Quick, practical steps to deny traffic from malicious IP ranges using iptables.

16.11.2025 | reading time: 2 min

A short, hands-on guide that shows how to deny entire IP ranges with iptables so the system stops talking to attackers before they strain services.

Concrete example

An office server sees repeated SSH brute-force from the IPv4 block 203.0.113.0/24; block the whole range and verify the rule with these commands:

```
sudo iptables -I INPUT 1 -s 203.0.113.0/24 -j DROP
sudo iptables -L INPUT -n --line-numbers
# sample output
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  203.0.113.0/24       0.0.0.0/0
```

Tweaks and caveats

Order matters: iptables scans rules top-to-bottom, so use `-I` to insert critical blocks at the top or `-A` to append. Prefer `-s` to specify source ranges and combine `-p tcp --dport 22` to limit blocks to a service. For IPv6 use `ip6tables`. For large lists use ipset to avoid performance bottlenecks. Persist rules with `iptables-save`/`iptables-restore` or your distribution's firewall service. Log suspicious traffic with `-j LOG` before dropping if you need traces.

Related approaches

iptables is powerful but not the only way: nftables is the modern successor with similar capabilities and improved syntax, ipset stores thousands of addresses efficiently, and tools like fail2ban automate temporary blocks by updating firewall rules based on log patterns.

Next steps

Try blocking a small test range on a lab VM, then expand to ipset for many entries and practice rule persistence; deepen skills by studying netfilter architecture and consider formal certification to validate them, for example CompTIA Linux+ or LPIC-1, and explore intensive exam prep at bitsandbytes.academy.
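The ipset route recommended above for large lists, sketched as an added example (not part of the original guide): it validates a text blocklist and emits an `ipset restore` file, so one iptables rule can cover every entry. The set name `blocklist`, the file name `blocklist.ipset`, the `/8` minimum-prefix guard and the sample entries are assumptions made for illustration.

```sh
#!/bin/sh
SET_NAME="blocklist"   # hypothetical set name (assumption)
MIN_PREFIX=8           # assumed guard: refuse ranges broader than /8

# valid_cidr ENTRY: succeed only for a well-formed IPv4 address or CIDR range.
valid_cidr() {
    case "$1" in ''|*[!0-9./]*|*/*/*|.*|*..*|*./*|*.) return 1 ;; esac
    addr=${1%%/*}; prefix=32
    case "$1" in */*) prefix=${1#*/} ;; esac
    case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_restore: read entries on stdin, write an `ipset restore` file on stdout.
# Comments and blank lines are skipped, duplicates are dropped, and rejected
# entries are reported on stderr instead of reaching the firewall.
build_restore() {
    echo "create $SET_NAME hash:net family inet"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | sort -u |
    while IFS= read -r entry; do
        if valid_cidr "$entry"; then
            echo "add $SET_NAME $entry"
        else
            echo "rejected: $entry" >&2
        fi
    done
}

# Constructed sample input: documentation ranges plus deliberately bad entries.
sample_blocklist() {
    printf '%s\n' '# SSH brute-force sources' '203.0.113.0/24' \
        '198.51.100.7   # single host' '203.0.113.0/24' '0.0.0.0/0' '300.1.2.3/24'
}

sample_blocklist | build_restore
# Load and apply as root, after saving the output above as blocklist.ipset:
#   ipset -exist restore < blocklist.ipset
#   iptables -I INPUT 1 -m set --match-set blocklist src -j DROP
```

Run without root, the script only prints the restore file and the rejected entries; nothing touches the firewall until the two commented commands are executed.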