Blocking Abusive IP Addresses With Iptables on Linux
Want to remain safe and secure in Linux? Here's a guide to blocking abusive IP addresses in Linux with iptables, including an overview of what iptables actually is.
What Is Iptables?
Iptables is a firewall, installed by default on most Linux distributions. By default iptables allows all traffic to pass through to your server, but you can configure it to restrict or drop traffic through a variety of rules that can be set up to limit who and what can actually connect to your server.
To access and use iptables, you’ll need root access, either by using sudo or by having direct access to the root user of the server you’re working with. The iptables commands shown below assume you have direct access to the root user on the server; if not, you’ll need to prefix them with the sudo command.
How to Set up a Rule to Block a Specific IP Address
The specific case discussed in this article is the desire to stop any and all traffic originating from a specific IP address by simply dropping the inbound connection and not allowing it to proceed further.
The syntax to add a simple rule to iptables to block a specific IP address and drop its connection to the server is:
iptables -A INPUT -s {IP_ADDRESS} -j DROP
Looking at this command, there are a few flags that I think are important for you to know.
The -A flag followed by the INPUT chain indicates that the rule is to be appended to the INPUT rule chain. We will only deal with the INPUT chain in this tutorial, as it is designed to affect only incoming traffic.
The -s flag followed by the IP address specifies the source of the traffic to be acted upon. It will apply any rules you define to any traffic coming from this source.
The -j flag followed by the DROP target will cause the firewall to silently ignore the packet and stop processing further rules in the specified chain.
So if we look at the command above, we’ve indicated that we want to append a new rule to the INPUT chain, and all traffic originating from the specified IP address will be silently ignored and dropped without further processing.
How Do I Unblock an IP Address?
In the event that you made a mistake and entered the wrong IP address, how do you remove that rule so that traffic may flow freely from that IP address once again?
iptables -D INPUT -s {IP_ADDRESS} -j DROP
The new flag shown in this command is -D, followed by the INPUT chain and the same rule specification, which indicates that we want the matching rule to be removed from the iptables entries.
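As an added example that is not part of the original article, the block and unblock commands above wrapped in a small POSIX shell script: it validates the address before it reaches iptables, uses iptables -C to check whether the DROP rule already exists before appending it (so a repeated block does not duplicate the rule), and deletes every copy of the rule when unblocking. The IPTABLES variable and the function names are this example's own, not part of iptables.

```shell
#!/bin/sh
# Wrapper around the commands from the article. IPTABLES is an assumed
# variable so a wrapper or a stub can be substituted for the real binary.
IPTABLES="${IPTABLES:-iptables}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1              # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append "iptables -A INPUT -s ADDR -j DROP" unless the rule is already present.
block_ip() {
    valid_ipv4 "$1" || { echo "block_ip: invalid IPv4 address: $1" >&2; return 2; }
    if "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null; then
        echo "already blocked: $1"
        return 0
    fi
    "$IPTABLES" -A INPUT -s "$1" -j DROP
}

# Run "iptables -D INPUT -s ADDR -j DROP" until no matching rule remains,
# since the same rule may have been appended more than once by hand.
unblock_ip() {
    valid_ipv4 "$1" || { echo "unblock_ip: invalid IPv4 address: $1" >&2; return 2; }
    while "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null; do
        "$IPTABLES" -D INPUT -s "$1" -j DROP
    done
}
```

Source the file and call block_ip or unblock_ip with the address as root. Rules added this way live only in the running kernel, so use your distribution's persistence mechanism (for example iptables-save) if they must survive a reboot.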
How Do I View Currently Set Up Iptables Rules?
To view the rules currently in place, and confirm the rules you have entered, you can execute the iptables command with the -L flag. This will list the current filter rules.
iptables -L
The output from this command will be similar to the following. You’ll see all of the default chains, and your new rules will appear under the INPUT chain.
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- {IP_ADDRESS} anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Your New Iptables Rules Are Set Up and Configured
The rules you’ve set up take effect immediately. In the case of the rule defined above, traffic from the IP address specified in the rule will stop instantly and will no longer be allowed to interact with your server.
Published at DZone with permission of Drew Harvey, DZone MVB. See the original article here.