
I have a number of iptables rules on my firewall that look like this:

iptables -A zone_lan_forward -p tcp -d 1.2.3.0/24 -j ACCEPT
iptables -A zone_lan_forward -p udp -d 1.2.3.0/24 -j ACCEPT

Is there a shortcut for having two rules - one for tcp and one for udp - for every address? I mean can I do something like this:

iptables -A zone_lan_forward -p tcp,udp -d 1.2.3.0/24 -j ACCEPT
Big McLargeHuge

2 Answers


Create a new chain which will accept any TCP and UDP packets, and jump to that chain from the individual IP/port permissive rules:

iptables -N ACCEPT_TCP_UDP
iptables -A ACCEPT_TCP_UDP -p tcp -j ACCEPT
iptables -A ACCEPT_TCP_UDP -p udp -j ACCEPT

iptables -A zone_lan_forward -d 1.2.3.0/24 -j ACCEPT_TCP_UDP

This adds the overhead of a few extra lines, but halves the number of TCP / UDP rules.

I would not omit the -p argument, because you're not only opening up the firewall for ICMP, but also any other protocol. From the iptables man page on -p:

The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed.

You may not be listening on any protocols except for TCP, UDP, and ICMP right now, but who knows what the future may hold. It would be bad practice to leave the firewall open unnecessarily.

Disclaimer: The iptables commands are off the top of my head; I don't have access to a box on which to test them ATM.

s.co.tt
  • This is a very elegant solution that doesn't leave the firewall open unnecessarily. – Big McLargeHuge May 17 '13 at 22:16
  • But this method of creating a new chain will fail if the filtering is done through the destination port number. Can anyone suggest how to overcome the above-mentioned problem? – Amor Oct 09 '14 at 09:22
  • @Amor In this example, if you used `-p all` in all `--dport` rules on the `zone_lan_forward` chain, that might achieve what you're looking for. I am of course assuming there is no other way to get onto that chain with a non-TCP/UDP protocol due to the `ACCEPT_TCP_UDP` chain. Obviously this is a risky strategy if multiple people have access to modify rules and someone comes along and edits your rules without understanding this subtlety. – Samuel Harmer Nov 24 '16 at 09:26
  • Ooops. Didn't notice the order of chains. You would need to switch the order of the chains in this example too for what I just said to work properly. So `ACCEPT_TCP_UDP` jumps to `zone_lan_forward` which then jumps to `ACCEPT`. – Samuel Harmer Nov 24 '16 at 09:29
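The shared-chain approach from the answer above, as an added example that is not part of the original post: a small generator script that prints the iptables commands (it never touches the live firewall) and falls back to two explicit rules when a destination port is involved, since `--dport` belongs to the tcp/udp match extensions and needs an explicit `-p`, which is the limitation Amor's comment runs into. The chain name `ACCEPT_TCP_UDP` and `zone_lan_forward` are the page's; the helper names and the `10.0.0.0/8` sample network are constructed for this example.

```shell
#!/bin/sh
# Emit iptables commands that route address-only rules through one shared
# ACCEPT_TCP_UDP chain. Commands are printed for review, not executed.

CHAIN=ACCEPT_TCP_UDP   # chain name from the answer
FWD=zone_lan_forward   # forward chain from the question

# One-time setup: the shared chain accepts only TCP and UDP. Any other
# protocol falls off the end of the chain and returns to the caller, so
# ICMP and the rest stay subject to whatever rules follow the jump.
chain_setup() {
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -A %s -p tcp -j ACCEPT\n' "$CHAIN"
    printf 'iptables -A %s -p udp -j ACCEPT\n' "$CHAIN"
}

# allow_net NETWORK [PORT]
# No port: one jump to the shared chain replaces the tcp+udp pair.
# With a port: --dport requires -p tcp or -p udp, so the shared chain
# cannot be used and two ordinary rules are emitted instead.
allow_net() {
    net=$1; port=$2
    if [ -z "$port" ]; then
        printf 'iptables -A %s -d %s -j %s\n' "$FWD" "$net" "$CHAIN"
    else
        printf 'iptables -A %s -p tcp -d %s --dport %s -j ACCEPT\n' "$FWD" "$net" "$port"
        printf 'iptables -A %s -p udp -d %s --dport %s -j ACCEPT\n' "$FWD" "$net" "$port"
    fi
}

# forward_rule_count NETWORK[:PORT]...
# Number of rules appended to the forward chain for the given entries,
# for comparison with the two-per-address layout in the question.
forward_rule_count() {
    n=0
    for entry in "$@"; do
        net=${entry%%:*}
        port=${entry#*:}
        [ "$port" = "$entry" ] && port=
        n=$((n + $(allow_net "$net" "$port" | grep -c '')))
    done
    echo "$n"
}

# Constructed sample: the page's network plus one port-restricted entry.
chain_setup
allow_net 1.2.3.0/24
allow_net 10.0.0.0/8 443
```

Pipe the output into `sh` only after reviewing it, or translate it into `iptables-restore` format if that is how the firewall is managed.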

If you don't really care about ICMP traffic (which you can block globally with a rule anyway), you can just omit the -p flag and it'll cover all the protocols.

Nathan C
  • Should I care about ICMP traffic? I am mostly concerned with HTTP access. – Big McLargeHuge May 17 '13 at 16:09
  • Not really. You can block ICMP (ping) if you want to but since it's serving HTTP traffic anyway there's not much point. – Nathan C May 17 '13 at 16:11
  • @NathanC, I think the advice to open up ALL ports when the OP is asking how to halve his rules may lead to trouble, now or in the future. – Jed Daniels May 17 '13 at 17:53
  • @JedDaniels the -p switch specifies the protocols and not ports. The answer below has an alternative if they care to lock down anything other than tcp & udp. – Nathan C May 17 '13 at 17:59
  • @NathanC Yes, and removing the -p means "open up all protocols, not just tcp or udp", which is reckless if not dangerous. – Jed Daniels May 17 '13 at 18:12
  • @davidkennedy85 If you really only care about HTTP, just drop the UDP rule and you've halved the rules. HTTP doesn't use UDP at all. (But make sure you actually know what is going on in your network before making changes you don't understand.) Also, you may wish to restrict it down to a small number of ports (the standard defaults for HTTP and HTTPS are 80 and 443 respectively), but again, that depends on what you are really trying to accomplish here. Overall, I'd recommend s.co.tt's answer as a better one. – Jed Daniels May 17 '13 at 18:16
  • @JedDaniels I'm trying to open up the firewall for Steam which downloads games over UDP. I guess that means Steam doesn't use HTTP. It certainly doesn't use my proxy, which is a source of frustration. But the main concern is still HTTP. – Big McLargeHuge May 17 '13 at 22:18