Disabling an IP using IPTABLE

+2 votes
539 views

I am trying to do the following:
1. script_1, which can be executed at the start to enable all IPs.
2. Whenever we want to block an IP, we should call script_2 to block the IP.
3. Whenever we want to unblock an IP, we should call script_3 to unblock it.
4. script_4 to take a snapshot of the iptables rules.

posted Nov 26, 2013 by Salil Agrawal


1 Answer

+2 votes

Step 1: Initialize iptables

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT

Step 2: Block the traffic from an IP

iptables -I INPUT 1 -s <IP> -j DROP

Step 3: Commit the changes

/sbin/service iptables save
answer Nov 26, 2013 by Meenal Mishra
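As an added example (not the original answer's or asker's code), the steps above folded into one POSIX sh script whose subcommands are the four scripts the question asks for. It assumes the iptables binary path in $IPTABLES (default "iptables"), root privileges, and an iptables-save binary next to it; the DRY_RUN switch and the valid_ip check are this example's own additions. The address argument is validated before it reaches iptables, so a stray argument such as "10.0.0.1 -j ACCEPT" is refused instead of being spliced into the rule, and script_2 uses iptables -C so that calling it twice for the same address does not stack duplicate DROP rules.

```shell
#!/bin/sh
# Added example (not the original answer's code): block/unblock/snapshot helpers
# built around the rules in the answer above. Assumes the iptables binary in
# $IPTABLES (default "iptables"), root privileges, and iptables-save alongside it.
# DRY_RUN=1 prints the commands instead of running them (an assumption of this
# example, useful for reviewing what would change before touching a live ruleset).

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Accept only a dotted-quad IPv4 address with an optional /prefix (0-32).
# Anything else is rejected, so an argument such as "10.0.0.1 -j ACCEPT"
# can never end up on the iptables command line as extra options.
valid_ip() {
    addr="${1%%/*}"
    if [ "$addr" = "$1" ]; then prefix=32; else prefix="${1#*/}"; fi
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    rest="$addr."          # sentinel dot so the last octet is split like the others
    n=0
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"
        rest="${rest#*.}"
        n=$((n + 1))
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric octet
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# script_1: flush every table and fall back to accept-all policies,
# the same baseline the answer's Step 1 establishes.
enable_all() {
    for table in filter nat mangle raw security; do
        run "$IPTABLES" -t "$table" -F
        run "$IPTABLES" -t "$table" -X
    done
    for chain in INPUT FORWARD OUTPUT; do
        run "$IPTABLES" -P "$chain" ACCEPT
    done
}

# script_2: drop traffic from one address; -C (check) keeps repeated calls
# from stacking duplicate rules.
block_ip() {
    valid_ip "$1" || { echo "refusing to block invalid address: $1" >&2; return 2; }
    if [ "$DRY_RUN" != 1 ] && "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null; then
        return 0   # rule already present
    fi
    run "$IPTABLES" -I INPUT 1 -s "$1" -j DROP
}

# script_3: remove the matching DROP rule again (one rule per call).
unblock_ip() {
    valid_ip "$1" || { echo "refusing to unblock invalid address: $1" >&2; return 2; }
    run "$IPTABLES" -D INPUT -s "$1" -j DROP
}

# script_4: snapshot the ruleset in a form iptables-restore can load later.
snapshot() {
    out="${1:-/var/backups/iptables-$(date +%Y%m%d%H%M%S).rules}"
    if [ "$DRY_RUN" = 1 ]; then
        echo "${IPTABLES}-save > $out"
    else
        "${IPTABLES}-save" > "$out"
    fi
}

case "${1:-}" in
    enable)   enable_all ;;
    block)    block_ip "$2" ;;
    unblock)  unblock_ip "$2" ;;
    snapshot) snapshot "$2" ;;
    '')       ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 enable | block <ip> | unblock <ip> | snapshot [file]" >&2 ;;
esac
```

Usage: `./ipblock.sh block 203.0.113.7`, `./ipblock.sh unblock 203.0.113.7`, `./ipblock.sh snapshot /root/before.rules`; prefix any of them with `DRY_RUN=1` to see the iptables commands without running them. The answer's Step 3 (`/sbin/service iptables save`) is specific to the Red Hat family's iptables init script; the `iptables-save` output written by the snapshot subcommand is the portable form and can be loaded back with `iptables-restore`.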
Similar Questions
+2 votes

We suffer from DNS lookups with a response IP address which is not existing. Can Iptables check on this?

+1 vote

After testing and looking at the kernel source, I realize that this mapping:

iptables -t nat -I PREROUTING -p tcp -m tcp --dport 30000:40000 -j DNAT --to [local_ip]:10000-2000

Doesn't do a one-to-one port mapping
e.g.:

100.0.0.1:30000 > 192.168.0.5:10000
100.0.0.1:30001 > 192.168.0.5:10001
100.0.0.1:30002 > 192.168.0.5:10002

I was wondering if it was possible to do the 1:1 port range forwarding to different port ranges or if you have to use individual rules.

+1 vote

I am trying to use byte counters to know how much total data is transferred from an IP. However, a simple test with ping shows that it counts 14 bytes less, probably ignoring the layer 2 header.

Is my understanding correct or am I missing something in this?

+5 votes

I want to forward all HTTP traffic coming in from a particular IP at local port 8080 to 2 particular IP addresses (port 80). Is it enough to prepend the following in my iptables rules?

-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80

+2 votes

I have an issue with the owner module in iptables v1.4.14.

Current rule fails:
iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --gid-owner usergroup -j DNAT --to-destination x.x.x.x:80;
I tried to use a numeric gid; it failed too.

But this rule works fine:
iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --uid-owner user -j DNAT --to-destination x.x.x.x:80;

Is it a bug, or am I missing something?

...