Blocking an IP in Linux Firewall
Securing the infrastructure is one of the main duties of a system administrator. Fortunately, Linux is superior in terms of security compared to other operating systems, and this distinguishing feature of Linux is a strong reason for choosing Linux VPS as the ideal operating system for the server. However, you may need tools that are developed to increase security. Firewalls are one of the effective tools for system security that act as a barrier between internal and external networks and manage and control the flow of incoming and outgoing network traffic in the Linux system.
Firewalls allow users to block and filter IP addresses and ports that breach your security and protect your system from unauthorized access and possible attacks. Most Linux distributions use a firewall based on creating rules, such as iptables (a filtering tool and managing NAT and IPv4 packets), UFW firewall (a tool for blocking IP addresses and ports), and firewalld by default so that through these powerful tools, users can block or allow the incoming and outgoing data packets of the network by defining rules based on various criteria such as source IP, destination IP, port number and other things and control the network traffic.
Also, by using these advanced Linux firewalls, users can detect intrusions and attacks and reduce potential security breaches, suspicious activities, and intrusions. This tutorial will teach you how to block IP addresses in a Linux firewall and improve your system security.
How to block IP in Linux with iptables?
As you know, and we have already talked about how to use iptables Firewall, blocking IP addresses in Linux using iptables firewall includes creating rules based on filtering, blocking, and allowing network traffic based on criteria such as ports, Protocols, and IP addresses. This part of the article provides a step-by-step guide to block the IP address in various Linux distributions, such as Ubuntu, Debian, CentOS, Fedora, etc., through the iptables firewall.
It is worth mentioning that you must have root/sudo privileges to make changes to firewall rules and block IP addresses. So log into the Linux terminal with Root/Sudo user privileges and follow the steps below:
1. Check Existing Rules (Optional)
To block a specific IP address, it is recommended to first check the pre-defined iptables rules so that no rules have been set for the desired IP address. For this purpose, use the following command:
sudo iptables -L
The previous command’s output shows the iptables rules containing source, destination, and target titles.
2. Block the IP in Linux
DROP or REJECT targets are used in the iptables firewall to block IP address access to your server. If you want to receive an ICMP “host unreachable” response when discarding packets, use the REJECT target, but if you don’t want to receive a response, use the DROP target. The main syntax for blocking an IP address in iptables is as follows:
sudo iptables -A INPUT - s <IP ADDRESS> -j DROP
Or
sudo iptables -A INPUT -s <IP ADDRESS> -j REJECT
Replace the IP address you want to block in <IP ADDRESS>.
-A option: to add the rule to the end of the iptables chain.
-s option: Specifies the source IP address.
-j option: Specifies the function of Iptables for filtering based on specific criteria for network traffic, which instructs the system to drop incoming packets from the desired IP address in the purpose of DROP.
Blocking specific IP addresses on specific ports with iptables
You can block specific IP addresses on a particular port with the iptables firewall; for this, run the following command:
iptables -A INPUT -s IP-ADDRESS -p tcp --destination-port port_number -j DROP
For example, if you want to block the IP address 192.168.1.100 on port 80 using the iptables firewall, you must run the following command:
iptables -A INPUT -s 192.168.1.100 -p tcp --destination-port 80 -j DROP
Blocking IP Ranges with iptables
The iptables firewall allows users to block the range of IP addresses; for this purpose, enter the following command:
sudo iptables -A INPUT -s <IP RANGE> -j DROP
3. Save the Rules
After setting a new rule in iptables firewall, you must save the rule to ensure that the rule persists across reboots. The method of saving rules is different based on your Linux distribution. To save the rules added to iptables on Debian/Ubuntu systems, run the following commands:
sudo apt-get install iptables-persistent
sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent
sudo netfilter-persistent save
Use theiptables-save
command to save iptables rules in CentOS/RHEL/Fedora systems; since these rules are usually saved in the /etc/sysconfig/iptables file, run the following command to save iptables rules in CentOS/RHEL/ Fedora:
sudo iptables-save > /etc/sysconfig/iptables
You can also use the following command to save iptables rules in CentOS/RHEL/Fedora system:
service iptables save
By running the previous command, the rules set in iptables will permanently remain after the system reboot.
4. Verify the new setting of rules
After setting the new rule in iptables, ensure that the new rule is added to the list of iptables rules by running the following command:
sudo iptables -L
After blocking the desired IP address, test the access to your system from the blocked IP address to ensure the specified IP address is blocked.
Note: iptables evaluates the set rules in order, so the rules with the highest position in the list of rules have priority.
5. Removing iptables rules
If you decide to remove the restriction applied to a specific IP address and delete the rules you created in iptables for various reasons, Use the following command:
sudo iptables -D INPUT -s <IP ADDRESS> -j DROP
How to block IP addresses in Linux with UFW?
UFW stands for Uncomplicated Firewall, it is one of the default and native Linux firewalls that was developed to simplify work with iptables. Since working with the powerful and flexible Iptables tool may be a bit complicated for Linux beginners, they can set and manage rules and restrictions on network traffic through the simple and fast user interface of the UFW firewall instead of using the iptables firewall. UFW is a powerful firewall configuration tool that allows users to set firewall rules for IPv4 and IPv6 addresses. This part of the article will teach how to block IP addresses in the UFW Linux firewall.
1. Check if UFW is installed and enabled: Open the Linux terminal by pressing the Ctrl+Alt+T buttons and check if UFW is installed in your distribution. If your Linux system does not support UFW by default, install UFW on your Linux system using your distribution’s package manager.
2. Enable UFW: If the UFW firewall is not enabled, enable it in Ubuntu/Debian by running the following command:
sudo ufw enable
3. Add a rule to block the IP address: Theufw deny
command is used to deny traffic from a specific IP address, which main syntax is as follows:
ufw deny from < ip-address >
Replace <ip-address> with the IP address you want to block.
4. Block the specific port for IP address: You can also block incoming traffic from a particular IP address on a specific port; for this purpose, you must use the following command:
ufw deny from <ip-address> to any port <port-number>
5. Check the rules: To ensure that the new rule is added to the list of UFW rules, run the following command:
sudo ufw status
6. Reload UFW: For changes to take effect, reload UFW after checking the list of rules and making sure that the desired IP address is added to the list of blocked IP addresses:
sudo ufw reload
UFW rules don’t disappear after the system reboots. Don’t worry about this Issue because your changes will be applied permanently.
7. Delete the newly added rule (if needed): If you decide to delete your created rules in the UFW firewall for various reasons in Ubuntu/Debian, first view a list of UFW rules that are numbered:
ufw status numbered
Then, delete the rule you want by typing the number of the line containing the desired rule in the following command. For example, to delete rule number 3, run the following command:
ufw delete 3
Enter the following command to apply changes to the UFW firewall:
ufw reload
How to block Linux IP addresses in Firewalld?
Firewalld or Firewall Dynamic is a Linux Host-based firewall that uses a command line named firewall-cmd to set and manage rules and is controlled through a D-bus interface and graphical environment. Firewalld is a frontend controller for iptables and a dynamic version of iptables that executes rules in a stable network and supports IPv4 and IPv6. The difference between Firewalld and iptables is that unlike iptables, which uses Chain and Rules, Firewalld uses Zones and Services. In general, Firewalld offers users better and simpler management capabilities than iptables. You will learn how to block IP addresses in Firewalld in this section of the article:
1. Install Firewalld if it is not already installed
First, check if Firewalld is installed or not. If it is not installed, you can set up Firewalld from the official repositories of different Linuxes with the help of the package manager of the distribution you are using. For example, to install Firewalld in Debian/ Ubuntu, enter the following command:
sudo apt-get install firewalld
2. Start firewalld
Use the following command to enable Firewalld in Linux Ubuntu/Debian so that it starts when the system boots:
sudo systemctl start firewalld
sudo systemctl enable firewalld
3. List your active zones
As we mentioned, you are dealing with zones in firewalld, so you must first identify the zone of your network interface. To check active zones, run the following command:
sudo firewall-cmd --get-active-zones
4. Block the IP address
To add a new rule to block IP addresses in the zone identified in Step 3, use the “--add-rich-rule
” option:
sudo firewall-cmd --zone=your-zone --add-rich-rule='rule source ipset=blacklist drop'
As a result, through this command, packets are dropped from the specified IP address. To create a custom IP set to block multiple IP addresses, replace the blacklist with the name of your choice. You can also block a specific IP address in Firewalld by using the-permanent
option to make a permanent change and the--add-rich-rule
option:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="X.X.X.X" reject'
5. Apply the changes
After adding a new rule to Firewalld, you must reload Firewalld to apply Firewalld configuration changes:
sudo firewall-cmd --reload
After restricting incoming traffic from a specific IP address, you can test access to your system from the blocked IP address or check firewall logs for dropped packets.
Conclusion
Default Linux firewalls such as iptables, UFW, and Firewalld are powerful tools that provide valuable capabilities for filtering network packets and limiting network traffic and connections. Iptables allows users to manage and filter network traffic by defining rules to filter network packets. Although iptables is a powerful tool for increasing system security, it is complicated for many users to configure and set rules in iptables. Efficient firewalls UFW and Firewalld are good alternatives to iptables that simplify the management and configuration of rules, so UFW and Firewalld are usually recommended for novice users to set restrictions and filters.
Please be careful when blocking an IP address with a firewall, and make sure you are blocking malicious IP addresses and illegal traffic because if you do it wrong, you may disrupt normal network traffic and experience unwanted consequences. Therefore, have a valid reason for blocking the IP address and consider the potential effects of blocking the IP address in the network. Which Linux firewall are you most comfortable with? Which one do you recommend to Linux beginners for blocking IP addresses?