93

I've never used iptables, and the documentation online seems a bit opaque.

I'd like to block all requests to port 8000 on my server except those coming from a specific IP address. How do I do that using iptables?

will
  • Would you be so kind as to share a link to the opaque documentation? – Nathan Basanese Dec 14 '15 at 22:38
  • I know this is an old question but please consider moving this question to ServerFault. Thank you! – Valerio Bozz Nov 02 '22 at 13:01
  • I'm voting to close this question because, from the iptables tag: IPTABLES SUPPORT IS OFF-TOPIC. [What topics can I ask about here?](https://stackoverflow.com/help/on-topic) Support questions may be asked on https://superuser.com. Use this tag only for questions on programming with iptables. Questions about configuring iptables should be asked on Server Fault (https://serverfault.com/). Please delete this. – Rob May 30 '23 at 11:28

3 Answers

172

This question should be on Server Fault. Nevertheless, the following should do the trick, assuming you're talking about TCP and the IP you want to allow is 1.2.3.4:

# accept the one permitted source first: iptables stops at the first matching rule
iptables -A INPUT -p tcp --dport 8000 -s 1.2.3.4 -j ACCEPT
# then drop everything else aimed at the port
iptables -A INPUT -p tcp --dport 8000 -j DROP
Jon Bright
  • How would you go about reversing this ip/port restriction you've set up here? (in case I want to undo this in the future) – tester Aug 17 '13 at 02:47
  • tester, to remove stuff, refer to this - http://stackoverflow.com/questions/10197405/iptables-remove-specific-rules – Quest Monger Jan 16 '14 at 21:08
  • I know this is relatively old, and this totally nailed what I needed. And since the answer has been accepted anyway, how do you do the same thing with a specific IP range? Thanks! :) – jagc Jun 25 '14 at 09:44
  • @JiegoCordoviz You can add a mask to the source address: "-s 1.2.3.0/24" will accept from anything starting with "1.2.3.". Search for "netmask calculator" if you have a range and want to work out a netmask. – Jon Bright Jul 04 '14 at 08:31
  • why might this not be working? – Dave Ankin Jun 06 '22 at 12:49
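The two rules from the answer above in a form that can be rerun safely, added here as an example; it is not part of Jon Bright's answer. It keeps the answer's assumptions (the filter table's INPUT chain, TCP port 8000, allowed source 1.2.3.4; the PORT and ALLOWED_SRC variables and the function names are mine) and adds two things a practitioner usually wants: a loopback ACCEPT, because the bare DROP rule would otherwise also cut off clients on the same box (a local reverse proxy or a health check on 127.0.0.1), and an `iptables -C` check before each append so running it twice does not duplicate rules. It also lists the chain afterwards, because `-A` appends to the end of the chain: if an earlier rule already accepts everything (a distribution default or a stray `-j ACCEPT` catch-all), packets never reach these rules, which is the first thing to look at when the restriction appears to have no effect.

```shell
#!/bin/sh
# Added example (not from the original answer): restrict TCP port 8000 to one
# source address, written as functions so it can be rerun without duplicating
# rules. Assumes the filter table's INPUT chain on a host with iptables.
# iptables walks a chain top to bottom and the first matching rule wins, so
# the ACCEPT rules must sit above the DROP.

PORT=8000
ALLOWED_SRC="1.2.3.4"   # a CIDR such as 1.2.3.0/24 also works here

# Emit the rule specifications (everything after "iptables -A INPUT"), one per
# line, in the order they must appear in the chain. Loopback is allowed first
# so clients on the box itself (a reverse proxy on 127.0.0.1, say) are not
# dropped along with everyone else.
rule_specs() {
    port="$1"
    src="$2"
    printf '%s\n' \
        "-i lo -p tcp --dport $port -j ACCEPT" \
        "-p tcp --dport $port -s $src -j ACCEPT" \
        "-p tcp --dport $port -j DROP"
}

# Append each rule only if an identical one is not already in the chain
# (iptables -C exits 0 when the rule exists), so running this twice does not
# leave duplicate rules behind.
apply_rules() {
    rule_specs "$1" "$2" | while IFS= read -r spec; do
        # $spec is left unquoted on purpose so it splits into arguments
        if ! iptables -C INPUT $spec 2>/dev/null; then
            iptables -A INPUT $spec
        fi
    done
}

# List the INPUT chain with rule numbers and packet counters: the order shows
# whether an earlier rule shadows these, the counters whether traffic to the
# port is actually reaching them.
show_rules() {
    iptables -L INPUT -n -v --line-numbers
}

# Usage (as root): sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules "$PORT" "$ALLOWED_SRC"
    show_rules
fi
```

Run it as root with the argument `apply`. These rules affect IPv4 only: if the service also listens on an IPv6 address, the same rules are needed in ip6tables, or the port stays reachable over IPv6 regardless of what iptables says.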
19

Another alternative is:

sudo iptables -A INPUT -p tcp --dport 8000 -s ! 1.2.3.4 -j DROP

I had a similar issue where 3 bridged virtual machines just needed access to each other in different combinations, so I tested this command and it works well.

Edit:

According to Fernando's comment and this link, the exclamation mark (!) should be placed before the -s parameter:

sudo iptables -A INPUT -p tcp --dport 8000 ! -s 1.2.3.4 -j DROP
HRgiger
7

You can always use iptables to delete the rules. If you have a lot of rules, just output them using the following command.

iptables-save > myfile

Use vi to edit them from the command line. Just use "dd" to delete the lines you no longer want.

iptables-restore < myfile and you're good to go.

REMEMBER THAT IF YOU DON'T CONFIGURE YOUR OS TO SAVE THE RULES TO A FILE AND THEN LOAD THE FILE DURING BOOT, YOUR RULES WILL BE LOST.

Alexander Reznikov
RecentCoin
    On Debian there is no iptables-load, but iptables-restore `iptables-restore < myfile` // https://wiki.debian.org/iptables – Fedir RYKHTIK Mar 31 '15 at 16:56
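A worked version of the save/edit/restore workflow above, added as an example and not taken from the answer: the rules from this thread written out as an iptables-save style file, parsed with `iptables-restore --test` before anything is loaded, then loaded atomically. The port, source address and file path are assumptions carried over from the thread, and the function names are mine. Writing the file yourself rather than editing `iptables-save` output in vi has the advantage that the same file can be dropped into the location your distribution loads at boot, which is the persistence step the answer warns about.

```shell
#!/bin/sh
# Added example, not code from the original answer. It writes the rules from
# this thread as an iptables-save style file, checks that the file parses
# before it is loaded, and loads it atomically with iptables-restore.
# Assumptions: iptables-restore supports --test, and the filter table holds
# nothing else you care about (loading the file REPLACES the whole table).

# Print a complete ruleset for the filter table. "*filter" ... "COMMIT" is
# the block iptables-save emits; ":CHAIN POLICY [pkts:bytes]" lines declare
# the built-in chains and their default policies. Lines beginning with "#"
# are ignored by iptables-restore.
make_ruleset() {
    port="$1"
    src="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# local clients on the box itself keep access to the port
-A INPUT -i lo -p tcp --dport $port -j ACCEPT
# the one permitted remote source (a CIDR such as 1.2.3.0/24 also works)
-A INPUT -p tcp --dport $port -s $src -j ACCEPT
# everything else aimed at the port is dropped
-A INPUT -p tcp --dport $port -j DROP
COMMIT
EOF
}

# Parse the file without touching the kernel: a typo fails here, before
# anything changes, instead of leaving a half-applied ruleset behind.
check_ruleset() {
    iptables-restore --test < "$1"
}

# Replace the running filter table with the file's contents in one step.
load_ruleset() {
    check_ruleset "$1" && iptables-restore < "$1"
}

# Usage (as root): sh this_script.sh /etc/iptables/rules.v4
# /etc/iptables/rules.v4 is the file the iptables-persistent package loads
# at boot on Debian/Ubuntu; on RHEL-family systems the equivalent is
# /etc/sysconfig/iptables with the iptables-services package.
if [ -n "${1:-}" ]; then
    make_ruleset 8000 1.2.3.4 > "$1"
    load_ruleset "$1"
fi
```

Because `iptables-restore` replaces the whole filter table with the file's contents, any rule not in the file (an SSH allow, for instance) disappears when it is loaded; run `iptables-save` first and merge anything you still need into the generated file before loading it on a remote host.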