Linux: Block Network Access

TL;DR

This guide shows you how to block network access to specific hosts using Linux's kernel-level packet filtering, specifically iptables and ip6tables. This is more robust than simply editing application configuration files, because the filtering happens in the kernel and applies to every process and protocol on the system.

Blocking with iptables/ip6tables

  1. Understand the Basics: iptables handles IPv4 traffic, while ip6tables manages IPv6. You’ll likely need to use both if your system supports both protocols. These tools work by creating rules that determine what happens to network packets.
    • Chains: Rules are organised into chains (e.g., INPUT, OUTPUT, FORWARD). INPUT controls incoming traffic, OUTPUT outgoing, and FORWARD traffic passing *through* the system.
    • Tables: Chains belong to tables (e.g., filter, nat, mangle). The ‘filter’ table is most common for blocking.
  2. Identify the Host's IP Address(es): You need the exact IP address of the host you want to block. If you only have a hostname, resolve it with a tool like ping or nslookup; bear in mind that a hostname may resolve to several addresses, including both IPv4 and IPv6, and each one must be blocked:
    ping example.com
  3. Block Incoming Traffic (IPv4): This prevents the host from initiating connections *to* your system.
    sudo iptables -A INPUT -s <host_ip_address> -j DROP

    Replace <host_ip_address> with the actual IP address. The `-A` flag appends the rule to the end of the INPUT chain, and `-j DROP` tells iptables to discard the packets.

  4. Block Outgoing Traffic (IPv4): This prevents your system from initiating connections *to* the host.
    sudo iptables -A OUTPUT -d <host_ip_address> -j DROP

    Replace <host_ip_address> with the actual IP address. The `-d` flag specifies the destination IP.

  5. Block Incoming Traffic (IPv6): Repeat step 3 for IPv6 using ip6tables:
    sudo ip6tables -A INPUT -s <host_ipv6_address> -j DROP
  6. Block Outgoing Traffic (IPv6): Repeat step 4 for IPv6 using ip6tables:
    sudo ip6tables -A OUTPUT -d <host_ipv6_address> -j DROP
  7. Verify the Rules: Check that your rules have been added correctly.
    sudo iptables -L INPUT -n
    sudo ip6tables -L INPUT -n

    This lists all rules in the INPUT chain (`-n` skips reverse DNS lookups, which can otherwise make the listing slow). Look for your newly added rule(s), and repeat with OUTPUT to check the outgoing rules.

  8. Make the Rules Persistent: By default, iptables and ip6tables rules are lost on reboot. You need to save them.
    • Debian/Ubuntu: Install iptables-persistent:
      sudo apt update && sudo apt install iptables-persistent

      During installation, it will ask if you want to save the current rules. Say 'yes'.

    • CentOS/RHEL/Fedora: Install the iptables-services package first (it provides the iptables and ip6tables service units), enable both services, and save the rules to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Note that `sudo` applies only to the command, not to the shell's `>` redirection, so a plain `sudo iptables-save > /etc/sysconfig/iptables` fails with permission denied; wrap the whole command in `sudo sh -c`:
      sudo systemctl enable iptables ip6tables
      sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
      sudo sh -c 'ip6tables-save > /etc/sysconfig/ip6tables'
  9. Removing Rules: To remove a rule, use the `-D` flag followed by the chain name and either the exact rule specification or its line number. The easiest way is to list the chain with line numbers using `sudo iptables -L INPUT -n --line-numbers`, then delete by number. Line numbers shift after each deletion, so re-list before removing another rule.
    sudo iptables -D INPUT <line_number>

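A small script, added here as an example rather than taken from the guide, that carries out steps 2 to 6 for several addresses at once and is safe to re-run: it picks iptables or ip6tables from the form of the address, inserts each rule at the top of its chain, and uses `-C` to skip rules that are already present. The function names and the documentation addresses in the usage comment are this example's own.

```sh
#!/bin/sh
# Added example, not from the original guide: block hosts in both directions
# on IPv4 and IPv6, skipping rules already present so re-running is safe.
# Assumes iptables/ip6tables are installed and block_host runs as root.

# Pick the tool by address family: IPv6 literals contain a colon, IPv4 never does.
fw_tool() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Build the rule for one direction: "in" drops traffic from the host,
# "out" drops traffic to it. Output is the chain followed by the match spec.
rule_spec() {
    case "$1" in
        in)  echo "INPUT -s $2 -j DROP" ;;
        out) echo "OUTPUT -d $2 -j DROP" ;;
        *)   echo "rule_spec: unknown direction '$1'" >&2; return 1 ;;
    esac
}

# Insert the rule at the top of its chain (-I rather than -A) so an earlier
# ACCEPT rule cannot shadow it, but only if -C reports it is not already there.
ensure_rule() {
    tool=$(fw_tool "$2")
    spec=$(rule_spec "$1" "$2") || return 1
    # $spec is deliberately unquoted so it splits into separate arguments
    if $tool -C $spec 2>/dev/null; then
        echo "exists: $tool $spec"
    else
        $tool -I $spec && echo "added: $tool -I $spec"
    fi
}

# Block every address given, in both directions.
block_host() {
    for addr in "$@"; do
        ensure_rule in "$addr" || return 1
        ensure_rule out "$addr" || return 1
    done
}

# Usage (RFC 5737/3849 documentation addresses, constructed for illustration):
#   block_host 203.0.113.10 2001:db8::10
```

Verify the result with the listing commands from step 7; `block_host` prints "exists:" for rules it left alone and "added:" for the ones it inserted.
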
Important Considerations

  • Order Matters: Rules are processed in order and the first matching rule decides a packet's fate. `-A` appends to the end of the chain, so if an earlier rule already accepts the traffic, your DROP rule is never reached; in that case use `-I` instead of `-A` to insert the rule at the top of the chain. Check the position with `--line-numbers` to avoid unintended consequences.
  • Testing: Always test your rules thoroughly before relying on them in a production environment.
  • Cyber security best practice: Consider using nftables, the successor to iptables on current distributions, for greater flexibility and performance, especially if you have complex requirements.