There are a few different ways to block an IP address in Debian / Ubuntu. This article describes one way to block an IP address using the null routing reject command.
Temporarily Block An IP Address
Use the following command to temporarily block an IP address. To permanently block an IP address, see the section “Permanently Block an IP Address” below.
/sbin/route add -host 192.168.1.100 reject
Replace 192.168.1.100 with the IP address that you would like to block.
Block An IP Subnet
Use the following command to block an IP subnet.
/sbin/route add -net 192.168.1.0/24 reject
Unblock An IP Address
Use the following command to unblock an IP address.
/sbin/route del -host 192.168.1.100 reject
– or –
/sbin/route delete 192.168.1.100
Replace 192.168.1.100 with the IP address that you would like to unblock.
List Blocked IP Addresses
If you need to see a list of the IP addresses currently blocked via route, use the command below.
/sbin/route -n
– or –
netstat -nr
Note: Not every entry listed by the above commands is a blocked IP address; the routing table also contains the normal routes for your interfaces.
Permanently Block an IP Address
When using the method above, the blocking route will be lost once your server is rebooted. To fix this we need to place two lines in the /etc/network/interfaces file.
vi /etc/network/interfaces
Find the interface you are using (e.g. eth0, eth1, bond0), and add the following two lines to the end of that interface's section. Don’t forget to put the actual IP address that needs to be blocked in place of 192.168.1.100.
up route add -host 192.168.1.100 reject
down route del -host 192.168.1.100 reject
Restart the networking daemon.
service networking restart
Permanently Block an IP Subnet
vi /etc/network/interfaces
Find the interface you are using (e.g. eth0, eth1, bond0), and add the following two lines to the end of that interface's section. Don’t forget to put the actual network address and prefix length that needs to be blocked in place of 192.168.1.0/24.
up route add -net 192.168.1.0/24 reject
down route del -net 192.168.1.0/24 reject
Restart the networking daemon.
service networking restart
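As an added example (not part of the original article), the following shell script covers two of the steps above: filtering the output of route -n so that only the reject routes are shown (the note under "List Blocked IP Addresses"), and generating the up/down lines for the interface stanza in /etc/network/interfaces. It assumes the net-tools route -n output format, in which a reject route carries ! in the Flags column; the sample routing table, the function names and the loose address check are constructed for this example.

```sh
#!/bin/sh
# Added helper script, not from the original article. It assumes the
# net-tools "route -n" output format, where a reject route shows "!" in
# the Flags column. The functions only filter command output and print
# configuration lines; nothing here changes the system's routing table.

# Constructed sample of "route -n" output with two reject routes:
# a host reject (/32) and a network reject (/24).
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.1        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.100   -               255.255.255.255 !H    0      -        0 -
192.168.1.0     -               255.255.255.0   !     0      -        0 -'

# Read "route -n" output on stdin and print only the reject routes as
# DESTINATION/GENMASK, skipping the two header lines. The "!" flag is what
# separates a null route from the ordinary routing entries.
reject_routes_from_table() {
    awk 'NR > 2 && $4 ~ /!/ { print $1 "/" $3 }'
}

# Live version for a real host (needs net-tools installed).
list_blocked_ips() {
    /sbin/route -n | reject_routes_from_table
}

# Loose check: accept only a dotted-quad IPv4 address, optionally with a
# /prefix, so a value copied from a log line cannot add extra shell words.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the two lines to append to the interface stanza in
# /etc/network/interfaces: -host for a single address, -net for a subnet.
interfaces_block_lines() {
    addr=$1
    is_ipv4_or_cidr "$addr" || { printf 'invalid address: %s\n' "$addr" >&2; return 1; }
    case "$addr" in
        */*) kind=-net ;;
        *)   kind=-host ;;
    esac
    printf 'up route add %s %s reject\n' "$kind" "$addr"
    printf 'down route del %s %s reject\n' "$kind" "$addr"
}

# Demonstration on the constructed table (no root required).
printf '%s\n' "$SAMPLE_ROUTE_TABLE" | reject_routes_from_table
interfaces_block_lines 192.168.1.0/24
```

Run the script as-is to see the filter applied to the constructed table; on a live host, call list_blocked_ips instead. Keep in mind that a reject route only stops this host from sending to the address, so replies to it fail; it does not filter packets arriving from that address, which makes it a quick block rather than a replacement for a packet filter.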