Home / server / Questions / 248384
Accepted
corsiKa
Asked: 2011-03-17 17:43:44 +0800 CST

Allow iptables to allow ip range only on specifc port

  • 772

In this question I see a line like this that will allow me to say "allow these ip addresses to connect"

iptables -A INPUT -m iprange --src-range 10.50.10.20-80 -j ACCEPT

Now, I want to further secure this so that this rule only applies to specific ports. I've been using a command like this for my regular ports:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Can I combine these two to make a specific port allowed only for a range, like this

iptables -A INPUT -m iprange --src-range 10.50.10.20-80 --dport 12345 -j ACCEPT

Obviously I'm hesitant to just make iptables calls willy-nilly. :) Thanks!

port iptables

3 Answers

  1. Best Answer

    The last line you have in there should work, you just need to make sure you have a -p protocol in there, as --dport doesn't work as a option on its own.

    iptables -A INPUT -m iprange --src-range 10.50.10.20-80 -p tcp --dport 12345 -j ACCEPT
    • 4

  2. Alternatively, install ipset and you will be able to change the list of IP addresses without messing your iptables rules:

    ipset -N AllowedSources ipmap --network 10.50.10.0/24
for i in $LIST_OF_ALLOWED_SOURCES; do ipset -A AllowedSources $i; done
iptables -A INPUT -m set --match-set AllowedSources src -p tcp --dport 12345 -j ACCEPT

    Now, if you need to add another allowed source:

    ipset -A AllowedSources a.b.c.d

    Or, you need to 'drop' a host from the allowed sources:

    ipset -D AllowedSources e.f.g.h

    You can save your sets:

    ipset --save > /etc/ipset.conf

    Which you can restore during boot, before you implement your iptables (or else, iptables will complain!):

    ipset --restore < /etc/ipset.conf

    You can even create an IP set that will match against source IP and destination port, e.g.:

    ipset -N AllowedAccess ipporthash --network 10.50.0.0/16
# These hosts may access port 12345
for i in $LIST_OF_ALLOWED_TO_12345; do ipset -A AllowedAccess $i,12345; done
# These hosts may access port 23456
for i in $LIST_OF_ALLOWED_TO_23456; do ipset -A AllowedAccess $i,23456; done
# These hosts may access port 34567
for i in $LIST_OF_ALLOWED_TO_34567; do ipset -A AllowedAccess $i,34567; done
# Now that the IP set has been created, we can use it in iptables
iptables -A INPUT -m set --match-set AllowedAccess src,dst -j ACCEPT
# Note that we use "src,dst", meaning that we want to match source IP, but
# destination port
# Also note, if you need to match against a single port, the ipmap method
# will be slightly faster.

    More on ipset: http://ipset.netfilter.org/

    If you are using Ubuntu, you can't install the ipset package from its repo. Use my tip: http://pepoluan.posterous.com/powertip-howto-install-ipset-on-ubuntu

    • 2

  3. You've got the basic idea right, you can combine them into one rule like that.

    However, despite what some answers say, you shouldn't use a range like 10.50.10.20-80 (it will expand to 10.50.10.20-80.0.0.0 - use the iptables command to check). You need to use the full IP address in the range e.g. 10.50.10.20-10.50.10.80.

    Also, if you specify a port number, you need to state a protocol that supports ports, so the revised rule would be:

    iptables -A INPUT -p tcp -m iprange --src-range 10.50.10.20-10.50.10.80 --dport 12345 -j ACCEPT

    Documentaion on iprange: https://www.frozentux.net/iptables-tutorial/chunkyhtml/x2702.html#TABLE.IPRANGEMATCH

    • 1