How to Check if an IP Address is Blocked on Linux

When troubleshooting network connectivity issues or managing server security, you may need to verify whether a specific IP address is being blocked by your Linux server. This guide covers the most common methods to check for IP blocks across different firewall and security tools.

Checking iptables Rules

If your server uses iptables as its firewall, you can search for the IP address in the firewall rules:

# Search all chains for a specific IP
sudo iptables -L -n -v | grep 203.0.113.50

# Check the INPUT chain specifically
sudo iptables -L INPUT -n -v | grep 203.0.113.50

# List all rules in a more parseable format
sudo iptables -S | grep 203.0.113.50

The -n flag shows numeric addresses without DNS resolution, -v provides verbose output with packet counts, and -S displays rules in a format similar to how they were added.

Checking nftables Rules

For systems using nftables (the successor to iptables):

# List entire ruleset and search for IP
sudo nft list ruleset | grep 203.0.113.50

Checking firewalld

If you're using firewalld (common on RHEL/CentOS/Fedora):

# Check all firewall rules
sudo firewall-cmd --list-all | grep 203.0.113.50

# Check rich rules specifically
sudo firewall-cmd --list-rich-rules | grep 203.0.113.50

# Check direct rules
sudo firewall-cmd --direct --get-all-rules | grep 203.0.113.50

Checking Fail2Ban

Fail2Ban automatically blocks IPs after repeated failed login attempts. To check if an IP is banned:

# See all active jails
sudo fail2ban-client status

# Check a specific jail (e.g., sshd)
sudo fail2ban-client status sshd

# Search for a specific IP in a jail
sudo fail2ban-client status sshd | grep 203.0.113.50

# Get all banned IPs (Fail2Ban 0.11+)
sudo fail2ban-client banned

To unban an IP from Fail2Ban:

sudo fail2ban-client set sshd unbanip 203.0.113.50

Checking TCP Wrappers

Older systems may use TCP Wrappers for access control:

# Check hosts.deny
grep 203.0.113.50 /etc/hosts.deny

# Check hosts.allow
grep 203.0.113.50 /etc/hosts.allow

Checking CSF (ConfigServer Security & Firewall)

If you're running CSF:

# Check if an IP is blocked
sudo csf -g 203.0.113.50

# Search the deny list
grep 203.0.113.50 /etc/csf/csf.deny

# Search temporary blocks
grep 203.0.113.50 /var/lib/csf/csf.tempban

Testing Connectivity

To verify whether an IP can actually connect to your server, test from the client side:

# Test a specific port with netcat
nc -zv yourserver.com 22

# Test with telnet
telnet yourserver.com 22

# Test HTTP/HTTPS
curl -v http://yourserver.com

If the connection times out or is refused immediately, the IP may be blocked.

Checking System Logs

Don't forget to check your system logs for blocking events:

# Check firewall logs (location varies by distribution)
sudo grep "203.0.113.50" /var/log/syslog
sudo grep "203.0.113.50" /var/log/messages

# Check kernel logs for dropped packets
sudo dmesg | grep "203.0.113.50"

# For systemd-based systems
sudo journalctl | grep "203.0.113.50"

Quick Reference Table

Tool	Check Command
iptables	sudo iptables -L -n -v \| grep <IP>
nftables	sudo nft list ruleset \| grep <IP>
firewalld	sudo firewall-cmd --list-all \| grep <IP>
Fail2Ban	sudo fail2ban-client status <jail>
TCP Wrappers	grep <IP> /etc/hosts.deny
CSF	sudo csf -g <IP>

Conclusion

The method you use depends on your server's security configuration. Most modern Linux distributions use either iptables/nftables or firewalld as their primary firewall, often combined with Fail2Ban for intrusion prevention. Start by identifying which firewall system your server uses, then apply the appropriate commands from this guide.