Someone recently asked me a question:
How can I save time and script size by specifying a range of IP addresses or ports using iptables?
In older versions of iptables, IP address ranges are only valid in the nat table (see the example below). Newer versions, however, support an option that allows you to specify a range of IP addresses or ports in regular tables such as INPUT.
Iptables set range of IP addresses
You need to use the following options with a match extension (-m Ext).
iprange: This matches on a given arbitrary range of IPv4 addresses.
- [!]--src-range ip-ip: Match source IP in the specified range.
- [!]--dst-range ip-ip: Match destination IP in the specified range.
Syntax:
-m iprange --src-range IP-IP -j ACTION
-m iprange --dst-range IP-IP -j ACTION
For example, to allow incoming requests on port 22 only from source IPs in the 192.168.1.100-192.168.1.200 range, add something like the following to your iptables script:
iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
Port range
If --protocol tcp (-p tcp) is specified, you can specify a source port range with the following syntax:
- --source-port port:port
- --sport port:port
And a destination port range with one of the following options:
- --destination-port port:port
- --dport port:port
For example, to block all incoming ssh access on port 22 for the source port range 513:65535:
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP
On the other hand, to allow only incoming ssh requests with that source port range (and the matching replies on the way out):
iptables -A INPUT -p tcp -s 0/0 -d 195.55.55.78 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 195.55.55.78 -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
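The iprange and port-range matches above combined into one small ruleset, as an added example that is not part of the original post. It assumes a constructed management range and server address, and runs in dry-run mode (printing the rules instead of applying them) unless DRY_RUN=0 is set, so it can be checked without root.

```shell
#!/bin/sh
# Added example: SSH reachable only from a management IP range, with the
# source/destination port ranges from the post. DRY_RUN=1 prints rules only.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

# Constructed values (assumptions, not from the post's network).
MGMT_RANGE="192.168.1.100-192.168.1.200"
SERVER_IP="195.55.55.78"

# run: print the rule in dry-run mode, otherwise hand it to iptables.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# ssh_rules: emit the rule set, one rule per line on stdout.
ssh_rules() {
    # 1. New SSH connections are accepted only from the management range
    #    (iprange match, as in the post's first example).
    run -A INPUT -p tcp --dport 22 -m iprange --src-range "$MGMT_RANGE" \
        -m state --state NEW -j ACCEPT
    # 2. Established sessions: client ephemeral ports fall in 513:65535.
    #    This is a sanity check only; a client chooses its own source port,
    #    so it is not an access control. The iprange rule above is.
    run -A INPUT -p tcp -d "$SERVER_IP" --sport 513:65535 --dport 22 \
        -m state --state ESTABLISHED -j ACCEPT
    run -A OUTPUT -p tcp -s "$SERVER_IP" --sport 22 --dport 513:65535 \
        -m state --state ESTABLISHED -j ACCEPT
    # 3. Any other traffic to port 22 is dropped.
    run -A INPUT -p tcp --dport 22 -j DROP
}

# rule_count: number of rules the set produces (quick self-check).
rule_count() { ssh_rules | wc -l | tr -d ' '; }

ssh_rules
```

Review the printed rules, then re-run with DRY_RUN=0 as root to apply them.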
NAT table - range option
If you are using the NAT table, use the options --to-source and --to-destination. For example, an IP address range:
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.100-192.168.1.200
Alternatively, try a range of ports:
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.100:2000-3000
Read the iptables man page for more information.
Not that elaborate. Can you explain SNAT and DNAT in more depth?
was useful for basic information i was searching for
this was exactly what i was looking for! thx a lot!
For beginners this site is very useful. Through this site I have learned more things…
thanks for nixcraft
Hey! Thx for your tips!
Can anyone help on IPTables
I have this rule on my Linux (Red Hat) iptables:
iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --syn --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
but it does not seem to restrict per source IP address. Can you please update this rule for per source IP?