How to deny traffic safely

Topic: Networking basics

Summary

Deny specific traffic (by port, source, or protocol) without breaking admin access or established connections. Add deny rules after allow rules for required traffic; use default-deny for inbound when possible. Use this when you need to block a port or a hostile source while keeping the host manageable.

Intent: How-to

Quick answer

  • Allow required traffic first (SSH, established/related); then add deny rules for the port or source you want to block. Rule order matters: first match wins; put deny after allow for required ports so you do not lock yourself out.
  • Deny a port: ufw deny 23/tcp or nft add rule inet filter input tcp dport 23 drop. Deny a source: ufw deny from 1.2.3.4 or match on saddr in nft/iptables. Use drop (silent discard) or reject (answers with a TCP RST or ICMP unreachable) depending on policy.
  • Default deny: set default policy to drop on INPUT so any traffic not explicitly allowed is dropped; then you only add allow rules. Test in a second session before closing the first.

Prerequisites

Steps

  1. Keep required traffic allowed

    Ensure allow rules for SSH (or admin port) and established/related are in place and evaluated before any deny or default drop. Do not add a deny that matches your admin port or source.

  2. Add a deny rule

    UFW: ufw deny 23/tcp (block telnet); ufw deny from 1.2.3.4. nftables: nft add rule inet filter input tcp dport 23 drop; or nft add rule inet filter input ip saddr 1.2.3.4 drop. Place after allow rules.

  3. Choose drop vs reject

    Drop: packet is discarded; sender sees timeout. Reject: sender gets RST or ICMP unreachable. Drop is often preferred so scanners see no response; use reject if you want faster failure for clients.

  4. Use default deny for inbound

    Set INPUT default policy to drop (or deny); then the only inbound traffic allowed is what you explicitly allow. Add allow for SSH and any services; everything else is denied. Test from a second session.

Summary

Deny traffic by adding rules that drop or reject specific ports or sources, after allow rules for required traffic. Prefer a default-deny policy for inbound so only explicitly allowed traffic is accepted. Use this to block unwanted ports or hosts without losing admin access.

Prerequisites

Steps

Step 1: Keep required traffic allowed

Allow SSH (or your admin port) and established/related before any deny or default drop. Avoid deny rules that match your admin port or your management IP.

Step 2: Add a deny rule

  • UFW: ufw deny 23/tcp or ufw deny from 1.2.3.4
  • nftables: nft add rule inet filter input tcp dport 23 drop or nft add rule inet filter input ip saddr 1.2.3.4 drop

Add these after your allow rules so required traffic is still permitted.

Step 3: Choose drop vs reject

  • drop: Packet is discarded; the sender sees a timeout. Often used to hide services.
  • reject: Sender gets RST (TCP) or ICMP unreachable. Use when you want clients to fail fast.

Step 4: Use default deny for inbound

Set the INPUT chain default policy to drop. Then only traffic matched by an allow rule is accepted. Add allow for SSH and needed services; test from a second session before closing the first.
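
The four steps above (and the Quick answer) carried out as one nftables ruleset file. This is an added example, not code from the page: it assumes the inet filter table and input chain names used in the page's commands, takes the admin port, the source to deny, the port to deny and the verdict as arguments, and the sample values (port 22, 203.0.113.7, port 23) are constructed.

```shell
#!/bin/sh
# Added example, not from the page: write an nftables ruleset (the text
# format `nft -f` loads) that applies Steps 1-4 in the order the page
# prescribes. Arguments: admin port, source address to deny, port to deny,
# and the verdict for the denied port (drop or reject).
gen_ruleset() {
    admin_port="$1"; deny_src="$2"; deny_port="$3"; mode="${4:-drop}"

    case "$mode" in
        drop)
            port_verdict="drop" ;;
        reject)
            # "reject with tcp reset" answers a RST; a bare "reject" would
            # send ICMP port-unreachable instead
            port_verdict="reject with tcp reset" ;;
        *)
            echo "gen_ruleset: verdict must be drop or reject, got '$mode'" >&2
            return 2 ;;
    esac

    cat <<EOF
# flush ruleset replaces every table (nat included); remove this line if
# other tables on the host must survive
flush ruleset
table inet filter {
    chain input {
        # Step 4: default deny; anything not accepted below is dropped
        type filter hook input priority 0; policy drop;

        # Step 1: required traffic, evaluated before any deny rule
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport $admin_port accept

        # Step 2: explicit deny rules, placed after the accepts above.
        # ip saddr matches IPv4 only; an IPv6 source needs ip6 saddr.
        # Because the admin accept is earlier, this source can still reach
        # port $admin_port; move the rule above that accept only if the
        # source is certainly not your own management address.
        ip saddr $deny_src drop
        # Step 3: with policy drop an explicit port drop is redundant;
        # reject is the case where this rule changes what the client sees
        tcp dport $deny_port $port_verdict
    }
}
EOF
}

# Stand-alone demo with constructed values: SSH as admin port, a source
# from the documentation range, telnet rejected with a RST.
gen_ruleset 22 203.0.113.7 23 reject
```

Write the output to a file, syntax-check it with nft -c -f rules.nft, then load it with nft -f rules.nft while a second session stays open, as Step 4 advises. The same first-match ordering applies to ufw, where rules are evaluated in the order shown by ufw status numbered.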

Verification

  • Denied port or source cannot connect; SSH and allowed services still work; default policy is drop and only intended traffic is allowed.

Troubleshooting

Blocked yourself — Deny rule or default policy matched your admin traffic; use console to add allow for SSH and reload, or temporarily disable the firewall and fix rule order.

Need to allow one IP but deny rest — Add allow from that IP first, then deny the rest (or use default deny and only allow that IP for the port).
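
A pre-load check for the two lockout cases in this section (a deny rule or catch-all evaluated ahead of the admin accept, and a deny rule that matches the management address), with the "allow one IP, then deny the rest" pattern as the good case. This is an added example, not code from the page; it assumes the ruleset is in nft -f text format and that the admin port and management address are passed as arguments. The sample rulesets and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the page: audit an nftables ruleset file before
# loading it, looking for the lockout conditions the troubleshooting notes
# describe. Assumed inputs: ruleset text in `nft -f` format, the admin port,
# and the management address you connect from.
# Exit status: 0 = no lockout risk found, 1 = at least one problem printed.
audit_ruleset() {
    awk -v port="$2" -v src="$3" '
        # skip comments and the chain header (its "policy drop" is not a rule)
        /^[[:space:]]*#/ || /policy/ { next }
        # remember the first rule that accepts the admin port
        index($0, "dport " port " accept") && !accept { accept = NR }
        # every other terminal deny verdict, except the invalid-state drop
        / (drop|reject)/ && !/ct state invalid/ {
            if (index($0, "saddr " src " "))
                { bad = 1; print "deny matches management address " src ": " $0 }
            else if (!accept && $0 !~ /saddr/)
                { bad = 1; print "deny evaluated before admin accept: " $0 }
        }
        END {
            if (!accept) { bad = 1; print "no accept rule for admin port " port }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Constructed sample rulesets (addresses from the documentation ranges).
# good: accept SSH from the one management IP first, then deny SSH for
# everyone else; the management IP is matched before the deny.
good=$(mktemp); bad=$(mktemp)
cat >"$good" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr 198.51.100.5 tcp dport 22 accept
        tcp dport 22 drop
        tcp dport 23 reject with tcp reset
    }
}
EOF
# bad: the source deny hits the management IP and a catch-all drop sits
# above the SSH accept, so the accept is never reached.
cat >"$bad" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ip saddr 198.51.100.5 drop
        drop
        tcp dport 22 accept
    }
}
EOF

audit_ruleset "$good" 22 198.51.100.5 && echo "good: safe to load" || echo "good: fix rule order first"
audit_ruleset "$bad" 22 198.51.100.5 && echo "bad: safe to load" || echo "bad: fix rule order first"
rm -f "$good" "$bad"
```

Run the audit on the file you are about to load; a non-zero exit with the printed reasons is the cue to reorder or remove the offending rule before nft -f, rather than discovering the lockout from a dead session.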

Next steps
