Today we’ll show you how to block an IP address using iptables. In this article we add a blacklist to the firewall script, which lets you block abusive IP addresses or ranges of IPs on your Debian or Ubuntu based virtual server. iptables is a user-space program that lets a system administrator configure the tables provided by the Linux kernel firewall (implemented as Netfilter modules) and the chains and rules they hold. Blocking an IP address with iptables is a fairly easy task and should take no more than 5 minutes.
Before proceeding any further, make sure you have read the tutorial on how to secure and design the firewall on your Linux VPS. It covers:
- Flushing the old firewall rules
- Determining service ports
- Setting-up default policies
- Setting-up your firewall rules
- Saving your firewall rules
Block IP Using iptables
To block an abusive IP address or range of IPs, you can use the following iptables rules:
# iptables -I INPUT -s 1.2.3.4 -j DROP
# iptables -I INPUT -s 1.2.0.0/16 -j DROP
-I inserts the rule at the top of the INPUT chain, so it is evaluated before the rule that accepts established connections (a rule appended with -A after a final DROP would never match). Rules added this way exist only in the running kernel and are gone after a reboot, which is why the script below also saves them.
Creating the Blacklist in iptables
For better readability and maintenance, it is a good idea to keep all abusive IPs in one file, for example /etc/blacklist.ips. Add the IP addresses or subnets to this file (one IP or subnet per line) and use the fwall-rules script below to block everything listed in it. Every line of that file ends up as an argument to iptables running as root, so keep the file owned by root and writable by root only.
So, create or edit /usr/local/bin/fwall-rules and make it as follows:
#!/bin/bash
#
# iptables firewall script
# https://www.rosehosting.com
#

IPTABLES=/sbin/iptables
BLACKLIST=/etc/blacklist.ips
# rules are saved here and restored from here by the boot-time hook below
RULES=/etc/iptables.rules

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

echo " * setting default policies"
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT

# drop new TCP connections that do not start with SYN, accept replies to our own traffic
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

echo " * allowing ssh on port 5622"
${IPTABLES} -A INPUT -p tcp --dport 5622 -m state --state NEW -j ACCEPT

echo " * allowing ftp on port 21"
${IPTABLES} -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

echo " * allowing dns on port 53 udp"
${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing dns on port 53 tcp"
${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
${IPTABLES} -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing smtp on port 25"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

echo " * allowing submission on port 587"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT

echo " * allowing imaps on port 993"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

echo " * allowing pop3s on port 995"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

echo " * allowing imap on port 143"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT

echo " * allowing pop3 on port 110"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

echo " * allowing ping responses"
${IPTABLES} -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP

#
# Block abusing IPs
# from ${BLACKLIST}
#
if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
    echo " * BLOCKING ABUSIVE IPs"
    # one IP or subnet per line; blank lines and '#' comments are skipped.
    # -I puts every entry at the top of INPUT, ahead of the ESTABLISHED,RELATED
    # rule, so existing connections from a listed address are cut off as well.
    while read -r IP _; do
        [[ -z "${IP}" || "${IP}" == \#* ]] && continue
        ${IPTABLES} -I INPUT -s "${IP}" -j DROP
    done < "${BLACKLIST}"
fi

#
# Save settings
#
echo " * SAVING RULES"
if [[ -d /etc/network/if-pre-up.d ]]; then
    if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
        echo "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
        echo "test -e ${RULES} && iptables-restore -c ${RULES}" >> /etc/network/if-pre-up.d/iptables
        chmod +x /etc/network/if-pre-up.d/iptables
    fi
fi
# save to the same file the hook restores; the original saved to a different
# path than the hook read, so the rules were not restored at boot
iptables-save -c > ${RULES}
Make sure the script is executable by adding the ‘x’ bit to it (it runs as root, so it should also be owned by root and not writable by anyone else):
# chmod +x /usr/local/bin/fwall-rules
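The loop in the script above passes every line of /etc/blacklist.ips straight to iptables, and picking up a new entry means re-running fwall-rules, which flushes and rebuilds the whole firewall. The following is an added example (not part of the original script) of a stricter loader: it validates every line as an IPv4 address or CIDR block before iptables ever sees it, builds the entries into a dedicated chain, and loads that chain with iptables-restore --noflush so the blacklist can be reloaded on its own without touching the other rules. The chain name BLACKLIST, the function names and the sample entries are this example's own choices; the blacklist path is the page's /etc/blacklist.ips.

```shell
#!/bin/sh
# Added example, not part of the original fwall-rules script.
# Loads /etc/blacklist.ips (one IPv4 address or CIDR per line; blank lines and
# '#' comments allowed) into a dedicated BLACKLIST chain after validating every
# entry. Assumes iptables >= 1.4.11 (for -C); the chain and function names are
# this example's own choices.

BLACKLIST=${BLACKLIST:-/etc/blacklist.ips}

# valid_ipv4_cidr ENTRY: succeed only for a.b.c.d or a.b.c.d/n with n <= 32.
# Hostnames, IPv6 and anything containing stray characters are refused here
# instead of being handed to iptables.
valid_ipv4_cidr() {
    case "$1" in
        */*) _addr=${1%%/*}; _prefix=${1#*/} ;;
        *)   _addr=$1;       _prefix=32 ;;
    esac
    case "$_prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_prefix" -le 32 ] || return 1
    _oldifs=$IFS; set -f; IFS=.; set -- $_addr; IFS=$_oldifs; set +f
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case "$_octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# blacklist_rules FILE: print an iptables-restore fragment that rebuilds the
# BLACKLIST chain from FILE. Returns 1 if any line was rejected, so the caller
# can refuse to load a file that is even partly malformed.
blacklist_rules() {
    _bad=0
    # ':CHAIN - [0:0]' creates the chain if it is missing; the explicit -F makes
    # the reload start from an empty chain on iptables-legacy and iptables-nft
    printf '%s\n' '*filter' ':BLACKLIST - [0:0]' '-F BLACKLIST'
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                          # drop comments
        _line=${_line#"${_line%%[![:space:]]*}"}    # trim leading blanks
        _line=${_line%"${_line##*[![:space:]]}"}    # trim trailing blanks
        [ -n "$_line" ] || continue
        if valid_ipv4_cidr "$_line"; then
            printf '%s\n' "-A BLACKLIST -s $_line -j DROP"
        else
            printf 'rejected blacklist entry: %s\n' "$_line" >&2
            _bad=1
        fi
    done < "$1"
    printf '%s\n' 'COMMIT'
    return $_bad
}

# apply_blacklist FILE: load the chain with --noflush (the rest of the rule set
# is untouched) and make INPUT jump to it as rule 1, ahead of the
# ESTABLISHED,RELATED rule, so listed hosts lose existing connections too.
# Needs root.
apply_blacklist() {
    _fragment=$(blacklist_rules "$1") || {
        echo "not loading $1: fix the rejected lines first" >&2
        return 1
    }
    printf '%s\n' "$_fragment" | iptables-restore --noflush || return 1
    iptables -C INPUT -j BLACKLIST 2>/dev/null || iptables -I INPUT 1 -j BLACKLIST
}

# As root:  apply_blacklist "$BLACKLIST"
# Check:    iptables -L INPUT -n -v --line-numbers   (BLACKLIST must be rule 1)
```

Refusing the whole file when one line is bad is deliberate: a half-loaded blacklist silently leaves some abusers unblocked, and a typo such as a stray character is easier to notice when the load fails loudly. The jump rule is inserted once and checked with -C on later runs, so reloading never duplicates it.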
Applying the Rules
To apply the firewall rules and block the abusers, just execute the fwall-rules script. Because it flushes everything and sets the INPUT policy to DROP before the ACCEPT rules are back, run it from the console or inside a screen/tmux session, and make sure the ssh port in the script (5622 here) is the one sshd actually listens on, or you will lock yourself out. Afterwards, iptables -L INPUT -n -v --line-numbers should show the blacklist DROP entries at the top of the chain.
# fwall-rules
 * flushing old rules
 * setting default policies
 * allowing loopback devices
 * allowing ssh on port 5622
 * allowing ftp on port 21
 * allowing dns on port 53 udp
 * allowing dns on port 53 tcp
 * allowing http on port 80
 * allowing https on port 443
 * allowing smtp on port 25
 * allowing submission on port 587
 * allowing imaps on port 993
 * allowing pop3s on port 995
 * allowing imap on port 143
 * allowing pop3 on port 110
 * allowing ping responses
 * BLOCKING ABUSIVE IPs
 * SAVING RULES
Of course, you don’t have to block IP addresses using iptables yourself if you use one of our Linux VPS hosting services, in which case you can simply ask our expert Linux admins to block any IP address for you. They are available 24×7 and will take care of your request immediately.
PS. If you liked this post on how to block IP addresses using iptables, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thank you.
Great article.
Saved my bacon on a DDoS attack
If you have many blocked IP addresses, adding them directly to the chain is not a very good idea. This can require quite a lot of CPU to match incoming packets against a couple of thousand blocked IP addresses. A better way is to use “ipset”. Create a set of IP addresses and add a rule that matches against that set.
This is orders of magnitude faster and can easily handle tens of thousands of blocked IP addresses with no noticeable CPU degradation.
This allows you to use existing blacklists (which have tens of thousands of entries) for your server. For example from ipdeny.com
For example:
# Create a new set (current ipset syntax; the old -N/-A shorthand is gone)
sudo ipset create my-blacklist hash:net
# Add IP addresses to the set
# In reality this will be a loop to read blacklists from a file
sudo ipset add my-blacklist 43.255.0.0/16
sudo ipset add my-blacklist 218.87.0.0/16
……….
……….
# Add a rule to drop all packets from addresses in the blacklist.
# No "-p tcp": the set should match every protocol, and -I puts the rule at
# the top of INPUT, where an appended rule after a final DROP would never match.
sudo iptables -I INPUT -m set --match-set my-blacklist src -j DROP
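Johan's comment leaves the bulk-load step as "a loop to read blacklists from a file". As an added example (not the commenter's code), the following builds an ipset restore script from a CIDR list such as the ipdeny country zone files he mentions, loads it into a temporary set and swaps that in, so the live set is never empty or half-populated during a reload and a malformed file leaves the old set in place. It assumes ipset 6.x, whose restore input accepts the same add/flush/swap/destroy verbs as the command line; the set name my-blacklist is taken from the comment, the function names and the sample entries are this example's own.

```shell
#!/bin/sh
# Added example, not the commenter's code. Rebuilds an ipset from a CIDR list
# (one entry per line, '#' comments allowed) by filling a temporary set and
# swapping it in, so the live set is never empty or half-loaded and a bad file
# leaves the old set in place. Assumes ipset 6.x, whose `ipset restore` input
# takes the same add/flush/swap/destroy verbs as the command line, and an IPv4
# hash:net set as in the comment above.

# ipset_reload_script SET FILE: print the restore script on stdout.
# Returns 1 if any line is obviously malformed (then nothing should be loaded).
ipset_reload_script() {
    _set=$1; _tmp="${1}-tmp"; _bad=0
    printf '%s\n' "flush $_tmp"
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                          # drop comments
        _line=${_line#"${_line%%[![:space:]]*}"}    # trim leading blanks
        _line=${_line%"${_line##*[![:space:]]}"}    # trim trailing blanks
        [ -n "$_line" ] || continue
        # cheap syntactic check: digits, dots and at most one '/'. Subtler
        # errors (an octet of 300, a /33) are caught by ipset itself, which
        # stops the restore before the swap, so the live set stays as it was.
        case "$_line" in
            *[!0-9./]*|*/*/*) printf 'rejected entry: %s\n' "$_line" >&2; _bad=1; continue ;;
        esac
        printf '%s\n' "add $_tmp $_line"
    done < "$2"
    printf '%s\n' "swap $_tmp $_set" "destroy $_tmp"
    return $_bad
}

# ipset_reload SET FILE: create both sets idempotently, load FILE atomically
# and hook SET into INPUT once. Needs root.
ipset_reload() {
    _script=$(ipset_reload_script "$1" "$2") || {
        echo "not loading $2: fix the rejected lines first" >&2
        return 1
    }
    # -exist makes the creates idempotent; a temp set left behind by an
    # aborted run is simply flushed by the script. Add 'maxelem N' to both
    # creates for lists larger than the default 65536 entries.
    ipset create "$1" hash:net family inet -exist || return 1
    ipset create "${1}-tmp" hash:net family inet -exist || return 1
    printf '%s\n' "$_script" | ipset restore || return 1
    # match every protocol, not just TCP, so UDP and ICMP from listed
    # networks are dropped as well; -I keeps the rule ahead of any ACCEPT
    iptables -C INPUT -m set --match-set "$1" src -j DROP 2>/dev/null \
        || iptables -I INPUT 1 -m set --match-set "$1" src -j DROP
}

# As root:  ipset_reload my-blacklist /etc/blacklist.ips
# Check:    ipset list my-blacklist -terse
```

Feeding one restore script to ipset instead of forking ipset once per entry is what makes a 50,000-line country list load in a moment, and the swap at the end is the only moment the live set changes. Because ipset restore aborts at the first failing line, a bad entry never reaches the swap, so a broken download cannot leave you unprotected.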
Johan, thank you for your suggestion on ipset.
I would like to block IP addresses by country. I download the free list from https://www.ip2location.com/free/visitor-blocker
Can I know how I can do it using ipset?
You can download the file (CIDR output format) and add all IPs to the blacklist: