IP Blocking and iptables in Linux
As a webmaster, you’re eventually going to deal with an abusive user (or several). It’s more or less an inevitable hurdle to doing business online. Maybe they’re spamming your comments section, flooding your server with requests, or harassing your other readers. Either way, you want to get them gone before they cause you any more of a headache than they already have.
Don’t worry. Provided you understand how iptables works – and for the purpose of this piece, we’re assuming you do – it’s actually fairly easy to do.
We’ll walk you through the process, as well as a few of the commands you’re going to want to use.
Once we’re done, you’ll know how to do everything from blocking a specific address or subnet to logging, listing, deleting and saving rules, and building a block list of your own.
Sweet, right?
Let’s get started. Your first step is to log in to your web server either through your control console or through a secure connection. Make sure you’ve got root access – you’re going to need it.
IP Blocking – The Basics
The majority of the commands in this section are courtesy of nixCraft.
We’ll start with a few of the basic commands – and we’re going to keep things short and sweet here.
First off, here’s how to drop every packet a specific IP address sends to your server. Replace [IP] with the address you actually want to block:
iptables -A INPUT -s [IP] -j DROP
Two things to keep in mind: iptables walks a chain from top to bottom and the first matching rule decides what happens to a packet, and -A appends the new rule to the end of the chain. If an earlier rule already accepts the traffic (a broad ACCEPT for port 80, say), the appended DROP never sees it; use -I INPUT in place of -A INPUT to insert the rule at the top instead.
Now, let’s say you only want to block a connection through a specific interface. In that case, the command will be as follows:
iptables -A INPUT -i [Interface Name] -s [IP] -j DROP
You can add a + to the end of the interface name to block any interface whose name begins with the characters you’ve entered.
If you want to block a connection on a specific port only, use the following command (--destination-port can be shortened to --dport; this example drops SMTP from 65.55.44.100 and nothing else):
iptables -A INPUT -s 65.55.44.100 -p tcp --destination-port 25 -j DROP
If you’re looking to block a contiguous range of IP addresses that doesn’t line up with a subnet boundary, type in the following, replacing [START] and [END] with the endpoints of the range (via Chron):
iptables -A INPUT -m iprange --src-range [START]-[END] -j DROP
You can also block an entire subnet from accessing your website by giving the network in CIDR notation, e.g. 203.0.113.0/24 (the -i eth1 limits the rule to traffic arriving on that interface; leave it out to match every interface):
iptables -A INPUT -i eth1 -s [SUBNET]/[PREFIX] -j DROP
If at any time you want to view your current rules, including the blocked addresses, you can use either
iptables -L -v -n or /sbin/iptables -L INPUT -v -n
The -n keeps iptables from reverse-resolving every address, which otherwise makes the listing slow and can hang on unreachable DNS.
While viewing that list, you can delete specific entries if you so choose. Use the following commands, in order (line numbers shift after every deletion, so re-list before deleting the next one):
iptables -L INPUT -n --line-numbers
iptables -D INPUT [LINE]
iptables -L INPUT -v -n
Of course, if you know the exact rule you want to be rid of, you can delete it by repeating its specification. This only works when every match and the target are identical to the rule as it was added:
iptables -D INPUT -s 1.2.3.4 -j DROP
Assuming you want a record of the traffic you drop, you can add a LOG rule with a recognisable prefix: iptables -A INPUT -i eth1 -s [IP/SUBNET] -j LOG --log-prefix "IP DROP SPOOF A:"
LOG is a non-terminating target: it writes the packet headers to the kernel log (dmesg, /var/log/messages, or journalctl -k) and processing continues to the next rule. That has two consequences. The LOG rule on its own blocks nothing, so you still need the matching DROP rule from above, and the LOG rule has to come before that DROP rule, because a packet that has already been dropped never reaches a later LOG rule.
Next up, you can search your blocked IP addresses with:
iptables -L INPUT -v -n | grep [IP]
Finally, iptables rules live in kernel memory and are gone after a reboot. To save the changes you’ve made on CentOS, RHEL, or Fedora (with the iptables service), run service iptables save, which writes the current rules to /etc/sysconfig/iptables so they are restored at boot. On distributions without that service, iptables-save > [file] and an iptables-restore < [file] at boot do the same job.
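To tie the basics together, here is a small shell script, added as an example and not taken from the original article or from nixCraft. block_ip validates its argument before handing it to iptables, uses -C to check whether the DROP rule already exists so re-running the script does not append duplicates, and writes the LOG rule ahead of the DROP rule because LOG is non-terminating. The script name and the DRY_RUN knob are assumptions for illustration; with DRY_RUN unset it calls the real iptables and therefore needs root.

```shell
#!/bin/sh
# block_ip.sh (added example): validate an IPv4 address or CIDR block, then add
# a LOG rule followed by a DROP rule for it to the INPUT chain, exactly once.
# DRY_RUN=1 (assumed knob) prints the iptables commands instead of running them.

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# ipt ARGS...: run iptables, or print the command when DRY_RUN=1. In dry-run
# mode a rule check (-C) is reported as "rule absent" so the add path runs.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        case "$1" in -C) return 1 ;; esac
        echo "$IPTABLES $*"
        return 0
    fi
    "$IPTABLES" "$@"
}

# valid_ipv4 ADDR[/PREFIX]: returns 0 for a dotted quad whose octets are 0-255
# with an optional prefix length 0-32, and 1 for anything else.
valid_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/" present: a host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$addr
EOF
    [ -z "$rest" ] || return 1               # more than four dotted fields
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR[/PREFIX]: log, then drop, everything arriving from the address.
block_ip() {
    if ! valid_ipv4 "$1"; then
        echo "block_ip: refusing malformed address '$1'" >&2
        return 2
    fi
    # -A appends a fresh copy on every run; -C tests for the rule first so the
    # script can be re-run without piling up duplicate rules.
    if ipt -C INPUT -s "$1" -j DROP 2>/dev/null; then
        echo "block_ip: $1 is already blocked" >&2
        return 0
    fi
    # LOG does not terminate rule processing, so it must precede the DROP;
    # a packet dropped by an earlier rule never reaches a later LOG rule.
    ipt -A INPUT -s "$1" -j LOG --log-prefix "IP DROP $1: " --log-level 4
    ipt -A INPUT -s "$1" -j DROP
}

# Usage: block_ip.sh ADDR [ADDR...]   e.g.  DRY_RUN=1 sh block_ip.sh 203.0.113.45
for addr_arg in "$@"; do
    block_ip "$addr_arg" || exit $?
done
```

Run it with DRY_RUN=1 first to see the two rules it would add; the LOG prefix stays under the 29-character limit iptables imposes even for a full ADDR/32 string. Remember that the rules still need saving afterwards, as described above.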
Got all that? Good. Let’s move on.
Additional Commands You Can Use To Block Traffic
The commands above form the basic framework of IP blocking within iptables, but they only cover inbound traffic on the INPUT chain. If you really want to cut yourself off from an address, there are a few variations you’ll want to know. They are as follows:
- OUTPUT chain: drops traffic your server sends to the address. Outgoing packets carry the remote address as their destination, so match with -d rather than -s here. Syntax is iptables -A OUTPUT -d [IP] -j DROP
- FORWARD chain: drops traffic from the address that your server would otherwise route on to another host; it only matters if the machine forwards packets at all. Syntax is iptables -A FORWARD -s [IP] -j DROP
- -p tcp: restricts an INPUT rule to TCP, leaving UDP and ICMP from the address untouched. Syntax is iptables -A INPUT -p tcp -s [IP] -j DROP
- -p icmp: drops ping and other ICMP from the address. This hides you from ping sweeps, not from TCP or UDP port scans. Syntax is iptables -A INPUT -p icmp -s [IP] -j DROP
Building Your iptables Block List
Now that you’ve been primed on the basics of iptables, it’s high time you set up a block list of your own, no? Courtesy of The Geek Stuff, here’s a short guide to help you do just that.
1. First, flush out the old default rules and existing rules with the flush command: iptables -F. Do this while the default policies are still ACCEPT (check with iptables -L -n): if a chain’s policy is already DROP, flushing leaves nothing but that DROP and you lose your own session.
2. Next, change your default chain policy with the following set of commands:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Apply these only after you have added ACCEPT rules for the loopback interface, for established connections and for your own SSH port. A default DROP on INPUT with no such rules cuts off the SSH session you are working from, and a default DROP on OUTPUT stops the server’s own outbound traffic (DNS lookups, package updates and the replies it sends to its visitors) unless each is allowed explicitly.
3. Set up IP blocking as you see fit using the commands in the previous sections.
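The three steps above are the right pieces in a dangerous order: with nothing but a flush and DROP policies, the SSH session you are typing in is the first casualty. The script below is an added example, not The Geek Stuff’s or this article’s own code. It builds the same block list in an order that keeps the administrator connected: policies back to ACCEPT before flushing, loopback and admin SSH first, the block list in its own chain, then the ESTABLISHED rule and the public ports, and only then the DROP policy on INPUT. The BLOCKLIST chain name, the file path, ADMIN_NET, SSH_PORT and DRY_RUN are assumptions; set ADMIN_NET to the range you actually administer from, since the default 0.0.0.0/0 lets any address reach SSH ahead of the block list.

```shell
#!/bin/sh
# build_ruleset.sh (added example): rebuild the filter table from a blocklist
# file without locking out the administrator. BLOCKLIST (chain name), the file
# path, ADMIN_NET and SSH_PORT are assumptions; adjust them to your host.
# DRY_RUN=1 prints the iptables commands instead of executing them.

IPTABLES="${IPTABLES:-iptables}"
BLOCKLIST_FILE="${BLOCKLIST_FILE:-/etc/iptables/blocklist.txt}"
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-0.0.0.0/0}"   # narrow this to the range you administer from

ipt() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi; }

# read_blocklist FILE: one ADDR or ADDR/PREFIX per line; '#' comments, blank
# lines and whitespace are stripped.
read_blocklist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# build_ruleset [FILE]: emit the complete ruleset in lockout-safe order.
build_ruleset() {
    file="${1:-$BLOCKLIST_FILE}"

    # 1. Reset to a known state. Policies go to ACCEPT *before* the flush:
    #    flushing a chain whose policy is already DROP drops everything.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X

    # 2. Keep the admin session alive whatever follows: loopback, and SSH
    #    from the admin network. No --ctstate NEW here, so a mid-session ban
    #    of the admin's own address cannot sever the connection.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -j ACCEPT

    # 3. The blocklist lives in its own chain so it can be reloaded later with
    #    -F BLOCKLIST without touching the rest of the policy. It sits before
    #    the ESTABLISHED rule, so connections already open from a newly listed
    #    address are cut as well. LOG precedes DROP in each pair.
    ipt -N BLOCKLIST
    ipt -A INPUT -j BLOCKLIST
    read_blocklist "$file" | while read -r addr; do
        ipt -A BLOCKLIST -s "$addr" -j LOG --log-prefix "BLOCKLIST DROP: "
        ipt -A BLOCKLIST -s "$addr" -j DROP
    done
    ipt -A BLOCKLIST -j RETURN

    # 4. Everything the server is meant to serve.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

    # 5. Only now is a DROP default safe. OUTPUT stays ACCEPT: a DROP policy
    #    there also needs explicit rules for DNS, updates and the server's own
    #    replies, which this example does not cover.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

# Usage: DRY_RUN=1 sh build_ruleset.sh [blocklist-file]
if [ "$#" -gt 0 ]; then
    build_ruleset "$1"
fi
```

Run it once with DRY_RUN=1 and read the order of the printed commands before letting it touch the live table; afterwards, save the result with the distribution’s mechanism from the basics section, or the whole ruleset disappears at the next reboot.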
Now, it’s worth mentioning that there’s quite a bit more that you can do here, such as allowing HTTP and HTTPS connections, controlling who may reach your MySQL port, and allowing or disallowing IMAP and IMAPS; you get the idea. Since this piece is already running long, and we’re dealing with IP blocking here, we’re not going to be covering any of that.
Instead, let’s wrap things up here, shall we?
A Few Extra Resources
We’ll leave off today’s piece with a few tips, tricks, and words of advice regarding some of the things you can do with iptables. First off, here’s a script to help you quickly and easily block a large range of IP addresses.
And though it’s only tangentially related to IP address blocking, a reddit user did something absolutely awesome with iptables, and figured out a way to block abusive DNS queries. You can view the reddit thread (with a link to his research) here.
Last but not least, if you’re looking for a tool that will automate the banning of abusive IPs, Fail2Ban is an excellent choice: it watches your service logs for repeated failures and inserts (and later removes) iptables rules for the offending addresses on its own.