Iptables: Invert IP, Protocol, Or Interface Test With !

How do I invert a protocol or ip address test while writing iptables based shell scripts?

The iptables command supports a ! (negation) operator: most match options can be preceded by ! to invert the sense of the match. Current iptables versions expect the ! before the option (! -p udp); older versions also accept it after the option (-p ! udp). A match can be:

  1. Source or destination IP address
  2. Interface name
  3. Protocol name, etc.

The following will match all protocols except UDP:

iptables -A INPUT ! -p udp

Address matches also accept an IP address range (CIDR notation), and they too can be inverted with the ! sign:

iptables -A INPUT -d -j DROP
iptables -A OUTPUT ! -d -j ACCEPT
# we trust so skip it
iptables -A OUTPUT ! -s -j DROP

The exclamation mark inverts the match, so the following rule matches when the source IP is anything except an address in the given range:

iptables -A INPUT ! -s -p tcp --dport 80 -j DROP

You can exclude your own IP address from a string match. Note that the |7F|ELF notation is hex, so it needs --hex-string rather than --string, and the string match requires an --algo argument:

iptables -A FORWARD -i eth0 -p tcp ! -s --sport 80 -m string --algo bm --hex-string '|7F|ELF' -j DROP

Accept port 22 traffic on all interfaces except eth1, which is connected to the Internet (the ! must be a separate word before -i; "-i !eth1" would be read as an interface literally named "!eth1"):

iptables -A INPUT ! -i eth1 -p tcp --dport 22 -j ACCEPT
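The rules above, gathered into a small script as an added example (this is not code from the original post or from any project). It uses the current "! -option value" placement for all three inverted match kinds discussed here (protocol, source address, input interface), and checks with iptables -C before appending so that re-running it does not duplicate rules. IPT defaults to "echo iptables", so the script is a dry run that only prints the commands it would issue; run it with IPT=iptables as root to load the rules. The addresses and interface names are constructed placeholders (192.0.2.0/24 is the RFC 5737 documentation range).

```shell
#!/bin/sh
# Added example, not code from the original post: build inverted iptables
# rules in the current "! -option value" form. IPT defaults to a dry run that
# prints the commands; set IPT=iptables (as root) to apply them for real.
# Addresses and interface names below are constructed placeholders.
set -eu

IPT="${IPT:-echo iptables}"
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # RFC 5737 documentation range
WAN_IF="${WAN_IF:-eth1}"

# apply CHAIN RULESPEC...: append the rule unless an identical one already
# exists (iptables -C), so re-running the script never duplicates rules.
# In dry-run mode the -C check is skipped and the command is only printed.
apply() {
    chain=$1; shift
    case "$IPT" in
        echo*) $IPT -A "$chain" "$@" ;;
        *)     $IPT -C "$chain" "$@" 2>/dev/null || $IPT -A "$chain" "$@" ;;
    esac
}

# not_proto CHAIN PROTO TARGET: match every protocol except PROTO
not_proto() { apply "$1" ! -p "$2" -j "$3"; }

# not_src CHAIN NET TARGET: match every source except NET (address or CIDR)
not_src() { apply "$1" ! -s "$2" -j "$3"; }

# not_iface CHAIN IFACE PORT TARGET: TCP to PORT on any interface except IFACE
not_iface() { apply "$1" ! -i "$2" -p tcp --dport "$3" -j "$4"; }

# drop_elf_except CHAIN IFACE NET: drop TCP payloads from source port 80 that
# carry an ELF header, unless they come from NET. |7F|ELF is hex notation, so
# it needs --hex-string, and the string match requires an --algo argument.
drop_elf_except() {
    apply "$1" -i "$2" -p tcp ! -s "$3" --sport 80 \
        -m string --algo bm --hex-string '|7F|ELF' -j DROP
}

# The rule set from the post, expressed with the helpers above.
not_proto INPUT udp DROP
not_src OUTPUT "$TRUSTED_NET" DROP
not_iface INPUT "$WAN_IF" 22 ACCEPT
drop_elf_except FORWARD eth0 "$TRUSTED_NET"
```

Run it once without arguments to see the exact iptables command lines it would issue; once they look right, re-run it with IPT=iptables. The -C check is what makes the script safe to run from cron or a provisioning tool without growing the chain on every invocation.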

Recommended readings:

man iptables

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.