36

Here is my iptables, how can I make it so that I can allow a range of ip's on ETH1 (10.51.x.x)

# Generated by iptables-save v1.4.4 on Thu Jul  8 13:00:14 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh 
-A INPUT -i lo -j ACCEPT 
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 
-A INPUT -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -j REJECT --reject-with icmp-port-unreachable 
-A OUTPUT -j ACCEPT 
-A fail2ban-ssh -j RETURN 
COMMIT
Kladskull
  • 1,265
  • 5
  • 15
  • 32

4 Answers4

54

If you only want to allow a certain range of IP addresses inside of 10.50.0.0 (such as from 10.50.10.20 through 10.50.10.80) you can use the following command:

iptables -A INPUT -i eth1 -m iprange --src-range 10.50.10.20-10.50.10.80 -j ACCEPT

If you want to allow the entire range you can use this instead:

iptables -A INPUT -i eth1 -s 10.50.0.0/16 -j ACCEPT

See iptables man page and this question here on ServerFault: Whitelist allowed IPs (in/out) using iptables

Community
  • 1
runlevelsix
  • 2,609
  • 21
  • 19
  • Where do I put this line? – Kladskull Jul 17 '10 at 19:39
  • Those are the commands that you would run from the command line: [root@host ~]# iptables -A INPUT -i eth1 -s 10.50.0.0/16 -j ACCEPT – runlevelsix Jul 17 '10 at 21:39
  • 1
    Use "10.50.10.20-10.50.10.80", ["-80" might not do what you want](http://blog.capitar.com/iptables-ip-range-reversed/). – basic6 May 24 '15 at 11:16
  • @runlevelsix If I wanted to allow for an ip range like 10.0.0.0 thru 10.255.255.255, would I use 10.0.0.0/24 ? – RoboBear Sep 30 '18 at 01:02
  • @MikeCurry this is specifying what to run on the command -line/from your terminal. Alternatively, you can add this rule to an iptables rules file in /etc/iptables/rulesets.d (if you're using Debian Linux) by removing the "iptables " and following space from the line: -A INPUT -i eth1 -m iprange --src-range 10.50.10.20-10.50.10.80 -j ACCEPT. – RoboBear Sep 30 '18 at 01:05
  • @RoboBear that particular IP range is 10.0.0.0/8 – runlevelsix Sep 30 '18 at 02:43
  • Is it possible to define a discontinued range? – stackprotector Mar 14 '22 at 07:56
4

For a specific port, say 22:

iptables -A INPUT -p tcp  -m iprange --src-range  10.50.10.20-10.50.10.80  --dport 22  -j ACCEPT
mehov
  • 568
  • 1
  • 5
  • 14
Swapnil jaiswal
  • 111
  • 5
1

Well you did saw what you want to allow those IPs for but 10.51.x.x in CIDR translates to 10.50.0.0/16. So it will be something like the line for the loopback interface that has 127.0.0.0/8.

Kyle Brandt
  • 82,107
  • 71
  • 302
  • 444
1
iptables -A INPUT -i eth1 -m iprange --src-range 10.50.10.20-80 -j ACCEPT

May give the following error:

iptables: Applying firewall rules: xt_iprange: range 10.50.10.20-80 is reversed and will never match

To correct this just put the full ip instead like this:

iptables -A INPUT -i eth1 -m iprange --src-range 10.50.10.20-10.50.10.80 -j ACCEPT

Ref.:http://blog.capitar.com/iptables-ip-range-reversed/

Franck
  • 11
  • 1