How to add multiple IPs in one iptables command line? sudo iptables -A INPUT -p tcp --dport 22 ! -s 1.2.3.4 -j DROP

Question

Update:

I have tried sudo iptables -A INPUT -p tcp --dport 22 ! -s 1.2.3.4,11.22.33.44 -j DROP, Not working and it gives me an error

iptables v1.8.2 (nf_tables): ! not allowed with multiple source or destination IP addresses

For example, My goal is Only allow allow only 1.2.3.4 and 11.22.33.44 to connect the ssh(port 22) of my server.

And I prefer this approach/command rather than others.

sudo iptables -A INPUT -p tcp --dport 22 ! -s 1.2.3.4 -j DROP

But I don't know how to add another Allowed IP 11.22.33.44 in this command,

Could you give me a little bit help or tips?

Thanks.

Does this answer your question? [iptables multiple source IPs in single rule](https://serverfault.com/questions/6989/iptables-multiple-source-ips-in-single-rule) — NiKiZe, Aug 29 '21 at 18:27
NB: A default-allow input firewall is generally not considered good practice. — Michael Hampton, Aug 29 '21 at 18:47

ThatGraemeGuy · Answer 1 · 2021-08-29T21:17:20.163

6

You can use an IP set.

Depending on your distro you may need to install the ipset utility first.

#(For Debian and Debian-derived distros)
sudo apt install ipset-persistent

Then you create a set with a friendly name.

sudo ipset create ssh_friends iphash

Once you have a set, you can add IPs to it.

sudo ipset add ssh_friends 1.2.3.4
sudo ipset add ssh_friends 11.22.33.44

Now you can use the set you created in an iptables rule instead of individual IPs.

sudo iptables -A INPUT -p tcp --destination-port 22 -m set ! --match-set ssh_friends src -j DROP

edited Aug 29 '21 at 21:17

answered Aug 29 '21 at 18:44

ThatGraemeGuy

15,314
12
51
78

I think he wants the match inverted, though. – Michael Hampton Aug 29 '21 at 19:02
Ah, I mixed it up.... and forgot to restrict the rule to a specific port...... fixed! – ThatGraemeGuy Aug 29 '21 at 20:38
1

The ipset created is stored in memory and will be gone after reboot. Probably it is worth to point to package [ipset-persistent](https://packages.debian.org/bullseye/ipset-persistent) as well for debian-like distributions. So instead `apt install ipset` probably better `apt install ipset-persistent`. – Lutz Willek Aug 29 '21 at 21:05
Thanks @LutzWillek, updated! – ThatGraemeGuy Aug 29 '21 at 21:17

Lutz Willek · Accepted Answer · 2021-08-29T19:51:58.193

Defining multiple addresses using only one iptables command using ! --source is not possible.

A Address can be either a network name, a hostname (probably a really bad idea to use hostnames), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number.

You could consider to change the default ruleset from allow to drop. This would allow you to define based on only what should be allowed, i.e. similar like this:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
... your other rules goes here ...
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 1.2.3.4,11.22.33.44 -j ACCEPT
iptables -P INPUT DROP

The benefit/beauty is that such a rule set would be much more performant, as the state of the packages is considered. Plus it allows the desired syntax. Plus is also the recommended way to define firewall rules.

However, please keep in mind that if using a syntax as shown above: -s 1.2.3.4,11.22.33.44 still creates 2 individual table entries, as you can see using the command iptables -L INPUT. In addition it does not work with all versions of iptables. In addition personally I find it hard to read or to maintain. That's the reason why I try to avoid it, in favour of using 2 separate commands.

In case your desire is to minimize the amount of rules, the closest you could do is to use one iptables rule using --match instead --source. However, you still have to define the match, using additional commands. How this works has been explained perfectly in the other comment which deals with ipset.

How to add multiple IPs in one iptables command line? sudo iptables -A INPUT -p tcp --dport 22 ! -s 1.2.3.4 -j DROP

2 Answers2