How to use or specify multiple IP addresses in iptables source or destination on Linux

Author: Vivek Gite Last updated: June 29, 2017 3 comments
I need to specific multiple IP address in iptables using Linux script. How do I create a rule that uses multiple source or destination IP addresses ?

You can set multiple source (-s or --source or destination (-d or --destination) IP ranges using the following easy to use syntax.

This tutorial shows you how to use multiple IP address in source or destination with IPtables on Linux.

How to add multiple sources in a single iptables command

The syntax is:
iptables -A INPUT -s ip1,ip2,ip3 -j ACCEPT
iptables -A INPUT -s ip1,ip2,ip3 -j DROP
iptables -I INPUT -s ip1,ip2,ip3 -d ip2 -j DROP
To accept 92.168.1.5 and 192.168.2.6, run:
iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -j ACCEPT
Another example:
iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -p tcp --dport 443 -j ACCEPT
In this example DROP packets for port 80 for two ip address:
iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -p tcp --dport 80 -j DROP
In this example forward traffic to internal hosts for two source ip address:
source="139.59.1.155,23.239.7.187"
dest="104.20.187.5"
port=443
redirect="10.105.28.43:443"
iptables -A PREROUTING -s ${source} -d ${dest} -p tcp --dport ${port} -j DNAT --to-destination ${redirect}
It is possible to drop given IP address using a new chain as follows:

#!/bin/bash
_input="/root/block.ip.address.list.txt"
IPT=/sbin/iptables
$IPT -N droplist
egrep -v "^#|^$" x | while IFS= read -r ip
do
	$IPT -A droplist -i eth1 -s $ip -j LOG --log-prefix " myBad IP BlockList  "
	$IPT -A droplist -i eth1 -s $ip -j DROP
done < "$_input"
# Drop it 
$IPT -I INPUT -j droplist
$IPT -I OUTPUT -j droplist
$IPT -I FORWARD -j droplist

How to add multiple destination in a single iptables command

The syntax is:
iptables -A INPUT -d ip1,ip2,ip3 -j ACCEPT
iptables -A INPUT -d ip1,ip2,ip3 -j DROP
iptables -I INPUT -d ip1,ip2,ip3 -s ip2 -j DROP
Some examples:
iptables -A INPUT -d 192.168.1.5,192.168.1.6 -j ACCEPT
iptables -A INPUT -d 192.168.1.5,192.168.1.6 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -d 192.168.1.5,192.168.1.6 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
To view added rule run:
iptables -t filter -L INPUT -n -v
Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5632 6156K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    80 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  553  128K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  553  128K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  553  128K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  551  128K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.5          tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.6          tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.5          tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.6          tcp dpt:22
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.5         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.6         
    0     0 ACCEPT     tcp  --  *      *       192.168.1.5          192.168.1.254        tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       192.168.2.6          192.168.1.254        tcp dpt:443

A note about user defined chain

It is possible to create a new user-defined chain as follows:
iptables -N ALLOWED
iptables -A ALLOWED -d 127.0.0.0/8 -j RETURN
iptables -A ALLOWED -d 192.168.1.0/24 -j RETURN
iptables -A ALLOWED -d 205.54.1.5 -j RETURN
iptables -A INPUT -j ALLOWED
See iptables man page for more info:
$ man iptables


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 3 comments so far... add one

Related Tutorials
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
3 comments… add one
  • Frank Jun 29, 2017 @ 15:12

    man: ipset
    man: iptables-extension , search for ‘set’

    Also, sets can be given names so you also would benefit from knowing what a list of addresses is suposed to be.

    Reply Link
  • Anastasis Jun 29, 2017 @ 19:42

    I would definitely prefer ipsets for managing groups of IPs

    Reply Link
  • Jouni "rautamiekka" Jrvinen Jun 30, 2017 @ 11:02

    Speaking of ipset, I recall reading they’re faster than iptables.

    Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Problem posting comment? Email me @ webmaster@cyberciti.biz

Next FAQ:

Previous FAQ:

FEATURED ARTICLES

Sign up for my newsletter