I have a few ip ranges to which I want my server to able to connect and users to connect from. Everything else should be blocked.

How should I do that with iptables?

My OS is Debian based linux distribution.

Frank Bannister
5 Answers


I'd suggest grabbing a firewall configuration tool, such as Firestarter, and going from there. Here are some basics for you, though.

# Flush existing rules in the filter table (this does not reset the chain policies)
iptables -F
# Allow existing connections to continue
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept everything from the 192.168.1.x network (192.168.1.0/24)
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# Allow connections from this host to <destination> (fill in your own address or range)
iptables -A OUTPUT -o eth0 -d <destination> -j ACCEPT
# Set up default DROP rule for eth0; set it last, so an interactive session is not cut off before the ACCEPT rules exist
iptables -P INPUT DROP
Pro Backup
  • You know you can format your code in serverfault posts, using the 101010 button. That way your comments won't come out as shouting. Just select (drag your mouse over) the code and then click the 101010 button above the text field. – Jason Tan Jun 23 '09 at 16:22
  • Ahhh thank you, I didn't realize that. Now I know :) – Zenham Jun 24 '09 at 15:45
  • +1 for EXISTING,RELATED - too many people don't do this. – Alnitak Jun 24 '09 at 15:49
  • +1, how do you indicate allowed port as well? Is that the part that has "iptables -A INPUT -i eth0 -s -j ACCEPT" the /24? Thanks! – King Friday Apr 01 '14 at 15:52
  • I think the /24 is the [network mask](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation) – Elouan Keryell-Even Jul 28 '16 at 14:43
  • For the love of god, please set the default DROP rule LAST! I locked myself (and everything else!) out of a machine by following that order of operations. – Bendoh Aug 11 '16 at 20:08
  • Terrible answer. OP says nothing about dropping all current connections. Now I'm locked out because I assumed the top answer made sense. – omikes Sep 11 '16 at 16:38
  • This is why I love serial access to cloud servers... I've locked myself out due to out of disk space, sshd misconfiguration and losing keys. Having had iptables related lockouts, yet. – Ray Foss Sep 11 '20 at 10:24
iptables -I INPUT -s <allowed_ip> -j ACCEPT #(repeat this line as needed)
iptables -P INPUT DROP

This will turn your system into a non-existent system for non-allowed computers.

Kevin M
  • Note that blindly applying this these and other comparable rules can interfere with the popular `sudo` command, which may fail when it cannot resolve the local host. This can be mitigated by specifying the externally-facing interface with `-i` or explicitly allowing access from `lo`. – ti7 Feb 26 '20 at 19:35

If you want to allow arbitrary ranges rather than entire subnets, you can use the 'iprange' iptables module:

iptables -P INPUT DROP

iptables -A INPUT -m iprange --src-range <first_ip>-<last_ip> -j ACCEPT

for example, will allow traffic coming from all machines with addresses between <first_ip> and <last_ip>.

If you want to allow incoming and outgoing traffic to the same range of IPs, I'd suggest that you create a specific chain allowing those IPs and send all the INPUT and OUTPUT traffic through it:

--define the default policies to drop everything:

iptables -P INPUT DROP
iptables -P OUTPUT DROP

--create the new chain:

iptables -N allowed_ips

--if the source (incoming traffic) or the destination (outgoing traffic) is part of the allowed range, accept

iptables -A allowed_ips -m iprange --src-range <first_ip>-<last_ip> -j ACCEPT
iptables -A allowed_ips -m iprange --dst-range <first_ip>-<last_ip> -j ACCEPT

--if not, return to the caller chain to continue processing

iptables -A allowed_ips -j RETURN

--make all traffic entering and leaving the machine go through our new chain

iptables -A INPUT -j allowed_ips
iptables -A OUTPUT -j allowed_ips

and that's it! Of course you may need additional rules, such as one allowing all traffic from/to the lo interface, etc.

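As an added example (not code from any answer on this page): a POSIX shell function that turns a list of allowed ranges into an iptables-restore ruleset, combining the allowed_ips chain design above with the lockout caveat from the comments on the first answer. The function name gen_rules and the loopback/conntrack rules are my own additions; the chain name allowed_ips is the one used in the answer above.

```shell
#!/bin/sh
# Turn a list of allowed IPv4 ranges into an iptables-restore ruleset that
# allows traffic to and from those ranges and drops everything else.
# Accepts CIDR or single hosts (192.168.1.0/24, 10.1.2.3) and dashed ranges
# (10.0.0.10-10.0.0.20, handled with the iprange module). Hypothetical helper.

gen_rules() {
  # iptables-restore loads the whole table in one step, so the DROP policies
  # never take effect before the ACCEPT rules exist (the interactive-session
  # lockout described in the comments above cannot happen).
  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' \
    ':allowed_ips - [0:0]'
  # Loopback and already-established traffic are always allowed (keeps sudo,
  # local services and the replies of permitted connections working).
  printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # One rule pair per range: source match for inbound, destination for outbound.
  for r in "$@"; do
    case "$r" in
      ''|*[!0-9./-]*)
        printf 'gen_rules: invalid range %s\n' "$r" >&2; return 1 ;;
      *-*)
        printf '%s\n' "-A allowed_ips -m iprange --src-range $r -j ACCEPT" \
                      "-A allowed_ips -m iprange --dst-range $r -j ACCEPT" ;;
      *)
        printf '%s\n' "-A allowed_ips -s $r -j ACCEPT" \
                      "-A allowed_ips -d $r -j ACCEPT" ;;
    esac
  done
  # Unmatched traffic returns to INPUT/OUTPUT and falls through to the DROP policy.
  printf '%s\n' '-A allowed_ips -j RETURN' \
    '-A INPUT -j allowed_ips' '-A OUTPUT -j allowed_ips' 'COMMIT'
}

# Example: write the ruleset to a file, review it, then load it atomically:
#   gen_rules 192.168.1.0/24 10.0.0.10-10.0.0.20 > /tmp/allowlist.rules
#   iptables-restore < /tmp/allowlist.rules
```

Remember that with OUTPUT defaulting to DROP, anything the server needs that lives outside the listed ranges (DNS, NTP, package mirrors) must be added as a range too, and test from a console or with a scheduled rollback before relying on it over SSH.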

Once you are happy with your rules, you probably want to save them. The comments in this link have several options on how to do that.

An easy-to-use iptables rules generator for simple needs is ufw. The package is available in Debian unstable.

Also try Firestarter. Available in lenny.

Not Now

You may also use ferm which I also use for the past year and has helped me a lot with cases such as conditional firewall rules.
