Blocking Abusive IP Addresses with Iptables on Linux

Blocking Abusive IP Addresses with Iptables on Linux

I’ve recently had some questions come up from some of my clients who want to know how they can block specific IP addresses that are abusing their web sites and server. In those instances where you want to block a particular IP from your server and are running a distrubtion of Linux, you can block the traffic from that IP address by using iptables. This tutorial will teach you how to set up, view, and configure a rule to block a specific IP address.

What Is Iptables?

Iptables is a firewall, installed by default on most Linux distributions. By default iptables allows all traffic to pass through to your server, but you can configure it to restrict or drop traffic through a variety of rules that can be setup to limit who and what can actually connect to your server.

To access and use iptables, you’ll need root access, either by using sudo or having direct access to the root user of the server you’re working with. The iptables commands shown below assume you have direct access to the root user on the server, if not you’ll need to prefix them with the sudo command.

How to Set up a Rule to Block a Specific IP Address

The specific case being discussed in this article to the desire to simply stop any all all traffic originating from a specific IP address by simply dropping the inbound connection and not allowing it to proceed further.

The syntax to add a simple rule to iptables to block a specific IP address and drop its connection to the server is:

iptables -A INPUT -s {IP_ADDRESS} -j DROP

Looking at this command, there are a few flags that I think are important for you to know.

The -A flag followed by the INPUT chain indicates that the rule to is to be appended to the INPUT rule chain. We will only deal with the INPUT chain in this tutorial, as it is designed to affect only incoming traffic.

The -s flag followed by the IP address specifies the source of the traffic to be acted upon. It will apply any rules you define to any traffic coming from this source.

The -j flag followed by the DROP rule will cause the firewall to silently ignore the packet, and stop processing further rules in the specified chain.

So if we look at the command above, we’ve indicated that we want to append a new rule to the INPUT chain, and all traffic originating from the specified IP address will be silently ignored and dropped without further processing.

How Do I Unblock an IP Address?

In the event that you make a mistake and entered the wrong IP address, how do you remove that IP address so that traffic may flow freely from that IP address once again?

iptables -D INPUT -s {IP_ADDRESS} -j DROP

The new flag shown in this command is -D followed by the INPUT chain to indicate that we want the rule defined to be removed from the iptables entries.

How Do I View Currently Setup Iptables Rules?

To view currently setup rules, and confirm the rules you have entered you can execute the iptables command with the -L flag. This will list the current filter rules.

iptables -L

The output from this command will be similar to the following output shown below. You’ll see all possible chains, and your new rules will appear under the INPUT chain.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  {IP_ADDRESS}         anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Your New Iptables Rules Setup and Configured

The rules you’ve setup will take effect immediately, and in the case of the rules we’ve defined above you’ll start seeing that traffic from the IP address specified in the rule will instantly stop and will not be allowed to interact with your server.

Author: daharveyjr

I’m a solution architect responsible for the design, development, implementation, testing, and maintenance of e-commerce operations and applications using the Hybris and WebSphere Commerce product suites and other web technologies such as Java, J2EE/JEE, Spring, PHP, WordPress and more. Twitter | Facebook | Google+ | LinkedIn

3 thoughts on “Blocking Abusive IP Addresses with Iptables on Linux

  1. Will Rubin Reply

    Why is Iptables better or worse than doing the equivalent with a hosts file?

    • daharveyjr Post authorReply

      Will, In short, as I understand it, iptables works inside the Linux kernel with the network stack to inspect and apply rules to any and all network traffic passing through the server. On the other hand, the hosts files (hosts.allow and hosts.deny) are wrappers, which rely on application specific use for them to be interpreted and work correctly. I do know that iptables gives you a lot more options with the inspection and matching of traffic and how you truly want handle that traffic. That being said, while you can configure both to accomplish the same thing I prefer using iptables as it doesn’t allow traffic to pass further than is strictly necessary on the server.

  2. Will Rubin Reply

    Excellent response. Makes iptables the better choice for me. Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *