Blocking IP addresses in Linux with iptables

Block IP addresses in Linux (with iptables and ipset)

Most system administrators will already be familiar with iptables. It has been around for quite a while, and is enabled by default within the Linux kernel. Within this article we are going to configure iptables to block one or multiple IP addresses. This may come in handy when you get repeated port scans or see failed login attempts in your log files.

Check existing iptables configuration

The first step is to validate existing iptables rules. We will use an empty ruleset for test purposes.

iptables -L

Output of iptables rules

Manually blocking a single IP address

The first option to permanently block an IP address is by creating a rule in the INPUT chain. This way traffic is no longer allowed from that particular IP address.

iptables -I INPUT -s 192.168.1.100 -j DROP

Although this option works great, it might not scale very well. You might even get a very long list of IP addresses to block after a while. Let’s have a look at ipset.

Using blacklists with iptables and ipset

Another option is creating a blacklist. This way we can add multiple systems that we no longer want connecting to our systems.

Install ipset utility

Most Linux systems do not have the ipset utility installed by default. So first install that toolkit.

CentOS

yum install ipset

You may need to install the epel-release package first.

Debian and Ubuntu

apt-get install ipset

Creating a blacklist

With the newly installed ipset utility we create a new list. We name it blacklist to show its purpose.

# Create blacklist with ipset utility (once)
ipset create blacklist hash:ip hashsize 4096

After the blacklist is created, we can use the set in iptables. This is done with the set match module (-m set) and its --match-set option.

# Set up iptables rules. Match with blacklist and drop traffic
iptables -I INPUT -m set --match-set blacklist src -j DROP
iptables -I FORWARD -m set --match-set blacklist src -j DROP

Iptables with blacklists to block some IP addresses

These commands will add the blacklist (or set) to the INPUT and FORWARD chains. As this is a blacklist, the associated action is to drop the traffic. No output will be displayed when entering the commands.

Create iptables blacklist for blocking IP addresses

Adding IP addresses to block

The next step is adding an actual IP address to the list:

# Add a specific IP address to your newly created blacklist
ipset add blacklist 192.168.1.100

Show details

To confirm the blacklist contains the IP address, use the ipset list command.

Output of ipset command showing blacklist

In this screenshot, we can see the IP address is listed as a member of the set. Traffic from it should now be blocked.

When setting up a blacklist like this, always test it. You want to be sure that the blacklist is enforced in your specific configuration.
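Putting the steps above together, here is an added example (not code from the original article) of the same ipset and iptables procedure as a script that can be re-run safely: it creates the set only if it is missing, inserts the DROP rule only if iptables -C reports it absent (so repeated runs do not stack duplicate rules), validates every address before it reaches ipset, and confirms membership with ipset test. The variables SET_NAME and DRY_RUN and the helper functions are this example's own; with DRY_RUN=1 the privileged commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the original article: idempotent ipset/iptables
# blacklist setup with input validation and an enforcement check.
# SET_NAME and DRY_RUN are this example's own parameters; DRY_RUN=1 prints
# the privileged commands instead of running them.
set -eu

SET_NAME="${SET_NAME:-blacklist}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only a dotted quad with exactly four octets in the range 0-255.
is_ipv4() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Create the set only if it does not exist yet (ipset create fails otherwise).
ensure_set() {
    if ! ipset list -n "$SET_NAME" >/dev/null 2>&1; then
        run ipset create "$SET_NAME" hash:ip hashsize 4096
    fi
}

# Insert the DROP rule only when -C (check) reports it is missing, so that
# repeated runs do not add identical rules to the chain.
ensure_rule() {
    chain="$1"
    if ! iptables -C "$chain" -m set --match-set "$SET_NAME" src -j DROP >/dev/null 2>&1; then
        run iptables -I "$chain" -m set --match-set "$SET_NAME" src -j DROP
    fi
}

# Validate, then add; -exist turns "already in set" from an error into a no-op.
block_ip() {
    if ! is_ipv4 "$1"; then
        echo "rejected: '$1' is not an IPv4 address" >&2
        return 1
    fi
    run ipset add "$SET_NAME" "$1" -exist
}

# ipset test exits 0 when the address is a member of the set.
is_blocked() {
    ipset test "$SET_NAME" "$1" >/dev/null 2>&1
}

main() {
    ensure_set
    ensure_rule INPUT
    ensure_rule FORWARD
    for addr in "$@"; do
        block_ip "$addr"
        if [ "$DRY_RUN" != "1" ] && ! is_blocked "$addr"; then
            echo "warning: $addr is not in set $SET_NAME" >&2
        fi
    done
}

# Run only when addresses are given, e.g.: sh blacklist.sh 192.168.1.100
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root. Note that neither the set nor the iptables rules survive a reboot: save the set with ipset save and load it again at boot with ipset restore before the iptables rules that reference it are restored, otherwise the rule insertion fails because the set does not exist yet.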

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)


3 comments

  • Tech

    Thank you that worked out fantastic.

  • Stanislav Panayotov

    I’m using this heavy duty bash script as root for some like 15 minutes:

    #!/bin/bash
    # Find the Bluetack list URL on iblocklist, download and unpack it, drop comment lines
    curl -s https://www.iblocklist.com/lists.php |
    grep -A 2 Bluetack |
    sed -n "s/.*value='\(http:.*\)'.*/\1/p" |
    xargs wget -O - |
    gunzip |
    egrep -v '^#' > blacklist
    # Split single addresses and from-to ranges into separate files
    grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' blacklist > blacklist-ip
    grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}[-][0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' blacklist > blacklist-ip-range
    sed -i -E "s/[-][0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\./\//" blacklist-ip-range

    # Sort and remove duplicate entries
    sort blacklist-ip | uniq > blacklist-ip-sorted
    sort blacklist-ip-range | uniq > blacklist-ip-range-sorted
    # Null-route every entry through the loopback interface, in the background
    while read IPADDR
    do
        route add $IPADDR gw 127.0.0.1 lo &
    done < blacklist-ip-range-sorted

    while read IPADDR
    do
        route add $IPADDR gw 127.0.0.1 lo &
    done < blacklist-ip-sorted

    rm blacklist-ip
    rm blacklist-ip-sorted
    rm blacklist-ip-range
    rm blacklist-ip-range-sorted

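The script in the comment above builds a blocklist from a downloaded feed and null-routes each entry one at a time. As an added example that is not part of the comment or of the article, the following script loads such a list into an ipset in one transaction instead: it filters the feed down to plain IPv4 addresses and a.b.c.d/n networks (from-to ranges are left out rather than converted), writes an ipset restore file, and swaps a freshly filled set into place so the live blacklist is never empty during a reload. The set name blacklist-net, the helper functions and the sample feed are this example's own.

```shell
#!/bin/sh
# Added example, not the commenter's script or the article's code: bulk-load
# a downloaded blocklist into a hash:net ipset via "ipset restore" and an
# atomic set swap. Set name, functions and the sample feed are constructed.
set -eu

SET_NAME="${SET_NAME:-blacklist-net}"

# Keep only IPv4 addresses and a.b.c.d/n networks with octets in 0-255 and a
# prefix of at most 32; strip comments, whitespace (including CR) and drop
# anything else, such as from-to ranges. Output is deduplicated.
sanitize_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' |
    awk -F'[./]' '{
        ok = 1
        for (i = 1; i <= 4; i++) if ($i + 0 > 255) ok = 0
        if (NF == 5 && $5 + 0 > 32) ok = 0
        if (ok) print
    }' |
    sort -u
}

# Emit an ipset restore script for the set named in $1 from the feed in $2:
# one create line followed by one add line per entry.
build_restore() {
    tmp_set="$1"
    echo "create $tmp_set hash:net family inet hashsize 4096"
    sanitize_entries "$2" | sed "s/^/add $tmp_set /"
}

# Load the feed into a temporary set, then swap it with the live set so the
# block rule always matches against a complete list. Needs root and ipset.
load_list() {
    live_set="$1"
    restore_file="${TMPDIR:-/tmp}/$live_set.restore"
    build_restore "$live_set-tmp" "$2" > "$restore_file"
    ipset create "$live_set" hash:net family inet hashsize 4096 -exist
    ipset destroy "$live_set-tmp" 2>/dev/null || true
    ipset -exist restore < "$restore_file"
    ipset swap "$live_set-tmp" "$live_set"
    ipset destroy "$live_set-tmp"
    rm -f "$restore_file"
}

# Constructed sample feed (not a real list) for the stand-alone run; returns
# the path it was written to.
write_sample() {
    sample="${TMPDIR:-/tmp}/blocklist-sample.txt"
    cat > "$sample" <<'EOF'
# constructed sample list, not a real feed
203.0.113.10
203.0.113.10        # duplicate entry
198.51.100.0/24
256.1.1.1           # invalid octet
192.0.2.0/33        # invalid prefix
10.0.0.0-10.0.0.255 # from-to range, not converted here
not-an-address
EOF
    echo "$sample"
}

# With SET and FILE arguments, load that feed for real; with no arguments,
# print the restore file that the sample feed would produce.
if [ $# -eq 2 ]; then
    load_list "$1" "$2"
elif [ $# -eq 0 ]; then
    build_restore "$SET_NAME-tmp" "$(write_sample)"
fi
```

The iptables rule is the one from the article with the set name changed, i.e. -m set --match-set blacklist-net src -j DROP; because hash:net stores networks, a single entry such as 198.51.100.0/24 covers the whole range without one route or rule per address.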
