In this question I see a line like this that will allow me to say "allow these IP addresses to connect":

iptables -A INPUT -m iprange --src-range 10.50.10.20-80 -j ACCEPT

Now, I want to further secure this so that this rule only applies to specific ports. I've been using a command like this for my regular ports:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Can I combine these two to make a specific port allowed only for a range, like this

iptables -A INPUT -m iprange --src-range 10.50.10.20-80 --dport 12345 -j ACCEPT

Obviously I'm hesitant to just make iptables calls willy-nilly. :) Thanks!

corsiKa

3 Answers

The last line you have in there should work; you just need to make sure you have a -p protocol in there, as --dport doesn't work as an option on its own.

iptables -A INPUT -m iprange --src-range 10.50.10.20-80 -p tcp --dport 12345 -j ACCEPT
Pratik Amin

Alternatively, install ipset and you will be able to change the list of IP addresses without messing with your iptables rules:

ipset -N AllowedSources ipmap --network 10.50.10.0/24
for i in $LIST_OF_ALLOWED_SOURCES; do ipset -A AllowedSources $i; done
iptables -A INPUT -m set --match-set AllowedSources src -p tcp --dport 12345 -j ACCEPT

Now, if you need to add another allowed source:

ipset -A AllowedSources a.b.c.d

Or, you need to 'drop' a host from the allowed sources:

ipset -D AllowedSources e.f.g.h

You can save your sets:

ipset --save > /etc/ipset.conf

Which you can restore during boot, before you implement your iptables (or else, iptables will complain!):

ipset --restore < /etc/ipset.conf

You can even create an IP set that will match against source IP and destination port, e.g.:

ipset -N AllowedAccess ipporthash --network 10.50.0.0/16
# These hosts may access port 12345
for i in $LIST_OF_ALLOWED_TO_12345; do ipset -A AllowedAccess $i,12345; done
# These hosts may access port 23456
for i in $LIST_OF_ALLOWED_TO_23456; do ipset -A AllowedAccess $i,23456; done
# These hosts may access port 34567
for i in $LIST_OF_ALLOWED_TO_34567; do ipset -A AllowedAccess $i,34567; done
# Now that the IP set has been created, we can use it in iptables
iptables -A INPUT -m set --match-set AllowedAccess src,dst -j ACCEPT
# Note that we use "src,dst", meaning that we want to match source IP, but
# destination port
# Also note, if you need to match against a single port, the ipmap method
# will be slightly faster.

More on ipset: http://ipset.netfilter.org/

If you are using Ubuntu, you can't install the ipset package from its repo. Use my tip: http://pepoluan.posterous.com/powertip-howto-install-ipset-on-ubuntu

pepoluan

You've got the basic idea right; you can combine them into one rule like that.

However, despite what some answers say, you shouldn't use a range like 10.50.10.20-80 (it will expand to 10.50.10.20-80.0.0.0 - use the iptables command to check). You need to use the full IP address in the range e.g. 10.50.10.20-10.50.10.80.

Also, if you specify a port number, you need to state a protocol that supports ports, so the revised rule would be:

iptables -A INPUT -p tcp -m iprange --src-range 10.50.10.20-10.50.10.80 --dport 12345 -j ACCEPT

Documentation on iprange: https://www.frozentux.net/iptables-tutorial/chunkyhtml/x2702.html#TABLE.IPRANGEMATCH

Rythie
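The two pitfalls raised in the first and third answers (a shorthand range end such as 10.50.10.20-80, and --dport without -p) are easy to catch before the rule ever reaches the kernel. The script below is an added example, not code from the question or any of the answers: it validates a --src-range argument, refuses --dport unless the protocol is tcp or udp, and prints the resulting iptables command instead of running it. The function names are my own; the addresses and port are the ones from the question.

```sh
#!/bin/sh
# Added example (not from the original answers): build the combined
# "source range + destination port" rule and catch the two mistakes the
# answers warn about. Pure string handling; nothing here touches netfilter
# unless you pipe the printed command to a root shell yourself.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Convert a dotted quad to an integer so the two ends of a range can be compared.
ipv4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Validate a --src-range argument: exactly one dash, both ends full addresses,
# start not above end. "10.50.10.20-80" is rejected here because iptables
# would parse the short end as 80.0.0.0, as the third answer points out.
valid_src_range() {
    case "$1" in *-*-*|*-|-*) return 1 ;; esac
    start=${1%-*}
    end=${1#*-}
    [ "$start" != "$1" ] || return 1        # no dash at all
    valid_ipv4 "$start" && valid_ipv4 "$end" || return 1
    [ "$(ipv4_to_int "$start")" -le "$(ipv4_to_int "$end")" ]
}

# Print the iptables command for "allow PROTO port PORT from RANGE".
# --dport is a tcp/udp match option, so a protocol is mandatory here.
# Usage: allow_port_from_range RANGE PROTO PORT [CHAIN]
allow_port_from_range() {
    range=$1 proto=$2 port=$3 chain=${4:-INPUT}
    valid_src_range "$range" || {
        echo "bad range: '$range' (use a.b.c.d-e.f.g.h)" >&2; return 1; }
    case "$proto" in
        tcp|udp) ;;
        *) echo "--dport needs -p tcp or -p udp, got '$proto'" >&2; return 1 ;;
    esac
    case "$port" in *[!0-9]*|'') echo "bad port: '$port'" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range: $port" >&2; return 1; }
    printf 'iptables -A %s -p %s -m iprange --src-range %s --dport %s -j ACCEPT\n' \
        "$chain" "$proto" "$range" "$port"
}

# Dry-run demonstration with the values from the question (prints only).
allow_port_from_range 10.50.10.20-10.50.10.80 tcp 12345
allow_port_from_range 10.50.10.20-80 tcp 12345 || echo "rejected shorthand range"
allow_port_from_range 10.50.10.20-10.50.10.80 '' 12345 || echo "rejected missing protocol"
```

Review the printed command, then run it as root (or pipe the script's output to a root shell). Because the rule is only emitted once both checks pass, a typo in the range cannot silently turn into an ACCEPT for a far larger address block than you intended.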