Almost every Linux installation runs some kind of firewall front end to create and manage complicated traffic rules. These front ends work by manipulating the underlying packet-filtering tool, “iptables”. It is a comprehensive tool that comes installed with Linux distributions by default, but it can be a bit difficult to get a handle on: the commands to add rules, the terminology used, and so on can get pretty complicated.
In this article, I’ll show you how to do the following things with iptables:
- Block an IP Address;
- Log it;
- Delete Rules from IPTables.
Setting up the Test IP Address
In this example, I use two devices to test IPTables: my laptop, which is running a VPN, and my phone. Here is the current public IP address of my home connection:
I’m going to use iptables to block this address. Since I still need to access the server via SSH, I’ll be connecting from the laptop over a VPN so that I can still run commands, while my phone keeps using the address above. First, you can see that I’m able to access the Apache server from both my laptop and my phone using the IP address of my test Linux server:
So now our test environment is set up.
Setting up Logging Traffic from an IP Address
The first step is to log all traffic coming from 220.127.116.11. To do this, I type the following command into my Linux terminal, running as root:
iptables -A INPUT -s 18.104.22.168 -j LOG --log-prefix "Testing "
Here’s an explanation of what’s happening.
- The “-A” option indicates that we want to append a new rule to one of the iptables chains. The chain named here is INPUT, which handles packets arriving at this host, so the rule applies to incoming traffic.
- Next, the “-s” option tells the system that this rule only applies to packets originating from that specific IP address.
- “-j” stands for “Jump”. It basically specifies the action we want to run for the packets that match this particular rule. In this case, we want to log the traffic, so we use the keyword “LOG”.
- Finally, the “--log-prefix” parameter is used to prepend a string to the log entry. This allows us to easily find the line in large log files. I just use the string “Testing ” here. Note how I place a space before the closing quotation mark of the string; it simply makes the subsequent log entries easier to read, since the prefix is written directly in front of the packet fields.
The log file locations for Linux can depend on the distribution. For RHEL/CentOS, the file is located at:
If you’re on Ubuntu, the file is placed here:
Now when I access my Linux server from my phone, which has the IP address first noted above, I can open the relevant log file and search for the specific tag (in this case “Testing ”) to see the log entry. Here’s the entry on my CentOS system:
You can see that the “SRC” contains the IP address of my phone and the entry has the keyword “Testing ” inside it. Now that we know how to log these visits, it’s time to learn how to block them.
Blocking IP Address After Logging
The “LOG” target is non-terminating: after a packet is logged, iptables keeps evaluating the following rules in the chain, so we can apply another rule to the same traffic to determine what happens to it. To block all traffic from the same address, I use the following command:
iptables -A INPUT -s 22.214.171.124 -j DROP
This is almost the same as the previous command. The only difference is that the “jump” target here is DROP instead of LOG. Because the rule is appended after the LOG rule, matching packets are logged first and then dropped. After typing in this command, all traffic from 126.96.36.199 is dropped without warning. Here’s what my browser shows this time:
As you can see, there’s no error message. No “404”, “503”, or anything else; the connection simply times out because the packets are silently discarded. This also uses the least server resources, since no reply is generated.
Removing the Rules from IPTables
Removing rules we placed into IPTables can be a bit tricky. But here’s the best way I’ve found. First, get the line numbers of the rules we want to delete using the following command:
iptables -L --line-numbers
This will show you all the IPTables rules with a line number appended to them. Like this:
We want to remove line numbers “1” and “2”. To delete line number 1, we use the following:
iptables -D INPUT 1
HOWEVER, after a rule is deleted, the line numbers of the remaining rules after it shift up by one! So to delete what was line number 2, we need to issue the same command once again, because “2” has become “1”. You can check and see for yourself by running the listing command again.
So we run the same command again to remove both the rules we just generated.
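The two recurring chores in this article, pulling the logged SRC addresses out of the log file and working out which rule numbers to delete, can be scripted. The following helpers are an added example, not code from the article: they parse a constructed copy of the output of `iptables -L INPUT -n --line-numbers` and a few constructed kernel log lines (the rsyslog line layout is an assumption), and they print the delete commands highest-number-first so the renumbering problem described above never bites. Nothing here runs iptables itself.

```shell
#!/bin/sh
# Added example (not from the article): parse an iptables listing and LOG
# entries, then derive delete commands in an order that survives renumbering.

# Constructed sample listing; the address is one of the article's test addresses.
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    LOG        all  --  220.127.116.11       0.0.0.0/0            LOG flags 0 level 4 prefix "Testing "
2    DROP       all  --  220.127.116.11       0.0.0.0/0
3    ACCEPT     all  --  10.0.0.0/8           0.0.0.0/0
EOF
)

# Constructed sample log lines; the exact rsyslog field layout is an assumption.
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 12:00:01 centos kernel: Testing IN=eth0 OUT= SRC=220.127.116.11 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=80
Jan 10 12:00:02 centos kernel: Testing IN=eth0 OUT= SRC=220.127.116.11 DST=192.168.1.10 PROTO=TCP SPT=51235 DPT=80
Jan 10 12:00:03 centos sshd[812]: Accepted publickey for admin from 10.8.0.2 port 40212
EOF
)

# Print the INPUT rule numbers whose source column equals $1, highest first.
# Deleting in descending order never shifts a number we still need.
rule_numbers_for_source() {
  printf '%s\n' "$2" | awk -v src="$1" '$1 ~ /^[0-9]+$/ && $5 == src { print $1 }' | sort -rn
}

# Emit (but do not execute) the delete commands for source $1 in safe order.
delete_commands_for_source() {
  for n in $(rule_numbers_for_source "$1" "$2"); do
    printf 'iptables -D INPUT %s\n' "$n"
  done
}

# Print each distinct SRC= address from log lines that carry the prefix $1.
logged_sources() {
  printf '%s\n' "$2" | grep -F -- "$1" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort -u
}

echo "Addresses logged with the Testing prefix:"
logged_sources 'Testing ' "$SAMPLE_LOG"
echo "Commands to remove the rules for the test address:"
delete_commands_for_source 220.127.116.11 "$SAMPLE_LISTING"
```

To use it on a live system, feed the helpers `"$(iptables -L INPUT -n --line-numbers)"` and the contents of the distribution's log file instead of the constructed samples, and review the printed commands before running them as root.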
Saving the IPTable Rules
The IPTables rules you create from the command line live only in the kernel's memory and will be wiped out the next time you reboot your system. To save them, type the following command on RHEL/CentOS:
service iptables save
Ubuntu and other distributions typically require additional software to save and restore the rules easily across reboots. Otherwise it can be quite a pain!
So that’s how we block, log, and delete rules for specific IP addresses in Linux. Most of the time you’ll be doing all this using a dedicated firewall program. But sometimes you need to make the rules directly in IPTables, and this article will help you do just that.