In server computing, a network interface refers to a hardware or software component that enables communication between the server and a network. It serves as the interface or connection point between the server and the network infrastructure, allowing the server to send and receive data over the network.
iptables is a powerful and flexible firewall management tool in Linux. If you want to block connections to specific network interfaces using iptables, you can use rules to filter incoming and outgoing traffic.
Here are some general steps to block connections to a network interface in Linux:
Identify the Network Interface
First, identify the network interface you want to block. You can use the ip command to list the available network interfaces:
ip a
The ip a command displays information about network interfaces on a Linux system. The output typically looks like the following:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 12:34:56:78:90:ab brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::3456:7890:ab%eth0/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether de:ad:be:ef:12:34 brd ff:ff:ff:ff:ff:ff
In this example:
lo is the loopback interface.
eth0 is an Ethernet interface with the IP address 192.168.1.2.
wlan0 is a wireless interface currently in the DOWN state.
If you want to display only the network interfaces and their statuses without the detailed information, you can use the ip command with the link option. Here’s the command:
ip link show
This command outputs a simpler list that includes only the network interface names and their states. For example:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
In this output, you can see the interface names (lo, eth0, wlan0) and their respective states (UP, UP, DOWN).
Install iptables (if not installed)
First, check whether iptables is installed:
iptables --version
The output of the above command looks like this:
root@ubuntu-c-4-8gib-nyc3-01:~# iptables --version
iptables v1.8.7 (nf_tables)
If it’s not installed, you can install it with the following command:
sudo apt install iptables
Block Incoming Connections
Use the following command to block incoming connections to a specific network interface. Replace INTERFACE_NAME with the actual name of your network interface. Take care not to pick the interface that carries your own remote session, since dropping INPUT traffic on it will cut that session off:
sudo iptables -A INPUT -i INTERFACE_NAME -j DROP
This rule appends (-A) a DROP action for incoming traffic (INPUT) on the specified network interface (-i INTERFACE_NAME).
Block Outgoing Connections
If you also want to block outgoing connections on the specified network interface, use a similar command with the -o option:
sudo iptables -A OUTPUT -o INTERFACE_NAME -j DROP
This rule appends a DROP action for outgoing traffic (OUTPUT) on the specified network interface (-o INTERFACE_NAME).
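The identify-and-block steps above as a small POSIX sh script, added here as an example and not taken from the original article: it parses ip link show output to confirm the interface exists, refuses to block the interface that carries the default route (usually the one a remote session arrives on), tags each rule with -m comment so that iptables -L later explains it, and checks with iptables -C so re-running does not stack duplicate rules. Function and variable names are my own, and the sample ip link show text is constructed; applying rules requires root (for example via sudo).

```shell
#!/bin/sh
# Added example, not from the original article. Assumes POSIX sh with ip and
# iptables on PATH, run as root (e.g. via sudo) when rules are actually applied.
# Constructed sample of `ip link show` output, used for offline checks.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000'

# iface_state TEXT IFACE: print the interface's state (UP/DOWN/UNKNOWN) parsed
# from `ip link show` output; exit status 1 if the interface is not listed.
iface_state() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $2 == (ifc ":") { for (i = 1; i <= NF; i++) if ($i == "state") { print $(i + 1); found = 1 } }
        END { if (!found) exit 1 }'
}

# block_cmds IFACE [in|out|both]: print the rules that would be added. Each
# carries an -m comment so that `iptables -L` later shows why the rule exists.
block_cmds() {
    case "${2:-both}" in in|both)
        printf 'iptables -A INPUT -i %s -m comment --comment "Block incoming on %s" -j DROP\n' "$1" "$1" ;; esac
    case "${2:-both}" in out|both)
        printf 'iptables -A OUTPUT -o %s -m comment --comment "Block outgoing on %s" -j DROP\n' "$1" "$1" ;; esac
}

# Interface carrying the default route; block_iface refuses it, since dropping INPUT there usually kills a remote session.
default_route_iface() {
    ip -o route show default 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# add_drop CHAIN FLAG IFACE COMMENT: append only if -C finds no identical rule already present (idempotent).
add_drop() {
    iptables -C "$1" "$2" "$3" -m comment --comment "$4" -j DROP 2>/dev/null ||
        iptables -A "$1" "$2" "$3" -m comment --comment "$4" -j DROP
}

# block_iface IFACE [in|out|both]: validate the name, refuse the default-route interface, then apply the DROP rules.
block_iface() {
    ifc=$1; dir=${2:-both}
    iface_state "$(ip link show 2>/dev/null)" "$ifc" >/dev/null ||
        { echo "no such interface: $ifc" >&2; return 2; }
    [ "$ifc" != "$(default_route_iface)" ] ||
        { echo "refusing to block $ifc: it carries the default route" >&2; return 3; }
    case "$dir" in in|both)  add_drop INPUT  -i "$ifc" "Block incoming on $ifc" ;; esac
    case "$dir" in out|both) add_drop OUTPUT -o "$ifc" "Block outgoing on $ifc" ;; esac
}

if [ "$#" -gt 0 ]; then block_iface "$@"; fi
```

Run it as `sudo sh block_iface.sh wlan0 in` to drop only incoming traffic on wlan0, or with no arguments to load the functions without changing anything.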
Save Changes
To make sure your changes persist across reboots, save the iptables rules. The method varies based on your distribution.
On Debian/Ubuntu-based systems:
sudo service iptables-persistent save
On Red Hat/CentOS systems:
sudo service iptables save
Verify Rules
Check the current iptables rules to verify that the blocking rules have been applied:
sudo iptables -L
If you’ve blocked connections to network interfaces using iptables, the output may include entries similar to the following. Note that plain -L does not print the interface column; add -v to see the in/out interfaces, and the /* ... */ annotations only appear for rules that were added with -m comment --comment:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Block incoming on eth0 */
DROP       all  --  anywhere             anywhere             /* Block incoming on wlan0 */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Block outgoing on eth0 */
DROP       all  --  anywhere             anywhere             /* Block outgoing on wlan0 */
Undo Changes (if needed)
If you want to remove the blocking rules, you can use the following commands:
sudo iptables -D INPUT -i INTERFACE_NAME -j DROP
sudo iptables -D OUTPUT -o INTERFACE_NAME -j DROP
These commands delete (-D) the specified rules from the INPUT and OUTPUT chains.