How to Block All Outbound Traffic from a Specific NIC Using iptables on Linux

When working with multi-homed Linux systems, there are cases where you need to restrict outbound traffic from a specific network interface. This is common in:

  • Security gateway configurations
  • Network segmentation setups
  • Traffic routing control
  • Testing environments

The fundamental syntax for blocking outbound traffic on a specific interface is:

iptables -A OUTPUT -o eth1 -j DROP

Let's break this down:

  • -A OUTPUT - Appends to the OUTPUT chain, which only sees packets generated by this host; packets the host routes for other machines pass through FORWARD instead
  • -o eth1 - Matches traffic leaving via eth1 (-o can only be used in the OUTPUT, FORWARD and POSTROUTING chains)
  • -j DROP - Drops matching packets silently, without an ICMP error or TCP reset

For a production environment, consider these additional measures:

# Allow loopback traffic explicitly and early (the eth1 rule never matches lo, but keep it visible)
iptables -A OUTPUT -o lo -j ACCEPT

# Block all locally generated outbound traffic on eth1
iptables -A OUTPUT -o eth1 -j DROP

# On a gateway, OUTPUT only covers the host's own packets; traffic routed in from
# another interface and out of eth1 goes through FORWARD and needs its own rule
iptables -A FORWARD -o eth1 -j DROP

# iptables handles IPv4 only; without the ip6tables counterpart IPv6 still leaves via eth1
ip6tables -A OUTPUT -o eth1 -j DROP
ip6tables -A FORWARD -o eth1 -j DROP

# Avoid "iptables -F OUTPUT" on a live host: it removes every rule in the chain, not just yours

# Save rules for persistence (Debian/Ubuntu: these are the files iptables-persistent restores at boot)
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

To confirm the rules are working:

# List current iptables rules with counters (-v is required to see the in/out interface columns)
iptables -L OUTPUT -v -n

# Test connectivity through the blocked interface. Because the drop happens in OUTPUT,
# the kernel refuses the send itself and ping reports "sendmsg: Operation not permitted"
ping -c 3 -I eth1 8.8.8.8  # Should fail
ping -c 3 -I eth0 8.8.8.8  # Should succeed (assuming eth0 has a route to the target)

For more complex scenarios:

# Block only TCP traffic (UDP and ICMP still leave via eth1)
iptables -A OUTPUT -o eth1 -p tcp -j DROP

# Block with logging. LOG is non-terminating, so the DROP must follow it, and the
# -m limit match keeps one chatty process from flooding the kernel log
iptables -A OUTPUT -o eth1 -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "Blocked outbound eth1: "
iptables -A OUTPUT -o eth1 -j DROP

To keep the rules across reboots, install your distribution's persistence mechanism:

# Debian/Ubuntu: during installation the package offers to save the current IPv4 and
# IPv6 rules to /etc/iptables/rules.v4 and rules.v6, which netfilter-persistent restores at boot
apt install iptables-persistent

# RHEL/CentOS 7 and later: iptables-services conflicts with firewalld, so stop and
# disable firewalld first; the rules are saved to /etc/sysconfig/iptables
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services
systemctl enable iptables
systemctl start iptables
service iptables save

If rules don't persist after reboot:

  1. Check that the iptables (RHEL) or netfilter-persistent (Debian/Ubuntu) service is enabled
  2. Verify the correct save/restore mechanism for your distro
  3. Ensure no other tool manages the rule set: firewalld and ufw load their own rules at boot and can discard yours, and a later network script may flush the chain

When working with multiple network interfaces (e.g., eth0 and eth1) on a Linux system, you might need to restrict outgoing traffic from one NIC while allowing the other to function normally. This is common in scenarios like network isolation, security hardening, or traffic routing control.

To block all outgoing traffic (TCP/UDP/ICMP) from a specific NIC (e.g., eth1), use the following iptables rules:

# Block ALL outgoing traffic from eth1
iptables -A OUTPUT -o eth1 -j DROP

# Optional: Block incoming traffic to eth1 as well (for complete isolation)
iptables -A INPUT -i eth1 -j DROP

  • -A OUTPUT: Appends a rule to the OUTPUT chain (locally generated traffic only; routed traffic uses FORWARD)
  • -o eth1: Matches packets leaving via interface eth1
  • -j DROP: Drops matching packets silently; use REJECT instead if the local process should get an immediate error rather than a timeout
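The rules above and the production list earlier on this page (loopback, the OUTPUT rule, logging, IPv6) are shown as separate one-off commands. The script below is an added example written for this article, not code from the original page: it turns the same procedure into an idempotent, reviewable plan that covers both the OUTPUT chain (host-generated traffic) and the FORWARD chain (routed traffic), adds rate-limited logging, and repeats everything with ip6tables. The interface name eth1 and the chain name prefix BLOCK_OUT_ are assumed placeholders.

```shell
#!/bin/sh
# Isolate one NIC for outbound traffic: packets this host generates (OUTPUT chain)
# and packets it routes out of the interface (FORWARD chain), IPv4 and IPv6,
# with rate-limited logging before the drop.
# Added example written for this article; not from the original page.
# Assumptions: "eth1" and the chain name prefix BLOCK_OUT_ are placeholders.

# Print the commands that isolate interface $1 for one address family
# ($2 is iptables or ip6tables). Nothing is executed here, so the plan can be
# reviewed first. Every command is safe to re-run: -N only creates the chain
# when it is missing, -F empties our own chain (never a built-in one), and each
# jump is inserted at position 1 only when -C (--check) reports it absent.
# Position 1 matters: an earlier "ESTABLISHED,RELATED -j ACCEPT" rule would
# otherwise let reply traffic out through the interface.
block_nic_commands() {
    iface="$1"; ipt="$2"; chain="BLOCK_OUT_$iface"
    cat <<EOF
$ipt -N $chain 2>/dev/null || true
$ipt -F $chain
$ipt -A $chain -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "blocked out $iface: "
$ipt -A $chain -j DROP
$ipt -C OUTPUT -o $iface -j $chain 2>/dev/null || $ipt -I OUTPUT 1 -o $iface -j $chain
$ipt -C FORWARD -o $iface -j $chain 2>/dev/null || $ipt -I FORWARD 1 -o $iface -j $chain
EOF
}

# Full plan for both address families. Loopback needs no special handling:
# "-o eth1" never matches packets leaving via lo.
block_nic_plan() {
    block_nic_commands "$1" iptables
    block_nic_commands "$1" ip6tables
}

# Apply the plan (requires root). Running it through "sh -e" aborts on the
# first failing command instead of leaving a half-applied rule set.
block_nic_apply() {
    block_nic_plan "$1" | sh -e
}

# Undo the isolation: remove the jumps, then flush and delete our chain.
block_nic_remove() {
    iface="$1"; chain="BLOCK_OUT_$iface"
    for ipt in iptables ip6tables; do
        "$ipt" -D OUTPUT -o "$iface" -j "$chain" 2>/dev/null || true
        "$ipt" -D FORWARD -o "$iface" -j "$chain" 2>/dev/null || true
        "$ipt" -F "$chain" 2>/dev/null && "$ipt" -X "$chain"
    done
}

# Usage: ./block_nic.sh plan eth1   (print the commands)
#        ./block_nic.sh apply eth1  (run them, as root)
#        ./block_nic.sh remove eth1 (take the rules out again)
case "${1:-plan}" in
    apply)  block_nic_apply  "${2:-eth1}" ;;
    remove) block_nic_remove "${2:-eth1}" ;;
    *)      block_nic_plan   "${2:-eth1}" ;;
esac
```

Run the plan mode first and read the output: it is exactly the sequence of iptables commands that apply mode will execute, so the rule set can be reviewed or checked into a repository before it touches a live host. After applying, `iptables -S OUTPUT` and `iptables -S FORWARD` should each show the jump as their first rule.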

These rules will be lost after reboot. To make them permanent:

# For Debian/Ubuntu: install iptables-persistent and save into the files it restores at boot
apt install iptables-persistent
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

# The older ifupdown approach also works, but only when the interface is managed by
# /etc/network/interfaces (not netplan or NetworkManager) and the line sits inside
# the iface stanza for that interface rather than being appended to the end of the file:
#   pre-up iptables-restore < /etc/iptables.rules

# For RHEL/CentOS (with iptables-services installed and firewalld disabled):
service iptables save

Check if your rules are active. The -v flag is needed: without it the in/out interface columns are hidden and the rule looks as if it matched all traffic:

iptables -L OUTPUT -v -n

You should see a line like:

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

The pkts and bytes counters grow as traffic is blocked. For a grep-friendly view, iptables -S OUTPUT prints the same rule in command form as -A OUTPUT -o eth1 -j DROP.

If using newer Linux distributions with nftables, note that the following only works when the ip filter table and its OUTPUT chain already exist, which is the case when the iptables-nft compatibility layer created them:

nft add rule ip filter OUTPUT oifname "eth1" drop

On a native nftables setup nothing exists by default, so create a table and a base chain attached to the output hook first. The inet family covers IPv4 and IPv6 with one rule:

nft add table inet filter
nft 'add chain inet filter output { type filter hook output priority 0; policy accept; }'
nft add rule inet filter output oifname "eth1" drop
nft list chain inet filter output
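For the nftables case, the following is an added example written for this article rather than code from the original page. It generates a self-contained nftables ruleset file equivalent to the iptables rules above: one inet table (IPv4 and IPv6) with base chains on both the output hook (host-generated traffic) and the forward hook (routed traffic), rate-limited logging, then drop. The table name block_<iface> and the interface eth1 are assumed placeholders.

```shell
#!/bin/sh
# Native nftables equivalent of the iptables rules: one inet table with base
# chains on the output hook (host-generated traffic) and the forward hook
# (routed traffic), rate-limited logging, then drop.
# Added example written for this article; not from the original page.
# Assumptions: table name block_<iface> and interface "eth1" are placeholders.

# Print the ruleset for interface $1. The "add table" / "delete table" pair at
# the top makes re-applying idempotent: "add" is a no-op if the table exists,
# "delete" then removes it, and the block recreates it from scratch, so rules
# are never appended twice and nothing outside our own table is touched.
nft_block_ruleset() {
    iface="$1"; table="block_$iface"
    cat <<EOF
add table inet $table
delete table inet $table
table inet $table {
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "$iface" limit rate 5/minute burst 10 packets log prefix "blocked out $iface: "
        oifname "$iface" drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        oifname "$iface" limit rate 5/minute burst 10 packets log prefix "blocked fwd $iface: "
        oifname "$iface" drop
    }
}
EOF
}

# Syntax-check the ruleset without loading it (nft -c), then load it.
# Loading requires root; "-f -" reads the ruleset from stdin.
nft_block_apply() {
    nft_block_ruleset "$1" | nft -c -f - && nft_block_ruleset "$1" | nft -f -
}

# Show what the kernel actually holds for this interface, and remove it again.
nft_block_show()   { nft list table inet "block_$1"; }
nft_block_remove() { nft delete table inet "block_$1"; }

# Usage: ./nft_block.sh print eth1 | apply eth1 | show eth1 | remove eth1
case "${1:-print}" in
    apply)  nft_block_apply   "${2:-eth1}" ;;
    show)   nft_block_show    "${2:-eth1}" ;;
    remove) nft_block_remove  "${2:-eth1}" ;;
    *)      nft_block_ruleset "${2:-eth1}" ;;
esac
```

Because the rules live in their own table, removing the isolation is a single `nft delete table`, and other tables (for example one managed by firewalld in nftables mode) are left alone. Add `counter` before `drop` if you want per-rule packet counts in the `show` output.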