Linux Iptables: How to specify a range of IP addresses or ports

by on September 18, 2006 · 9 comments· LAST UPDATED September 26, 2007

in , ,

Someone recently asked me a question:

How can I save time and script size by specifying a range of IP addresses or ports using iptables?

In old version of iptables IP address ranges are only valid in the nat table (see below for example). However newer version does support option that allows you to specify a range of IP addresses or ports for regular tables such as input.

Iptables set range of IP addresses

You need to use following options with match extensions (-m Ext).

iprange : This matches on a given arbitrary range of IPv4 addresses.

  • [!]--src-range ip-ip: Match source IP in the specified range.
  • [!]--dst-range ip-ip: Match destination IP in the specified range.

Syntax:

-m iprange --src-range IP-IP -j ACTION
-m iprange --dst-range IP-IP -j ACTION

For example, allow incoming request on a port 22 for source IP in the 192.168.1.100-192.168.1.200 range only. You need to add something as follows to your iptables script:

iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT  

Port range

if --protocol tcp (-p tcp) is specified, you can specify source port range with following syntax:

  • --source-port port:port
  • --sport port:port

And destination port range specification with following option :

  • --destination-port port:port
  • --dport port:port

For example block lock all incoming ssh access at port 22, for source port range 513:65535:

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP

On the other hand, just allow incoming ssh request with following port range:

iptables -A INPUT -p tcp -s 0/0 -d 195.55.55.78 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 195.55.55.78 -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

NAT table - range option

If you are using NAT table use options --to-source and --to-destination. For example IP address range:

iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.100-192.168.1.200

ALTERNATIVELY, try range of ports:

iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.100:2000-3000

Read man page of iptables for more information.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 9 comments… read them below or add one }

1 Sathish Kumar May 11, 2007 at 8:07 am

Not that much elaborate. can explain deep about SNAT and DNAT

Reply

2 abhinav narain May 5, 2009 at 3:47 am

was useful for basic information i was searching for

Reply

3 Malte September 14, 2009 at 11:40 am

this was exactly what i was looking for! thx a lot!

Reply

4 karthikeyan April 2, 2010 at 6:03 pm

For beginners this site is very use full.Through this site i had learn more things…
thanks for nixcraft

Reply

5 bourvill February 6, 2012 at 9:17 pm

Hey! Thx for your tip’s!

Reply

6 manjeet September 6, 2012 at 12:14 pm

Can anyone help on IPTables

I have this rule on my Linux(radhat) IPTables
iptables -I INPUT -p tcp –syn –dport 22 -m state –state NEW,ESTABLISHED -m recent –set -j ACCEPT
iptables -I INPUT -p tcp –syn –dport 22 -m state –state NEW -m recent –update –seconds 60 –hitcount 3 -j REJECT –reject-with tcp-reset

but its not seems to restect per source IP address can you please update this rule for Per source IP

Reply

7 amir September 2, 2013 at 1:20 pm

nope.

iptables-restore v1.4.4: unknown option `–src-range’

Reply

8 Alex June 26, 2014 at 7:15 pm

Thank you very much! This is exactly what I need!

Reply

9 Anthony November 4, 2014 at 11:31 pm

Do you really need “–src-range ip-ip” anymore? If you just specify it like this: 192.168.1.0/24, this would do the whole /24 range of IPs correct or is that just in CentOS?

Reply

Leave a Comment

Tagged as: , , , ,

Previous post:

Next post: