Ugacomp

How to use iptables to block connections to network interfaces

Where necessary, you may need access to a VPS server so you can follow the steps in this article. You can get a cheap VPS server from Contabo with 4 vCPU cores, 8 GB RAM, and 32 TB bandwidth for less than $5.50 per month. Get this deal here now


In server computing, a network interface is the hardware or software component through which the server sends and receives data on a network: a physical NIC such as eth0, a wireless adapter such as wlan0, or a virtual device such as the loopback interface lo. It is the connection point between the server and the network infrastructure.

iptables is the classic Linux tool for managing the kernel's netfilter packet-filtering rules. It handles IPv4 only; IPv6 traffic is filtered by the companion tool ip6tables, so a host reachable over both protocols needs matching rules in both. To block connections on a specific network interface, you add rules that match the interface name and drop the traffic.

Here are the general steps to block connections to a network interface in Linux:

Identify the Network Interface

First, identify the network interface you want to block. You can use the ip command to list the available network interfaces:

ip a

The ip a command displays information about network interfaces on a Linux system. The output typically looks like the following:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 12:34:56:78:90:ab brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::3456:7890:ab/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether de:ad:be:ef:12:34 brd ff:ff:ff:ff:ff:ff

In this example:

  • lo is the loopback interface.
  • eth0 is an Ethernet interface with the IP address 192.168.1.2.
  • wlan0 is a wireless interface currently in the DOWN state.

If you want to display only the network interfaces and their statuses without the detailed information, you can use the ip command with the link option. Here’s the command:

ip link show

This command prints one line per interface with its name, flags and state. For example:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000

In this output, you can see the interface names (lo, eth0, wlan0) and their states: lo reports UNKNOWN, which is normal for the loopback device, eth0 is UP, and wlan0 is DOWN. The name in the second column is the value you will pass to iptables.

Install iptables (if not installed)

Check whether iptables is installed:

iptables --version

Sample output:

root@ubuntu-c-4-8gib-nyc3-01:~# iptables --version
iptables v1.8.7 (nf_tables)

The (nf_tables) suffix means this iptables binary is the nftables-backed variant: the rules you add are stored in the kernel's nftables subsystem and also appear in nft list ruleset. Debian and Ubuntu ship the older iptables-legacy binary alongside it, and rules loaded through one variant are not listed by the other, so pick one variant and use it consistently (update-alternatives --display iptables shows which one is active).

If it is not installed, install it with:

sudo apt install iptables

Block Incoming Connections

Use the following command to block incoming connections on a specific network interface. Replace INTERFACE_NAME with the name you found above (for example eth0):

sudo iptables -A INPUT -i INTERFACE_NAME -j DROP

This rule appends (-A) a rule to the INPUT chain that matches every packet arriving on the interface (-i INTERFACE_NAME) and drops it (-j DROP). Three things to keep in mind:

  • -A appends to the end of the chain, and iptables evaluates rules in order, so if an earlier rule already accepts the traffic (for example a conntrack RELATED,ESTABLISHED rule), the new DROP is never reached. Use -I INPUT instead of -A INPUT to insert the rule at the top of the chain.
  • If INTERFACE_NAME is the interface your SSH session came in on, this command cuts off your own session, and with DROP the connection simply hangs. Run it from a console or over a different interface, or use -j REJECT if you prefer the sender to receive an error instead of silence.
  • The INPUT chain only sees traffic addressed to the host itself. If the server routes traffic for other machines, packets entering on the interface and leaving through another one pass through FORWARD, not INPUT, and need their own rule (sudo iptables -A FORWARD -i INTERFACE_NAME -j DROP).

Block Outgoing Connections

If you also want to block outgoing connections on the specified network interface, use a similar command with the -o option:

sudo iptables -A OUTPUT -o INTERFACE_NAME -j DROP

This rule appends a DROP to the OUTPUT chain for every packet leaving through the interface (-o INTERFACE_NAME). Note that -i is only valid in the INPUT, FORWARD and PREROUTING chains and -o only in the OUTPUT, FORWARD and POSTROUTING chains; iptables rejects a rule that uses them elsewhere. Both commands affect IPv4 only; repeat them with ip6tables to block IPv6 on the same interface.
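Putting the two blocking commands together, here is an added example script (not from the original article) that generates and applies them with the safeguards discussed above: it validates the interface name, refuses to block the interface carrying the current SSH session, inserts the rules at the head of each chain with -I, adds the FORWARD rules and the matching ip6tables rules, and reverses everything with -D. It assumes a Linux host with iptables, ip6tables and iproute2 and must run as root to apply rules; the function names and the DRY_RUN variable are this example's own conventions, not iptables options, and the ip -o -4 addr show sample at the bottom is constructed for the self-test.

```shell
#!/bin/sh
# Added example (not from the original article): block, or unblock, all IPv4 and
# IPv6 traffic on one interface, with a guard against cutting off your own SSH
# session. Assumes Linux with iptables, ip6tables and iproute2; run as root to
# apply. Function names and DRY_RUN are this example's own, not iptables options.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; DRY_RUN=0 applies them

# Linux interface names are at most 15 bytes and contain no whitespace or '/'.
valid_ifname() {
    case "$1" in
        ''|*[[:space:]/]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Read `ip -o -4 addr show` output on stdin; print the interface owning address $1.
# Each line looks like "2: eth0    inet 192.168.1.2/24 brd ... scope global eth0\ ..."
iface_for_addr() {
    awk -v a="$1" '{ split($4, c, "/"); if (c[1] == a) { print $2; exit } }'
}

# Interface the current SSH session arrived on (empty when not logged in over SSH).
# SSH_CONNECTION is "client_ip client_port server_ip server_port".
session_iface() {
    [ -n "${SSH_CONNECTION:-}" ] || return 0
    server_ip=$(printf '%s' "$SSH_CONNECTION" | awk '{ print $3 }')
    ip -o -4 addr show | iface_for_addr "$server_ip"
}

# Print the commands for action $1 (-I to block, -D to unblock) on interface $2.
# -I inserts at the head of the chain so no earlier ACCEPT rule sees the packet
# first; FORWARD is included because INPUT/OUTPUT only cover traffic to and from
# the host itself; ip6tables is needed because iptables filters IPv4 only.
iface_commands() {
    for tool in iptables ip6tables; do
        printf '%s %s INPUT -i %s -j DROP\n'   "$tool" "$1" "$2"
        printf '%s %s OUTPUT -o %s -j DROP\n'  "$tool" "$1" "$2"
        printf '%s %s FORWARD -i %s -j DROP\n' "$tool" "$1" "$2"
        printf '%s %s FORWARD -o %s -j DROP\n' "$tool" "$1" "$2"
    done
}

apply_commands() {   # $1 = -I or -D, $2 = interface
    valid_ifname "$2" || { echo "invalid interface name: $2" >&2; return 2; }
    if [ "$1" = -I ] && [ "$(session_iface)" = "$2" ]; then
        echo "refusing: $2 carries this SSH session; you would lock yourself out" >&2
        return 3
    fi
    iface_commands "$1" "$2" | while IFS= read -r cmd; do
        # word splitting of $cmd is intended: it is a validated, space-separated command
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else $cmd; fi
    done
}

block_iface()   { apply_commands -I "$1"; }
unblock_iface() { apply_commands -D "$1"; }

# Constructed sample of `ip -o -4 addr show` output, used for the self-test only.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Usage: ./block-iface.sh block eth1   or   ./block-iface.sh unblock eth1
[ $# -ne 2 ] || { case "$1" in block) block_iface "$2" ;; unblock) unblock_iface "$2" ;; esac; }
```

Leave DRY_RUN at its default of 1 on the first run and read the printed commands before applying them with DRY_RUN=0; the SSH guard only recognises the session's own interface, so a rule that cuts off a different management path is still your responsibility.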

Save Changes

Rules added with iptables live only in kernel memory and disappear at the next reboot. To make them persist, save them with the mechanism your distribution provides.

On Debian/Ubuntu-based systems, install the iptables-persistent package (it pulls in netfilter-persistent, which reloads the saved rules at boot) and save the current IPv4 and IPv6 rule sets:

sudo apt install iptables-persistent
sudo netfilter-persistent save

This writes the output of iptables-save and ip6tables-save to /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

On Red Hat/CentOS systems that use the iptables-services package:

sudo service iptables save

This writes the rules to /etc/sysconfig/iptables. Recent RHEL-family releases default to firewalld, which does not pick up rules added directly with iptables; on those hosts, define the block through firewalld instead.

Verify Rules

Check the current iptables rules to verify that the blocking rules have been applied. The plain listing (sudo iptables -L) does not show interface names, so it cannot confirm which interface a DROP applies to; add -v for the in and out columns (and -n to skip DNS lookups):

sudo iptables -L -v -n

Alternatively, print the rules in the same form you typed them, which is the easiest way to confirm the interface and target:

sudo iptables -S

If you have blocked eth0 and wlan0 with the commands above, iptables -S prints something like:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i wlan0 -j DROP
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o wlan0 -j DROP

ip6tables keeps a separate rule set; run sudo ip6tables -S to verify the IPv6 rules.
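A listing only shows that a DROP rule exists, not whether packets ever reach it: because -A appends, an ACCEPT earlier in the same chain (the common conntrack RELATED,ESTABLISHED rule, for instance) is consulted first. As an added example (not from the original article), the following shell function reads iptables -S output and reports whether the DROP for an interface is present, missing, or shadowed by such an earlier ACCEPT. The function names and the sample rule sets are constructed for this example; the heuristic ignores match extensions other than the interface, so "shadowed" is a conservative warning rather than proof that traffic gets through.

```shell
#!/bin/sh
# Added example (not from the original article): check that an interface DROP rule
# is present and not shadowed by an earlier ACCEPT in the same chain.
# Function names are this example's own; sample rule sets below are constructed.
set -eu

# Read `iptables -S <chain>` on stdin. $1 = chain, $2 = -i or -o, $3 = interface.
# Prints "blocked", "shadowed" (DROP exists but an earlier ACCEPT can match the
# interface first) or "missing". Negated matches ("! -i eth0") are honoured; other
# match extensions (-s, -p, conntrack ...) are ignored, so this errs on warning.
rule_status() {
    awk -v chain="$1" -v flag="$2" -v ifn="$3" '
        $1 != "-A" || $2 != chain { next }   # skip -P policy lines and other chains
        {
            iface = ""; neg = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == flag) { iface = $(i + 1); neg = ($(i - 1) == "!") }
                if ($i == "-j") target = $(i + 1)
            }
            # could this rule match a packet on our interface at all?
            hits = (iface == "") ? 1 : (neg ? (iface != ifn) : (iface == ifn))
            if (target == "DROP" && iface == ifn && !neg) {
                st = shadowed ? "shadowed" : "blocked"
                print st; found = 1; exit
            }
            if (target == "ACCEPT" && hits) shadowed = 1
        }
        END { if (!found) print "missing" }'
}

# Check both directions on the live host (needs root), mirroring the two rules
# added in this article.
check_iface_block() {   # $1 = interface
    in_state=$(iptables -S INPUT | rule_status INPUT -i "$1")
    out_state=$(iptables -S OUTPUT | rule_status OUTPUT -o "$1")
    printf 'INPUT:%s OUTPUT:%s\n' "$in_state" "$out_state"
}

# Constructed sample rule sets for the self-test (not captured from a real host).
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i wlan0 -j DROP'

SHADOWED_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP'

NEGATED_RULES='-P INPUT ACCEPT
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -i eth0 -j DROP'

# Usage on a live host: ./check-block.sh eth1
[ $# -ne 1 ] || check_iface_block "$1"
```

Run the check after adding rules and again after a reboot: a "missing" result on a host where you saved the rules usually means the persistence step did not take effect, and "shadowed" means the block should be re-added with -I so it precedes the ACCEPT rule.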

Undo Changes (if needed)

If you want to remove the blocking rules, delete them with the same match specification you used to add them:

sudo iptables -D INPUT -i INTERFACE_NAME -j DROP
sudo iptables -D OUTPUT -o INTERFACE_NAME -j DROP

These commands delete (-D) the first rule in the INPUT and OUTPUT chains that matches the given specification exactly. Run the same commands with ip6tables if you added IPv6 rules, and save the rule set again afterwards; otherwise the saved copy will reinstate the block at the next reboot.
