Linux Iptables block all network traffic

You would like to block all network traffic using the iptables firewall under Debian GNU/Linux. This will block all incoming and outgoing traffic, including the Internet link (ADSL/ppp0), and it is highly recommended. The logic is: block everything and allow only required traffic. This can be done with four simple commands:

# iptables -F
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

Please do not enter the above commands over a remote SSH login session: the DROP policies on INPUT and OUTPUT will cut that session off and lock you out.
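As an added example (not code from the original post), here are the four commands above wrapped in a script that also adds the loopback and established-connection allowances a default-deny host needs, with a dry-run mode that prints the rules instead of applying them. The function names, ADMIN_NET (a TEST-NET-1 placeholder) and SSH_PORT are my assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): default-deny iptables rules built
# on the four commands above, plus the allowances needed to keep the box usable.
# ADMIN_NET (a TEST-NET-1 placeholder) and SSH_PORT are assumed values.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# ipt: run iptables, or only print the command when DRY_RUN is set
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# lockdown: flush, set DROP policies, then add only narrow ACCEPT rules.
# Order matters: a broad ACCEPT placed first would shadow everything after it.
lockdown() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    # loopback must be allowed explicitly (see the comments below)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # replies to connections that are already open keep flowing
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # new SSH sessions, and only from the admin network
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# dry_run: the commands lockdown would issue, one per line, nothing applied
dry_run() { ( DRY_RUN=1; lockdown ); }

# rule_count: number of commands the policy issues
rule_count() { dry_run | wc -l | tr -d ' '; }

# first_accept_line: line of the first ACCEPT; must come after the three -P lines
first_accept_line() { dry_run | grep -n -- '-j ACCEPT' | head -n 1 | cut -d: -f1; }

case "${1:-}" in
    apply)   lockdown ;;   # as root, on the console, never over SSH
    dry-run) dry_run ;;
esac
```

Run `sh lockdown.sh dry-run` first and read the output; only then apply it from the console.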

11 comments
  • joe Feb 19, 2012 @ 16:43

    iptables -A INPUT -s -j ACCEPT
    accepts all input from subnets,, and
    iptables -A OUTPUT -d -j ACCEPT
    accepts all output from subnets,, and
    you never reach your drop rules

  • Alan Smith Apr 16, 2011 @ 15:09


    Not sure if you have got any further with this. I’m looking for the same sort of solution, as my Trixbox was hacked even though I ‘thought’ it was quite secure. I would say that you ought to consider blocking all ports from all IPs that you do not know, not just the SIP ones.


  • james Jan 27, 2011 @ 12:56

    Hi All,

    I am very new to iptables and new to linux even. I am trying to allow all connections to my eth1 (public interface) except for the traffic coming in and out from udp ports 5060 until 5080 which should be only allowed for specific IP addresses. Here’s my config below:

    iptables --flush
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -s -j ACCEPT
    iptables -A OUTPUT -d -j ACCEPT
    iptables -A OUTPUT -o eth1 -j ACCEPT

    ###DROP ALL 5060-5080 ports
    #iptables -A INPUT -p udp --dport 5050:5080 -j DROP
    #iptables -A INPUT -p udp --dport 5050:5080 -j DROP

    iptables -A INPUT -p udp -s A.B.C.D --dport 5050:5080 -j ACCEPT
    iptables -A INPUT -p udp -s E.F.G.H --dport 5050:5080 -j ACCEPT
    iptables -A INPUT -p udp -s I.J.K.L --dport 5050:5080 -j ACCEPT

    I tested it, but I can still connect to that server on port 5061 from another public IP that is not declared as allowed.

    Help Please…..


  • Pieter Van Gorp Jan 17, 2010 @ 20:11

    Hi all,
    thanks for your input. Unfortunately I don’t know how to extend these commands for a slightly more subtle scenario: I want to prevent users from moving server content to the internet (=> iptables -P OUTPUT DROP on that server), but I do want to enable them to move content to the server (e.g., read e-mail, download attachments, …)

    It seems that for general web browsing you do need output traffic (I guess just sending your request string??), but I was hoping that iptables could distinguish between control commands (e.g. sending an HTTP GET from the machine to the internet) and actual file transfers from the machine to the internet…

    Is my hope in vain or is there a solution?

    Best regards and thanks in advance,

  • terry Mar 23, 2009 @ 0:47

    Can someone help me to figure out how to use iptables to block all traffic from an IP address, I am not sure what the command would be.

  • paul Mar 14, 2009 @ 21:52

    “Please do not enter above command over remote ssh login session.”
    Haha, hilarious 😀

  • AndresVia Dec 27, 2008 @ 0:16

    @Thomas, a “-j ACCEPT” at the end of the commands is needed.

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

  • Liju Jul 4, 2008 @ 15:22


    It’s better to disable the network service than to use such a firewall.

  • Thomas May 13, 2008 @ 9:17

    Blocking really _ALL_ traffic can cause undesired effects. In fact quite a few applications use the internal loopback interface for internal communication. So the following two rules should be added to allow this:

    iptables -A INPUT -i lo
    iptables -A OUTPUT -o lo

    which allow all traffic via the loopback interface. This should be perfectly safe, even in a hostile environment since all external traffic is still blocked.

  • alireza sadeh seighalan Mar 24, 2008 @ 9:17

    How can I use this order in Fedora Core?
