
I am trying to configure ip6tables to only allow ssh connections to a specific range. In iptables the command would be:

iptables -A OUTPUT -p tcp --dport 22 -m iprange --dst-range 192.168.178.0-192.168.178.254

But according to the man page, the option -m iprange seems to be gone. What would be the correct command to achieve such behavior? As always, any help will be appreciated :)

phenom135
  • What is the range you are trying to limit to? Replace your prefix with 2001:db8 (example net) if you're concerned about revealing your actual addresses. – fukawi2 Nov 08 '13 at 07:59
  • You're not likely to need iprange, as you can just specify a netblock directly. – Michael Hampton Nov 08 '13 at 15:57

1 Answer

I just checked the ip6tables man page on CentOS 6 and Debian 7 and they both include iprange:

iprange
   This matches on a given arbitrary range of IP addresses.

   [!] --src-range from[-to]
          Match source IP in the specified range.

   [!] --dst-range from[-to]
          Match destination IP in the specified range.

The man page for iptables-extensions on ArchLinux also indicates that iprange should exist.

A quick test on a CentOS 6 box shows that it does work:

www1 $ sudo ip6tables -A OUTPUT -p tcp --dport ssh -m iprange --dst-range 2001:db8::1-2001:db8::ff -j LOG
[sudo] password for fukawi2: 
www1  $ sudo ip6tables -nvL OUTPUT
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp      *      *       ::/0                 ::/0                tcp dpt:22 destination IP range 2001:db8::1-2001:db8::ff LOG flags 0 level 4 

Have you looked at your actual man page instead of an online one?

fukawi2
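Neither the IPv4 range in the question (192.168.178.0-192.168.178.254) nor the IPv6 range in the answer (2001:db8::1-2001:db8::ff) lines up with a single netblock, which is why the iprange match is still useful even though, as Michael Hampton's comment notes, a plain prefix with -d often suffices. The helper below is an added example, not code from the question or the answer: it converts an arbitrary from-to range into the minimal set of CIDR prefixes and builds the equivalent rule both ways; the OUTPUT chain, port 22 and the ACCEPT target are assumed.

```python
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def range_to_networks(first: str, last: str) -> List[Network]:
    """Return the minimal list of CIDR prefixes that exactly covers first..last.

    Works for IPv4 and IPv6 alike; raises ValueError on a reversed range or
    on mixed address families rather than silently producing a wrong rule.
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version:
        raise ValueError("range endpoints must be the same IP version")
    if lo > hi:
        raise ValueError("range start is after range end")
    return list(ipaddress.summarize_address_range(lo, hi))


def rules_for_range(first: str, last: str, chain: str = "OUTPUT",
                    port: int = 22, target: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Build the same restriction two ways: one iprange rule, or one -d rule per prefix.

    chain, port and target are assumed defaults for this example; the command
    (iptables vs ip6tables) is chosen from the address family of the range.
    """
    nets = range_to_networks(first, last)
    cmd = "ip6tables" if nets[0].version == 6 else "iptables"
    base = f"{cmd} -A {chain} -p tcp --dport {port}"
    iprange_rule = f"{base} -m iprange --dst-range {first}-{last} -j {target}"
    cidr_rules = [f"{base} -d {net} -j {target}" for net in nets]
    return iprange_rule, cidr_rules


if __name__ == "__main__":
    # The IPv4 range from the question and the IPv6 range from the answer.
    for first, last in (("192.168.178.0", "192.168.178.254"),
                        ("2001:db8::1", "2001:db8::ff")):
        one_rule, per_prefix = rules_for_range(first, last)
        print(f"# {first}-{last} needs {len(per_prefix)} prefixes without iprange")
        print(one_rule)
        for rule in per_prefix:
            print(rule)
```

Both ranges expand to eight prefixes, so a range that happens to be a whole netblock (for example 2001:db8:: to 2001:db8::ffff) is the only case where a single -d rule replaces the iprange match.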