Iptables: Invert IP, Protocol, Or Interface Test With !

January 29, 2010January 29, 2010in Iptables last updated January 29, 2010

How do I invert a protocol or ip address test while writing iptables based shell scripts?

The iptables command comes with ! operator. The most of these rules can be preceded by a ! to invert the sense of the match. A match can be:

Source or dest ip address
Interface name
Protocol name etc

Examples

The following will match all protocol except UDP:

iptables -A INPUT -p ! UDP

The following match allows IP address range matching and it can be inverted using the ! sign:

iptables -A INPUT -d 192.168.0.0/24 -j DROP
iptables -A OUTPUT -d ! 202.54.1.2 -J ACCEPT
# we trust 202.54.1.5 so skip it
iptables -A OUTPUT -s ! 202.54.1.5 -J DROP

The exclamation mark inverts the match so this will result is a match if the IP is anything except one in the given range 192.168.1.0/24:

iptables -A INPUT -s ! 192.168.1.0/24 -p tcp --dport 80 -J DROP

You can skip your own ip from string test:

iptables -A FORWARD -i eth0 -p tcp ! -s 192.168.1.2 --sport 80 -m string --string '|7F|ELF' -j DROP

Accept port 22 traffic on all interfaces except for eth1 which is connected to the Internet:

iptables -A INPUT -i !eth1 -p tcp --dport 22  -j ACCEPT

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

6 comment

Zdenek Styblik says:
January 29, 2010 at 8:04 pm
Recently, iptables changed syntax in favor of prefixing, so:
iptables -A INPUT ! -s 192.168.1.0/24; << correct
iptables -A INPUT -s ! 192.168.1.0/24; << also correct, but iptables warns you this is a deprecated way to do. so it's question for how long is it going to work.
This prefixing applies for everything, not just source IP address.
Reply Report comment
nixCraft says:
January 30, 2010 at 9:06 am
Zdenek,
You may be right about syntax but most of our systems are running on RHEL 4/5 or CentOS 4/5 and it is not updated by Red Hat. I guess RHEL 6 will come with latest version.
Reply Report comment
Zdenek Styblik says:
February 2, 2010 at 5:04 pm
Ok, sorry for the post then.
Reply Report comment
Bryan says:
May 5, 2013 at 2:11 pm
Wouldn’t you know it? It’s now three years and some days later and now only the prefix ! version of syntax works (squid3). :-P
Reply Report comment

Now it’s 2015

iptables -A MYCHAIN -i !eth1 -s 10.126.24.0/24 -j DROP; iptables -L MYCHAIN -n -v

yields:

    0     0 DROP       all  --  !eth1  *       10.126.24.0/24       0.0.0.0/0

no errors but it doesn’t work

iptables -A MYCHAIN ! -i eth1 -s 10.126.24.0/24 -j DROP; iptables -L MYCHAIN -n -v

also yields:

    0     0 DROP       all  --  !eth1  *       10.126.24.0/24       0.0.0.0/0

but this time itworks!

This is a very bitchy pitfall, take care. Only if you do iptables -L -n -vv with double v, you’ll be able to see the difference between “-i !eth1” and “! -i eth1”.

Reply Report comment

Darius says:
October 9, 2015 at 2:54 pm
iptables -A INPUT -m set –set ! geoblock src -j DROP
Using intrapositioned negation (`–option ! this`) is deprecated in favor of extrapositioned (`! –option this`).
Somebody have any idea what I’m doing worng here ?
Reply Report comment

nixCraft

nixCraft

Iptables: Invert IP, Protocol, Or Interface Test With !

Examples

Recommended readings:

Posted by: Vivek Gite

Share this on:

6 comment

Leave a Comment Cancel reply