Using Address Ranges and Port Ranges with Iptables

Iptables is the name of the firewall built into the Linux kernel. It is also the tool used for firewall configuration. This post explains how to use iptables with a range of IP addresses and/or ports. It could be used, for example, to allow SSH traffic from a number of systems. Or to open up a range of ports with a single firewall rule.

The Linux firewall (part of the Netfilter project) is important on Internet-facing systems, “edge” servers and “jump” boxes, particularly when they do not sit behind another protective network element such as a load balancer or discrete firewall: for example, standalone cloud instances that are not part of a protected VPC infrastructure.

The following examples all apply to the OUTPUT chain (of the default filter table), but the range syntax is the same whichever chain is being configured (INPUT, OUTPUT etc.).

Example 1. Specifying a Single Target Server and Port (no ranges)
Allow outbound access to a single target server (192.168.0.23) on port 22. The local system is then allowed to SSH to the remote server:

# iptables -A OUTPUT -p tcp --dport 22 --dst 192.168.0.23 -m state --state NEW -j ACCEPT
Example 2. Using an IP Address Range
Allow outbound SSH again. This time the single remote server is replaced with a range of 31 IP addresses, using the iprange module.

# iptables -A OUTPUT -p tcp --dport 22 -m iprange --dst-range 192.168.0.23-192.168.0.63 -m state --state NEW -j ACCEPT
Example 3. Using a Subnet.
If the goal is to block or allow a whole subnet, you can just use a network spec (CIDR notation) with the --dst flag, rather than specifying a range.

# iptables -A OUTPUT -p tcp --dport 22 --dst 192.168.1.0/24 -m state --state NEW -j ACCEPT

Note: If you want to block or allow a list of IP addresses, rather than a contiguous range, see my accompanying article on protecting your web server with ipset.
Example 4. Specifying a Port Range.
Instead of allowing just one port (the SSH port, 22), the next example includes a port range. Port 22 will not be opened by this rule, but 50 other ports will be, using the multiport module. The “--dport 22” spec is removed, as our port range replaces the single port. The destination is again a single server, as in Example 1 (“--dst 192.168.0.23”). (A single contiguous range can also be written as “--dport 4000:4049” without multiport; multiport is what lets you list several ports or ranges, up to 15 port numbers, in one rule.)

# iptables -A OUTPUT -p tcp -m multiport --dports 4000:4049 --dst 192.168.0.23 -m state --state NEW -j ACCEPT
Example 5. Combinations of Port and IP Ranges

Use the iprange and multiport modules together:

# iptables -A OUTPUT -p tcp -m multiport --dports 60000:61000 -m iprange --dst-range 192.168.1.23-192.168.1.63 -m state --state NEW -j ACCEPT
Note

The examples above refer to the OUTPUT chain, because outbound connections are being controlled. Blocking inbound traffic is more common, but controlling outbound access is also important. For example, you might allow users into your server from the Internet, but also stop them from making unrestrained onward connections. If the server were compromised, it would then be more difficult for intruders to use the system as a basis for DDoS attacks or coordinated bot activity.
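As an added example (not from the original post), here are the range rules from Examples 2 and 4 assembled into the kind of default-deny outbound policy this note describes, with logging of anything the policy drops. The resolver address, the log prefix and the IPTABLES override variable are assumptions; setting IPTABLES to the included stub lets you review the rule list without touching the kernel.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds an outbound
# allow-list on the OUTPUT chain. Addresses, ports and the log prefix
# are assumed values; IPTABLES may be pointed at a stub for a dry run.
IPTABLES="${IPTABLES:-iptables}"

apply_outbound_policy() {
    # Start from an empty OUTPUT chain and deny everything not allowed below.
    "$IPTABLES" -F OUTPUT
    "$IPTABLES" -P OUTPUT DROP
    # Loopback and replies to already-accepted connections must keep working,
    # otherwise inbound services (including the SSH session you are on) break.
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS to one specific resolver only (assumed address).
    "$IPTABLES" -A OUTPUT -p udp --dport 53 --dst 192.168.0.2 -m state --state NEW -j ACCEPT
    # SSH to the address range from Example 2 (iprange module).
    "$IPTABLES" -A OUTPUT -p tcp --dport 22 -m iprange --dst-range 192.168.0.23-192.168.0.63 -m state --state NEW -j ACCEPT
    # The port range to a single host from Example 4 (multiport module).
    "$IPTABLES" -A OUTPUT -p tcp -m multiport --dports 4000:4049 --dst 192.168.0.23 -m state --state NEW -j ACCEPT
    # Rate-limited log of anything else before the DROP policy discards it,
    # so unexpected onward connections show up in syslog.
    "$IPTABLES" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
}

# Stub that prints each iptables invocation instead of running it.
iptables_stub() { printf '%s\n' "$*"; }

# Print the rules the policy would install, one per line, without root.
dry_run_rules() {
    IPTABLES=iptables_stub
    apply_outbound_policy
}
```

Run `dry_run_rules` first and check the printed list; run `apply_outbound_policy` as root only once the list is what you expect.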
