Loading ...Linux Iptables: How to specify a range of IP addresses or ports
Someone recently asked me a question:
How can I save time and script size by specifying a range of IP addresses or ports using iptables?
In old version of iptables IP address ranges are only valid in the nat table (see below for example). However newer version does support option that allows you to specify a range of IP addresses or ports for regular tables such as input.
Iptables set range of IP addresses
You need to use following options with match extensions (-m Ext).
iprange : This matches on a given arbitrary range of IPv4 addresses.
- [!]--src-range ip-ip: Match source IP in the specified range.
- [!]--dst-range ip-ip: Match destination IP in the specified range.
Syntax:
-m iprange --src-range IP-IP -j ACTION
-m iprange --dst-range IP-IP -j ACTION
For example, allow incoming request on a port 22 for source IP in the 192.168.1.100-192.168.1.200 range only. You need to add something as follows to your iptables script:
iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
Port range
if --protocol tcp (-p tcp) is specified, you can specify source port range with following syntax:
- --source-port port:port
- --sport port:port
And destination port range specification with following option :
- --destination-port port:port
- --dport port:port
For example block lock all incoming ssh access at port 22, for source port range 513:65535:
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP
On the other hand, just allow incoming ssh request with following port range:
iptables -A INPUT -p tcp -s 0/0 -d 195.55.55.78 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -s 195.55.55.78 -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
NAT table - range option
If you are using NAT table use options --to-source and --to-destination. For example IP address range:
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.100-192.168.1.200
ALTERNATIVELY, try range of ports:
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.100:2000-3000
Read man page of iptables for more information.
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in other helpful articles:
- Best Linux / UNIX Posts of 2007: Part ~ III
- Force apache webserver to listen on all addresses except one ip address
- Linux Iptables Avoid IP Spoofing And Bad Addresses Attacks
- New Web based frontend for OpenBSD ports
- Linux Iptables open Bittorrent tcp ports 6881 to 6889
Discussion on This Article:
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: iprange, iptables_command, iptables_script, ip_address_ranges, nat
Not that much elaborate. can explain deep about SNAT and DNAT