Insert the rule early in the chain. To determine where, I use this command: iptables -L INPUT -v -n --line-numbers You should put the new rule before rule 1, I think, so it takes effect before even the ESTABLISHED rule from the connection tracker. Use this: iptables -I INPUT 1 -s 59.64.128.0/19 -p TCP -j DROP If you think you'll build up a list of attackers, you can use an ipset, instead. I use firewalld for my own firewalls, which has integral support for saving and restoring ipsets. You can use a firewalld "direct" rule to insert an ipset-based ban before other rules in the INPUT chain.