How/command to block/unblock an IP address in your Linux server – IPTables command to block/unblock an IP

We have already covered the basics of iptables on Linux and some common ways of using it to secure a server. With iptables you can block a single IP address or a whole range of addresses (a network in CIDR notation, e.g. 203.0.113.0/24) before it reaches any service on the server. This is the usual answer to addresses that keep showing up in your secure log with repeated failed login attempts or similar unwanted activity: once dropped at the firewall, their connections never get as far as the daemon they were probing. Before blocking anything, make sure the address is not the one you are logged in from, or you will lock yourself out.

To block an IP address, add a rule to the INPUT chain of iptables (the chain that handles traffic addressed to the server itself; traffic routed through the box goes via FORWARD instead). The switches used here are (note that iptables options are case-sensitive, so it is -j, not -J):

-A : Append a rule to the end of a chain
-s : Source IP address (or network in CIDR notation) to match
-j : Jump to a target (DROP, REJECT or ACCEPT)

How do I block an IP address on my server?
Use the switches above. Syntax:

iptables -A INPUT -s IP-ADD -j DROP

Example:

iptables -A INPUT -s xx.xx.xx.xx -j DROP

Where xx.xx.xx.xx is the IP address you want to block. For IPv6 addresses the same rule goes into ip6tables, which keeps a separate ruleset.

One caveat on -A: iptables walks a chain from top to bottom and the first matching rule wins, so a DROP appended to the end of INPUT is only reached if no earlier rule already accepts that traffic. On a server with a broad ACCEPT higher up (for ESTABLISHED connections, or for a whole interface) the appended rule is silently shadowed. In that case insert the rule at the top of the chain with -I INPUT 1 instead of -A; -I takes the same -s and -j switches.

Rules added from the command line live only in the running kernel and are gone after a reboot, so save them afterwards:

service iptables save

That command belongs to the iptables init script on RHEL/CentOS (on CentOS 7 and later it needs the iptables-services package). Other distributions do not ship it: there you write the ruleset out with iptables-save and restore it at boot, for example through the iptables-persistent package on Debian/Ubuntu.

How can I block a particular port for a particular IP on your Linux server?
Sometimes you only want to keep one address away from one service, for example a host that hammers your mail server but should still be able to reach the web site. That is done with the same rule plus a protocol and port match. Additional switches required:

-p : Protocol to match (tcp or udp); required before any port option
--destination-port : Destination port to match (--dport is the usual short form)

Syntax:

iptables -A INPUT -s IP-ADD -p tcp --destination-port portnumber -j DROP

Example:

iptables -A INPUT -s xx.xx.xx.xx -p tcp --destination-port 25 -j DROP

This blocks only TCP port 25 (SMTP) for that particular IP address; everything else from it is still handled by the remaining rules. Use -p udp for UDP services, and remember that -A appends, so the same first-match caveat as above applies.

How can I unblock an IP address from the block list?
It is tempting to "allow" the address by adding a rule with the target changed to ACCEPT (iptables -A INPUT -s IP-ADD -j ACCEPT). That does not work once the address is already blocked: iptables evaluates rules from top to bottom and stops at the first match, and -A appends the new ACCEPT after the existing DROP, so the DROP keeps winning. The right fix is to delete the DROP rule from the INPUT chain.
Switch to remove an iptables rule:

-D : Delete a rule

-D takes exactly the same specification as the rule you added, so the match (-s, -p, --dport) and target have to be repeated verbatim. Syntax:

iptables -D INPUT -s IP-ADD -j DROP

Example:

iptables -D INPUT -s xx.xxx.xx.xx -j DROP
service iptables save

If the same rule was added more than once (easy to do with repeated -A), -D removes only the first copy; run it again until it reports that no matching rule exists. You can check beforehand with -C, which takes the same arguments as -A/-D and returns 0 only if such a rule is present.
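The block, port-block and unblock commands above fit naturally into one small script. The following is an added example, not the author's own script: it validates the address and port before calling iptables, inserts the DROP at the top of INPUT so it cannot be shadowed by an earlier ACCEPT, refuses to stack duplicate rules (checking with -C), and on unblock keeps deleting until no copy of the rule is left. IPT is an assumed override hook so the logic can be exercised without touching a live firewall (for example IPT="echo iptables" for a dry run); it assumes root and iptables in PATH when used for real. Persisting the result afterwards (service iptables save or iptables-save) is left to the distribution's mechanism as described above.

```shell
#!/bin/sh
# blockip.sh - block or unblock a source IP (optionally only one TCP/UDP port)
# in the INPUT chain. Added example for this post, not the author's script.
# Assumes: run as root, iptables in PATH. IPT is an assumed override hook so
# the logic can be run without a live firewall (IPT="echo iptables" = dry run).
set -eu

IPT=${IPT:-iptables}

# valid_ipv4 ADDR: accept a dotted quad with an optional /0-32 prefix.
# iptables would reject garbage itself, but checking first gives a clear error
# and avoids looping -D over a malformed specification.
valid_ipv4() {
  v_prefix=
  case $1 in
    */*) v_prefix=${1#*/}; [ -n "$v_prefix" ] || return 1 ;;
  esac
  v_ip=${1%%/*}
  case $v_ip in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  v_oldifs=$IFS; IFS=.; set -- $v_ip; IFS=$v_oldifs
  [ $# -eq 4 ] || return 1
  for v_octet in "$@"; do
    [ ${#v_octet} -le 3 ] && [ "$v_octet" -le 255 ] || return 1
  done
  if [ -n "$v_prefix" ]; then
    case $v_prefix in *[!0-9]*) return 1 ;; esac
    [ ${#v_prefix} -le 2 ] && [ "$v_prefix" -le 32 ] || return 1
  fi
  return 0
}

# valid_port PORT: digits only, 1..65535 (length check keeps test(1) from
# choking on absurdly long numbers).
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rule_spec IP [PORT [PROTO]]: print the match part of the rule. Block,
# check (-C) and delete (-D) all use this same string, which is what makes
# -D find the rule that -I created.
rule_spec() {
  rs_ip=$1; rs_port=${2:-}; rs_proto=${3:-tcp}
  valid_ipv4 "$rs_ip" || { echo "rule_spec: invalid IPv4 address '$rs_ip'" >&2; return 1; }
  if [ -z "$rs_port" ]; then
    printf '%s\n' "-s $rs_ip"
    return 0
  fi
  valid_port "$rs_port" || { echo "rule_spec: invalid port '$rs_port'" >&2; return 1; }
  case $rs_proto in
    tcp|udp) ;;
    *) echo "rule_spec: protocol must be tcp or udp" >&2; return 1 ;;
  esac
  printf '%s\n' "-s $rs_ip -p $rs_proto --dport $rs_port"
}

# block_ip IP [PORT [PROTO]]: add a DROP rule at the top of INPUT, once.
block_ip() {
  spec=$(rule_spec "$1" "${2:-}" "${3:-tcp}") || return 1
  # -C returns 0 when an identical rule already exists: do not stack
  # duplicates, each copy would need its own -D later.
  if $IPT -C INPUT $spec -j DROP 2>/dev/null; then
    echo "already blocked: $spec" >&2
    return 0
  fi
  # -I INPUT 1 puts the rule at the top of the chain. -A would append it after
  # any existing ACCEPT rules, and since the first match wins, an appended DROP
  # can be shadowed by an earlier broad ACCEPT (e.g. for ESTABLISHED traffic).
  $IPT -I INPUT 1 $spec -j DROP
}

# unblock_ip IP [PORT [PROTO]]: delete every copy of the matching DROP rule.
unblock_ip() {
  spec=$(rule_spec "$1" "${2:-}" "${3:-tcp}") || return 1
  n=0
  # -D removes only the first instance, so loop until -C no longer matches.
  while $IPT -C INPUT $spec -j DROP 2>/dev/null; do
    $IPT -D INPUT $spec -j DROP
    n=$((n + 1))
  done
  echo "removed $n DROP rule(s) for: $spec"
}

usage() { echo "usage: $0 block|unblock IP [PORT [tcp|udp]]" >&2; exit 2; }

# Command-line entry point; skipped when the file is sourced without arguments.
if [ $# -gt 0 ]; then
  case $1 in
    block)   [ $# -ge 2 ] || usage; block_ip "$2" "${3:-}" "${4:-tcp}" ;;
    unblock) [ $# -ge 2 ] || usage; unblock_ip "$2" "${3:-}" "${4:-tcp}" ;;
    *) usage ;;
  esac
fi
```

Typical use is `./blockip.sh block 203.0.113.5` or `./blockip.sh block 203.0.113.5 25` for a single port, and the matching `unblock` to undo it; the addresses here are from the documentation range and are only illustrative.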

Alternate method – using line numbers
This is handy when the chain holds many rules or you no longer remember the exact specification that was added. List the chain with the --line-numbers switch to find the rule's position, then pass that number to -D instead of repeating the whole rule.
iptables command to list all rules with line numbers (-n prints addresses and ports numerically instead of resolving them, which is faster and avoids DNS lookups for every blocked host):

iptables -L -n --line-numbers

Example:

# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source              destination
1    acctboth   all  --  0.0.0.0/0           0.0.0.0/0
2    DROP       all  --  xx.xx.xx.xx         0.0.0.0/0
3    DROP       all  --  xx.xx.xx.xx         0.0.0.0/0
4    DROP       all  --  xx.xx.xx.xx         0.0.0.0/0
5    DROP       all  --  xx.xx.xx.xx         0.0.0.0/0
6    DROP       all  --  xx.xx.xx.xx         0.0.0.0/0
7    DROP       all  --  xx.xx.xx.xx         0.0.0.0/0
8    DROP       all  --  xx.xx.xx.xx         0.0.0.0/0

(Only the INPUT chain is shown here; the full listing continues with FORWARD and OUTPUT.)

To remove the 8th rule, give -D the chain name and the number instead of a rule specification:
Example:

iptables -D INPUT 8

Rule numbers are positions, not identifiers: as soon as rule 8 is gone, whatever was rule 9 becomes rule 8. When several rules from one listing have to go, delete the highest number first, or re-run the listing after every deletion. Save afterwards as above so the change survives a reboot.
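The renumbering problem above is easy to get wrong by hand when one address has several DROP rules (a plain block plus a per-port block, or duplicates from repeated -A). The following added example, not the author's script, parses the --line-numbers listing, picks out every DROP rule whose source column is exactly the given address, and deletes them highest number first so the positions collected from the listing stay valid. It assumes the column layout shown above (num, target, prot, opt, source, destination, then optional match details); LIST_CMD and IPT are assumed hooks so the parser can be run against captured text rather than a live firewall, and the listing embedded in the script is constructed, not real server output.

```shell
#!/bin/sh
# Remove every DROP rule for one source address by rule number, highest first.
# Added example for this post, not the author's script. Assumes the column
# layout of "iptables -L INPUT -n --line-numbers" (num target prot opt source
# destination ...). LIST_CMD and IPT are assumed hooks so the parser can be
# exercised against captured text instead of a live firewall.
set -eu

LIST_CMD=${LIST_CMD:-"iptables -L INPUT -n --line-numbers"}
IPT=${IPT:-iptables}

# Constructed sample listing in the format iptables prints; not output from a
# real server. Rule 3 is a port-specific block whose extra "tcp dpt:25" column
# must not confuse the parser, and rule 4 belongs to a different address.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       all  --  203.0.113.5          0.0.0.0/0
3    DROP       tcp  --  203.0.113.5          0.0.0.0/0            tcp dpt:25
4    DROP       all  --  198.51.100.7         0.0.0.0/0
5    DROP       all  --  203.0.113.5          0.0.0.0/0'

# drop_rule_numbers LISTING IP: print the numbers of DROP rules whose source
# column is exactly IP, highest number first. The order matters: "iptables -D
# INPUT 2" renumbers rules 3..N, so deleting in ascending order from a list
# collected beforehand would hit the wrong rules or run past the end of the
# chain. Header lines are skipped because their first field is not a number.
drop_rule_numbers() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    $1 ~ /^[0-9]+$/ && $2 == "DROP" && $5 == ip { print $1 }
  ' | sort -rn
}

# unblock_by_number IP: take one listing, then delete each matching rule by
# number. A network block shows up in the source column as e.g.
# 203.0.113.0/24, so pass the same string that was used with -s.
unblock_by_number() {
  ub_listing=$($LIST_CMD)
  ub_count=0
  for ub_n in $(drop_rule_numbers "$ub_listing" "$1"); do
    $IPT -D INPUT "$ub_n"
    ub_count=$((ub_count + 1))
  done
  echo "deleted $ub_count rule(s) for $1" >&2
}

# Command-line entry point: ./unblock-by-number.sh 203.0.113.5
if [ $# -eq 1 ]; then
  unblock_by_number "$1"
fi
```

Run against the sample, drop_rule_numbers returns 5, 3, 2 for 203.0.113.5; deleting in that order leaves rules 1 and 4 in place with their numbers intact until the last deletion, whereas deleting 2 first would have turned the old rule 3 into rule 2 and the old rule 5 into rule 4, so the remaining deletions would have removed the wrong rules.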

That’s all 🙂 🙂


Related topics:
1. What is iptables in Linux ?
2. How to save/backup existing iptables rules to a file
3. How to allow/block PING on Linux server – IPTables rules for icmp

Arunlal Ashok

Linux Server Administrator. I have been dealing with Linux servers since 2012. I started this blog to share and discuss my ideas with the world. Check my profile on Upwork (oDesk) and let me know if you need any assistance. Thanks!!


12 Responses

  1. Giva says:

    I have two IPs in my server and for my secondary IP, I want to BlOCK all incoming port connections except MySQL.

    Could you please help?

  2. sushil pandey says:

    Hi,
    Can anyone please tell me how to write an iptables block-site rule to block (say "google.com") for all users (IPs) except for a single IP address?
    Please help me out. I am using the BM algorithm for string matching to block sites.

  3. Uzair says:

    Don't you need to restart iptables after this?

    • Arun Lal says:

      The "service iptables save" command will add the rule to your iptables chain. Just to make sure everything works, you can restart the firewall using "service iptables restart".

  4. Gert says:

    Nice security tip. I found another tool called fail2ban which can provide extra security. It blocks the offending IP addresses automatically.

  5. usha says:

    Hello sir, how do I open a blocked website using Ubuntu OS?

  6. nikola says:

    Sir, thank you for the great info.
    I have an issue: I wanted to block, and did block, all connections from a specific IP. However, I have 10 users and I would like 3 of them to still have access to that specific IP that I have blocked (DROP).
    Could you please assist me with this? Thank you in advance for your time.

  7. Humberto Zarycki says:

    Wow, this paragraph is nice. My younger sister is analyzing these kinds of things, therefore I am going to convey it to her.
