
Blocking Abusive IP Addresses With Iptables on Linux

Want to remain safe and secure in Linux? Here's a guide to blocking abusive IP addresses in Linux with iptables, including an overview of what iptables actually is.


I’ve recently had some questions come up from some of my clients who want to know how they can block specific IP addresses that are abusing their websites and server. In those instances where you want to block a particular IP from your server and are running a distribution of Linux, you can block the traffic from that IP address by using iptables. This tutorial will teach you how to set up, view, and configure a rule to block a specific IP address.

What Is Iptables?

Iptables is the firewall tool installed by default on most Linux distributions. Out of the box, iptables allows all traffic to pass through to your server, but you can configure it to restrict or drop traffic through a variety of rules that can be set up to limit who and what can actually connect to your server.

To access and use iptables, you need root privileges, either by using sudo or by logging in directly as the root user of the server you are working with. The iptables commands shown below assume you are running as root; if you are not, you will need to prefix each of them with the sudo command.

How to Set up a Rule to Block a Specific IP Address

The specific case discussed in this article is the desire to stop any and all traffic originating from a specific IP address by dropping the inbound packets and not allowing them to proceed any further.

The syntax to add a simple rule to iptables to block a specific IP address and drop its connection to the server is:

iptables -A INPUT -s {IP_ADDRESS} -j DROP

Looking at this command, there are a few flags that I think are important for you to know.

The -A flag followed by the INPUT chain indicates that the rule is to be appended to the INPUT rule chain. We will only deal with the INPUT chain in this tutorial, as it is the chain that affects incoming traffic.

The -s flag followed by the IP address specifies the source of the traffic to be acted upon. It will apply any rules you define to any traffic coming from this source.

The -j flag followed by the DROP target causes the firewall to silently discard the packet and stop processing further rules in the specified chain.

So if we look at the command above, we’ve indicated that we want to append a new rule to the INPUT chain, and all traffic originating from the specified IP address will be silently ignored and dropped without further processing.

How Do I Unblock an IP Address?

In the event that you made a mistake and entered the wrong IP address, how do you remove that rule so that traffic from that IP address may flow freely once again?

iptables -D INPUT -s {IP_ADDRESS} -j DROP

The new flag shown in this command is -D, followed by the INPUT chain, which indicates that the rule specified after it is to be deleted from that chain.

How Do I View the Currently Configured Iptables Rules?

To view the currently configured rules and confirm the ones you have entered, run the iptables command with the -L flag. This lists the current filter rules.

iptables -L

The output from this command will be similar to the listing shown below. You will see all of the chains, and your new rules will appear under the INPUT chain.

Chain INPUT (policy ACCEPT)
target prot opt source destination 
DROP all -- {IP_ADDRESS} anywhere 

Chain FORWARD (policy ACCEPT)
target prot opt source destination 

Chain OUTPUT (policy ACCEPT)
target prot opt source destination 

Your New Iptables Rules Are Set Up and Configured

The rules you have set up take effect immediately. With the rule defined above in place, traffic from the specified IP address stops instantly and that address is no longer able to interact with your server.
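The three commands from this tutorial, wrapped into a small POSIX shell script as an added example (this is not code from the original article or from Drew Harvey): it validates the address before anything is passed to iptables, uses iptables -C to avoid appending the same DROP rule twice, and lists the INPUT chain numerically with line numbers. The function names valid_ipv4, block_ip, unblock_ip and show_rules and the IPT variable are names chosen here; the script assumes iptables is on the PATH and that it runs as root (or with IPT set to "sudo iptables"). The address 203.0.113.5 is a placeholder from the documentation range.

```shell
#!/bin/sh
# Added example, not part of the original article. Helper functions around
# the article's three iptables commands. IPT can be overridden, e.g.
# IPT="sudo iptables" when not running as root.
IPT="${IPT:-iptables}"

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
# Anything else (hostnames, IPv6, shell metacharacters) is rejected so that
# only a well-formed address ever reaches the iptables command line.
valid_ipv4() {
    addr="${1%/*}"            # address without the optional /prefix
    prefix="${1#"$addr"}"     # "" or "/NN"
    case "$prefix" in
        "") ;;
        /[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -f                    # no pathname expansion while splitting
    set -- $addr              # split on "." into positional parameters
    set +f
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append a DROP rule for the address to the INPUT chain (iptables -A INPUT -s ADDR -j DROP),
# unless an identical rule is already present (iptables -C returns 0 when it matches).
block_ip() {
    valid_ipv4 "$1" || { echo "block_ip: '$1' is not an IPv4 address or CIDR block" >&2; return 2; }
    if $IPT -C INPUT -s "$1" -j DROP 2>/dev/null; then
        echo "already blocked: $1"
        return 0
    fi
    $IPT -A INPUT -s "$1" -j DROP
}

# Delete the rule again (iptables -D INPUT -s ADDR -j DROP). The specification
# must match the rule that was added exactly.
unblock_ip() {
    valid_ipv4 "$1" || { echo "unblock_ip: '$1' is not an IPv4 address or CIDR block" >&2; return 2; }
    $IPT -D INPUT -s "$1" -j DROP
}

# List the INPUT chain. -n skips reverse DNS lookups (faster, and the source
# column shows the address as entered); --line-numbers makes rule positions visible.
show_rules() {
    $IPT -L INPUT -n --line-numbers
}

main() {
    case "${1:-}" in
        block)   block_ip "$2" ;;
        unblock) unblock_ip "$2" ;;
        list)    show_rules ;;
        *) echo "usage: $0 block ADDRESS | unblock ADDRESS | list" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked with arguments so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as sh block_ip.sh block 203.0.113.5, then sh block_ip.sh list to confirm the rule, and sh block_ip.sh unblock 203.0.113.5 to remove it. Two things worth knowing beyond what the commands themselves show: -A appends, so the DROP rule lands after every rule already in the INPUT chain, and an earlier ACCEPT rule that matches the same traffic (for example one accepting established connections) wins; iptables -I INPUT inserts at the top if that applies to your server. Rules added this way live only in kernel memory and are gone after a reboot unless you save them with iptables-save or your distribution's persistence package.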


Published at DZone with permission of Drew Harvey, DZone MVB. See the original article here.
