This quick tutorial explains how to use iptables to block outgoing access from a Linux host: to a particular remote host or IP address, to a TCP or UDP port, or to a port on one particular host. All the rules below go in the OUTPUT chain of the filter table, which only sees traffic that originates on the host itself. If the box is a router or NAT gateway and you want to block traffic that other machines send through it, the same matches belong in the FORWARD chain instead.

Block Access To Outgoing IP Address

The following rule drops every outgoing packet addressed to the given IP address, so the host can no longer open any connection to it (and a connection to it that is already open stalls, because its packets are dropped too):
iptables -A OUTPUT -d -j DROP

Typical targets are a chat server or a site known to host dangerous content such as viruses or malware. Keep in mind that the block is by address only: if the site moves to another IP address, or is served from several addresses, the rule no longer covers it, so check what the name currently resolves to before relying on a single -d rule.

Block Access To Outgoing IP TCP / UDP Port Number

To block a specific destination port, such as TCP port 5050, for every destination, enter the following (note the double dash in --dport; with a single dash iptables reads it as a second -d option and refuses the rule; for UDP use -p udp, since --dport always needs a protocol):
iptables -A OUTPUT -p tcp --dport 5050 -j DROP

To block TCP port 5050 for one destination IP address only, combine the two matches:
iptables -A OUTPUT -p tcp -d --dport 5050 -j DROP

Before saving, check two things. Rules in a chain are evaluated top to bottom and the first match wins. -A appends to the end of the chain, so if an earlier rule already ACCEPTs the traffic the new DROP is never reached; in that case insert the rule at the top with -I OUTPUT instead of -A OUTPUT. Then list the chain with iptables -L OUTPUT -n -v --line-numbers and watch the pkts and bytes counters: they grow as the rule drops traffic, and a counter that stays at zero while the traffic is still flowing means the rule is not matching. Also decide between the two targets: DROP silently discards the packet, so the blocked program hangs until its own timeout expires, while REJECT answers it with an ICMP error (or, with --reject-with tcp-reset, a TCP reset) so it fails at once. DROP, as shown here, does the job; REJECT is the kinder choice for programs on your own host that would otherwise sit waiting.

Finally, rules added with the iptables command live only in kernel memory and are gone after a reboot, so save them. Under CentOS / RHEL / Fedora Linux (releases that ship the iptables init script), enter either of:
# /sbin/service iptables save
# /etc/init.d/iptables save
Both write the running rules to /etc/sysconfig/iptables, from where the init script reloads them at boot. Debian / Ubuntu have no such service; there, dump the rules with iptables-save into a file (the iptables-persistent package reads /etc/iptables/rules.v4) and let iptables-restore load it at boot.
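As an added example (not code from the original tutorial), here is a small POSIX sh script that wraps the three rules above so they can be applied repeatably: it builds the match from a destination and/or port, inserts the rule at the top of OUTPUT so it takes precedence over earlier ACCEPT rules, skips rules that are already present, and lists the chain with counters afterwards. The address 203.0.113.10 (an RFC 5737 documentation address) and the path /sbin/iptables are assumptions; with DRY_RUN=1, the default, it only prints the commands, so it can be read and run without root.

```sh
#!/bin/sh
# Added example for this tutorial, not part of the original page.
# Builds the OUTPUT-chain DROP rules shown above and applies them
# idempotently. Assumed values: 203.0.113.10 is an RFC 5737
# documentation address standing in for the host to block, 5050 is
# the port from the tutorial, and iptables lives in /sbin.

IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands; set to 0 (as root) to apply them

# egress_spec DST PORT [PROTO]
# Prints the match part of an OUTPUT rule. DST or PORT may be empty,
# but not both:
#   egress_spec 203.0.113.10 ""   -> -d 203.0.113.10
#   egress_spec "" 5050           -> -p tcp --dport 5050
#   egress_spec 203.0.113.10 5050 -> -p tcp --dport 5050 -d 203.0.113.10
egress_spec() {
    dst=$1
    port=$2
    proto=${3:-tcp}
    spec=""
    if [ -n "$port" ]; then
        spec="-p $proto --dport $port"      # --dport is only valid with a protocol
    fi
    if [ -n "$dst" ]; then
        spec="${spec:+$spec }-d $dst"
    fi
    if [ -z "$spec" ]; then
        echo "egress_spec: give a destination address, a port, or both" >&2
        return 1
    fi
    printf '%s\n' "$spec"
}

# block_egress DST PORT [PROTO]
# Inserts the DROP rule at the top of OUTPUT (-I) so it wins over any
# ACCEPT rule already in the chain; with -A it would be appended and only
# reached if nothing above it matched first. The -C check keeps a re-run
# from adding the same rule twice.
block_egress() {
    spec=$(egress_spec "$1" "$2" "$3") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s -I OUTPUT %s -j DROP\n' "$IPT" "$spec"
        return 0
    fi
    # $spec is unquoted on purpose: it must split into separate arguments
    if "$IPT" -C OUTPUT $spec -j DROP 2>/dev/null; then
        echo "already present: OUTPUT $spec -j DROP" >&2
        return 0
    fi
    "$IPT" -I OUTPUT $spec -j DROP
}

# show_egress_rules
# Lists OUTPUT with rule numbers and packet/byte counters. A counter that
# stays at zero while the blocked traffic is still flowing means the rule
# is not matching (wrong address or protocol, or the traffic is being
# FORWARDed for another machine rather than originating here).
show_egress_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s -L OUTPUT -n -v --line-numbers\n' "$IPT"
        return 0
    fi
    "$IPT" -L OUTPUT -n -v --line-numbers
}

# The three rules from the tutorial:
block_egress 203.0.113.10 ""      # all outgoing traffic to that host
block_egress "" 5050              # tcp/5050 to any destination
block_egress 203.0.113.10 5050    # tcp/5050 to that host only
show_egress_rules
```

Run it as root with DRY_RUN=0 to apply the rules for real. To see what a rule is actually dropping, insert a rule with the same match and -j LOG --log-prefix "egress-drop: " directly above it; the kernel log then records the destination of every dropped packet.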

For more information see Linux iptables(8) man page or our Linux firewall tutorials from the following resources:

  1. CentOS / Redhat Iptables Firewall Configuration Tutorial
  2. Linux Configure Firewall Using Shorewall Under RHEL / CentOS
  3. Debian / Ubuntu Linux: Install and Configure Shoreline Firewall (Shorewall)

30 comments
  • thon Aug 8, 2007 @ 10:15

    IPTABLES. I just want to know how to block a certain IP address or network from accessing a specific server. Let's say the host/IP will be blocked/denied access to server/IP


  • Jes Oct 17, 2007 @ 2:35

    Not one freaking person on the whole internet has an example of how to use iptables to stop one single machine from being able to access one single IP address.

    • Sayajin Jan 29, 2014 @ 12:56

      iptables -A INPUT -s -d -j DROP

  • 🐧 nixCraft Oct 17, 2007 @ 5:39


    Drop single system

    iptables -A INPUT -d -j DROP

    Try following urls for more …
    How do I Drop or block attackers IP with null routes?
    Linux Iptables block incoming access to selected or specific ip address


  • k Dec 10, 2007 @ 18:50

    Hi, Can anyone help?
    How do I block the outgoing traffic from x IP address to y IP address, but allow the incoming traffic from y to x? For some reason when I accept input and then do output drop it doesn’t allow inputs. Additionally, I did:
    /sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    /sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    But can’t ping x from y and vice versa. Please help.
    Thank you,

    • Cody Jul 26, 2014 @ 12:07

      This is old but whatever, for those who don’t know:

      For dropping OUTPUT and accepting certain connections (by port or whatever):
      You need to use either state module (or preferably nowadays, conntrack with ctstate) to allow ESTABLISHED,RELATED
      And yes this applies to non tcp because:
      The packet is associated with a connection which has seen packets in both directions.
      The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

      For ping, you'll need to allow OUTPUT icmp traffic if you're setting the policy to DROP. That is: the proper icmp types. You're better off rate limiting though (fragmented packets are generally nowadays an indication of malicious activity but that's another story entirely).
      You should also allow ESTABLISHED,RELATED for INPUT as well (think about what I pasted above, as to why that is: if you don’t then a connection-oriented protocol e.g., one that uses TCP, will have issues.. keep in mind it might not be that someone is connecting to your server but YOUR server initiates the connection = output and then the remote host responds but if you don’t allow related then you’ll run in to trouble. Keep in mind outgoing connection requests and how/what they do, ports included as well as what type of connection, when you’re thinking about this).

      • Curl Feb 15, 2015 @ 20:42

        Your answer came a long time after but, hey, thanks! It gave me some enlightenment.

        • Cody Mar 1, 2015 @ 3:05

          Welcome! Hope it answered your question(s) (or if it wasn’t you – since different name – I hope that it was helpful or useful in any case).
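Cody's answer above describes a default-deny OUTPUT policy that still admits return traffic; as an added example (not code from the original post or from any commenter), here is a POSIX sh function that emits such a filter-table ruleset in iptables-restore format, with the uplink interface, resolver and blocked host as parameters. The defaults eth0, 192.0.2.53 and 203.0.113.10 are assumed documentation values, and the allowed services (DNS and HTTP/HTTPS out, SSH in) are a hypothetical baseline to adjust per host. It also covers k's scenario: new connections to the blocked host are dropped, but because the ESTABLISHED,RELATED rule sits above that DROP, replies to a connection the blocked host itself opened still go out.

```sh
#!/bin/sh
# Added example, not code from the original post or its comments.
# Emits a filter-table ruleset (iptables-restore format) with a DROP
# policy on OUTPUT that still lets return traffic, DNS and ping through.
# Assumed values: eth0 is the uplink, 192.0.2.53 the resolver and
# 203.0.113.10 the host to cut off (RFC 5737 documentation addresses).

# stateful_egress_ruleset [UPLINK] [RESOLVER] [BLOCKED_HOST]
# Prints the ruleset; lines starting with # are ignored by iptables-restore.
stateful_egress_ruleset() {
    uplink=${1:-eth0}
    resolver=${2:-192.0.2.53}
    blocked=${3:-203.0.113.10}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is never filtered
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets of a flow conntrack has already seen in both directions, plus
# RELATED ones such as ICMP errors and FTP data channels: this is what
# lets replies to connections this host opened come back in ...
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ... and lets replies to connections this host accepted (SSH below) go out
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new connections to the blocked host are dropped; sitting below the
# ESTABLISHED rule this still permits answers to the blocked host when it
# connected to us first, but also leaves a flow to it that already existed
# when the ruleset was loaded untouched
-A OUTPUT -o $uplink -d $blocked -j DROP
# new outbound flows this host may open
-A OUTPUT -o $uplink -p udp -d $resolver --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $uplink -p tcp -d $resolver --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $uplink -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# outbound ping, rate limited; the echo replies return as ESTABLISHED
-A OUTPUT -o $uplink -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# inbound SSH so the box stays reachable once the policy is applied
-A INPUT -i $uplink -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# everything else falls through to the DROP policies
COMMIT
EOF
}

# apply_stateful_egress [UPLINK] [RESOLVER] [BLOCKED_HOST]
# Loads the whole ruleset in one atomic step (run as root, with console
# access at hand in case the SSH rule does not fit the host).
apply_stateful_egress() {
    stateful_egress_ruleset "$@" | iptables-restore
}

# Print the ruleset with the defaults so it can be reviewed before applying.
stateful_egress_ruleset
```

Review the printed ruleset first, then load it with apply_stateful_egress as root; because iptables-restore replaces the table in one step, there is no window with a half-applied policy.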

  • Prince Sep 9, 2008 @ 9:36

    Hi guys, Need help!!!!
    Running Red Hat Linux 7.1 2.96-98 and need to block a group of users by username from accessing the internet. Limit the same users to have access between 1300 – 1400 hrs and 1600 – 1700 hrs. I'm using Linux as the proxy server. I've tried iptables -A OUTPUT -p TCP -m owner --uid-owner prince -j DROP, but this owner and --uid-owner are not recognised
    Thank you

  • 🐧 nixCraft Sep 9, 2008 @ 10:53

    You need to get Latest version RHEL 5.x or CentOS 5.x. Your distro is outdated and no longer supported.

  • Jose Oct 29, 2008 @ 21:08

    Good article, very useful for me
    Thanks a lot

  • vinni Nov 17, 2008 @ 16:47

    Thanks for the info, dear .. Put some more info regarding bandwidth management

  • Murali Dec 30, 2009 @ 13:48

    Hi Friends,

    I am using Fedora 6.0 with a squid server, but clients are accessing the internet and mail with the iptables configuration below. Now I want to block the internet for a particular IP range (Ex: to ) and top-level people want full internet access (Ex: to ). Please, I need some help.

    Note: I have already blocked some sites for all ( but 5 people want full access. How do I configure my iptables? Please help me

    ****************PRESENT IPTABLE CONFIGURATION***********************

    # Generated by iptables-save v1.3.5 on Tue Dec 29 11:20:21 2009
    :PREROUTING ACCEPT [21:3311]
    :OUTPUT ACCEPT [1:241]
    # Completed on Tue Dec 29 11:20:21 2009
    # Generated by iptables-save v1.3.5 on Tue Dec 29 11:20:21 2009
    :INPUT ACCEPT [3822:1594474]
    :FORWARD ACCEPT [115:7616]
    :OUTPUT ACCEPT [2702:1165159]
    -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth0 -o eth1 -j ACCEPT
    # Completed on Tue Dec 29 11:20:21 2009

  • Nerigal May 12, 2010 @ 13:53

    Is it possible to blacklist (ban from all) a source IP that would hit a specific port of your choice?

    A kind of trap…

  • rakesh Jul 14, 2010 @ 9:27

    Hi, I am a newbie in Linux. I am using Fedora 6.0 with a squid server.
    I want to block Gmail for a specific subnet. How can I do it?

  • sen3ca Apr 13, 2011 @ 20:29

    nice, concise, and exactly what I was looking for. Thanks

  • imrankhan Apr 26, 2011 @ 5:43

    I am using Fedora 13 iptables. I was blocking some websites, but selected users should have access to particular websites.
    Please provide some other commands.

  • rana May 10, 2011 @ 9:41

    I want to block a website from my linux server using iptables command for a local computer

  • Avin Oct 5, 2011 @ 4:26

    How to block Gmail using iptables ? I am using CentOS 5.7.

  • Dean Kamali Apr 19, 2012 @ 16:28

    There should be --dport not -dport, otherwise you will get

    iptables v1.3.5: multiple -d flags not allowed
    Try `iptables -h' or 'iptables --help' for more information.

    The correct syntax is
    iptables -A OUTPUT -p tcp --dport 5050 -j DROP

  • Helpful Guy Mar 6, 2013 @ 9:18

    There should be '--dport' not '-dport' (double dash).

  • Ahmad Jun 23, 2013 @ 1:14

    Dean Kamali, thank you very much. I spent a long time trying to figure out what was wrong until I saw your comment.

    To clarify, dport has to have two dashes before it.

  • Aravindan Aug 27, 2013 @ 12:38


    Your Tuts are simply superb.
    Please let me know the difference between using DROP and REJECT options .

  • vikas Sep 20, 2013 @ 17:00

    Can anyone suggest a way of blocking internet access through the Fedora DHCP server while only allowing intranet access? Some users also access the internet through a USB dongle while at the same time they connect to the intranet; I want to block their internet access when they are on the network. It is a small enterprise network currently running on Windows 2008 Server and using Fedora for DHCP and FTP services… please help…

  • Muhammad Faisal Jamil Feb 12, 2014 @ 9:03

    Hi guys, I want to allow one service which is published on a live IP address with a specific port like x.x.x.x:5768 through squid.
    Currently I am using RHEL 6.x and only specific sites are allowed through a url_regex rule, so how can I implement this ACL to allow only one web service on a specific port?


  • Mohsin khan Mar 17, 2014 @ 16:15

    Hi All,

    I want to block ports 1202 & 22 for all IPs and only want to allow a specific IP, ex. in CentOS 5.9 64-bit.

    Please help me to shortcut it.

    Waiting for your reply.

  • Aravindan R Mar 18, 2014 @ 9:44

    Hi Mohsin,

    Step 1 :

    # --dport takes a single port or a range, so two ports need the multiport match
    iptables -I INPUT -p tcp -m multiport --dports 1202,22 -s -j ACCEPT

    Step 2:

    iptables -A INPUT -p tcp -m multiport --dports 1202,22 -j REJECT

    iptables save and restart

  • Idayat May 2, 2016 @ 17:27

    Your company network comprises a number of publicly accessible servers located in a DMZ and a number of hosts and a file server located in the internal office network. How would you configure the two Linux firewalls (LF1 and LF2) using the iptables program to allow the external world (INTERNET) to access the services located in the DMZ, but on the other side protect the internal office network from INTERNET threats?

  • Idayat May 2, 2016 @ 17:29

    How would you configure the two Linux firewalls (LF1 and LF2) using the iptables program to allow the external world (INTERNET) to access the services located in the DMZ, but on the other side protect the internal office network from INTERNET threats? The services located in the DMZ are a mail server and an HTTP server, and on the office network there is an FTP server and 4 computers. Thanks

  • Prabhakar Sep 27, 2016 @ 12:03

    I need to block the internet access and LAN access of a computer within the network using iptables.

    Could you please help me on this..
