Using Address Ranges and Port Ranges with Iptables

Iptables is the name of the firewall built into the Linux kernel. It is also the tool used for firewall configuration. This post explains how to use iptables with a range of IP addresses and/or ports. It could be used, for example, to allow SSH traffic from a number of systems. Or to open up a range of ports with a single firewall rule.

Note: This article is not about blacklisting. If you are looking to set up a blacklist, perhaps to protect your server from a number of unrelated IP addresses, my related procedure on how to protect your webserver with IPset might be more appropriate.

The Linux firewall (part of the Netfilter project) is important on Internet facing systems, “edge” servers and “jump” boxes. Particularly when they do not sit behind another protective network element such as a load balancer or discrete firewall. For example, standaline cloud instances that are not part of a protected VPC infrastructure.

The follwing examples all apply to the OUTPUT table, but the range syntax is the same whatever table is being configured (INPUT, OUTPUT etc.).

Example 1. Specifying a Single Target Server and Port (no ranges)
Allow outbound access to a single target server (192.168.0.23) on port 22. The local system is then allowed to SSH to the remote server:

# iptables -A OUTPUT -p tcp --dport 22 --dst 192.168.0.23 -m state --state NEW -j ACCEPT

Example 2. Using an IP Address Range
Allow outbound SSH again. This time the single remote server is replaced with a range of 31 IP addresses, using the iprange module.

# iptables -A OUTPUT -p tcp --dport 22 -m iprange --dst-range 192.168.0.23-192.168.0.63 -m state --state NEW -j ACCEPT

Example 3. Using a Subnet.
If the goal is to block or allow a whole subnet, you can just use a network spec with the –dst flag, rather than specifying a range.

# iptables -A OUTPUT -p tcp --dport 22 --dst 192.168.1.0/24 -m state --state NEW -j ACCEPT

Example 4. Specifying a Port Range.
Instead of allowing just one port (the SSH port, 22), the next example includes a port range. Port 22 will not be opened by this rule, but 50 other ports will be, using the multiport module. The “–dport 22” spec is removed, as our port range replaces the single port. The destination is again a single server, as in Example 1 (“–dst 192.168.0.23”).

# iptables -A OUTPUT -p tcp -m multiport --dports 4000:4049 --dst 192.168.0.23 -m state --state NEW -j ACCEPT

Example 5. Combinations of Port and IP Ranges

Use the iprange and multiport modules together:

# iptables -A OUTPUT -p tcp -m multiport --dports 60000:61000 -m iprange --dst-range 192.168.1.23-192.168.1.63 -m state --state NEW -j ACCEPT

Note

The examples above refer to the OUTPUT table, because outbound connections are being controlled. Blocking inbound traffic is more common, but controlling outbound access is also important. For example, you might allow users into your server from the Internet, but also stop them from making unrestrained onward connections. If the server were compromised, it would then be more difficult for intruders to use the system as a basis for DDOS attacks or coordinated bot activity).

One thought on “Using Address Ranges and Port Ranges with Iptables

  1. Pingback: Protect Your Web Server With Ipset | Unix etc.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.