir Qassim Oct 29, 2020 @ 21:06

    Configure an iptables firewall to allow a webserver running on port 8888 on the host machine to be only accessible from another machine on the network with the following IP address The IP address of the host is Consider the firewall to be its default state initially. Your firewall configuration should only expose the ports and protocols necessary for the task. List all commands necessary to accomplish this task.

  • Pascal Suter Nov 26, 2020 @ 8:10

    there is a mistake in your example on how to except an ip from the rule: the ! should be before the -s, so the correct syntax would be:
    # /sbin/iptables -A INPUT -p tcp -i eth1 ! -s --dport 80 -j DROP

    but thanks for the great cheat-sheet!

    • 🐧 Vivek Gite Nov 26, 2020 @ 10:20

      The page has been updated. I appreciate your feedback.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum