iptables: using the same address lists against multiple ports

 
 
Mark Hobley
      11-02-2008, 07:56 PM
I am using iptables to allow access to a certain port from a list of
permitted IP addresses using a shell script as follows:

#!/bin/sh

ALLOWED="12.0.0.0/8
27.3.0.0/16

<snip - Squillions of addresses snipped from this list>

10.0.0.0/8
"

for addr in $ALLOWED
do
    iptables -A INPUT -s $addr -p tcp --dport 7500 -j ACCEPT
done

iptables -A INPUT -p tcp --dport 7500 -j DROP

Supposing I want to use the same rules against another port number, for
example, port 23000.

I could repeat the loop against port 23000, but wouldn't that double the
storage space for the tables, because I have two copies of the same
address list for two different port numbers?

Is there a way to setup a single table in memory, and then map the port
numbers against it?

I want to do something like:

FILTEREDPORTS="7500
23000
"
for port in $FILTEREDPORTS
do
# filtered port against permitted address list
done

How can I do this?

Mark.

--
Mark Hobley
Linux User: #370818 http://markhobley.yi.org/

 
Reply With Quote
 
 
 
 
Jerry Peters
      11-02-2008, 08:30 PM
Mark Hobley <(E-Mail Removed)> wrote:
> I am using iptables to allow access to a certain port from a list of
> permitted IP addresses using a shell script as follows:
>
> #!/bin/sh
>
> ALLOWED="12.0.0.0/8
> 27.3.0.0/16
>
> <snip - Squillions of addresses snipped from this list>
>
> 10.0.0.0/8
> "
>
> for addr in $ALLOWED
> do
>     iptables -A INPUT -s $addr -p tcp --dport 7500 -j ACCEPT
> done
>
> iptables -A INPUT -p tcp --dport 7500 -j DROP
>
> Supposing I want to use the same rules against another port number, for
> example, port 23000.
>
> I could repeat the loop against port 23000, but wouldn't that double the
> storage space for the tables, because I have two copies of the same
> address list for two different port numbers?
>
> Is there a way to setup a single table in memory, and then map the port
> numbers against it?
>
> I want to do something like:
>
> FILTEREDPORTS="7500
> 23000
> "
> for port in $FILTEREDPORTS
> do
> # filtered port against permitted address list
> done
>
> How can I do this?
>
> Mark.
>

One of the iptables modules allows filtering on multiple ports.
It's under Netfilter Xtables support and is called "multiport"
multiple port match support.

Jerry
 
Reply With Quote
 
Mark Hobley
      11-03-2008, 12:50 AM
Jerry Peters <(E-Mail Removed)> wrote:

> One of the iptables modules allows filtering on multiple ports.
> It's under Netfilter Xtables support and is called "multiport"
> multiple port match support.


Hmmm. ok. I just had a quick look at that.

How do I deploy this from my script?

The iptables documentation is awful, and I am really struggling to
decipher it.

I may eventually use the same address list against a completely
different set of rules. I was wondering if I could somehow create some
sort of custom table or chain of permitted IP addresses and then use input
rules to jump to my table.

for example:

if port=7500 then jump to my_chain
if port=20000 then jump to my_chain
allow # port is not filtered

then rules for custom_table simply match against source ip address and
allow traffic for listed ip addresses, otherwise deny. (There would be
no port matching in custom_chain, and custom_chain is only effective if
explicitly called.)

I guess this would look something like:

Chain INPUT (policy ACCEPT)
my_chain tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
my_chain tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000

Chain my_chain (policy DENY)
ACCEPT tcp -- 12.0.0.0/8 0.0.0.0/0 tcp
ACCEPT tcp -- 27.3.0.0/16 0.0.0.0/0 tcp

Can I do something like this?

Mark.

--
Mark Hobley
Linux User: #370818 http://markhobley.yi.org/

 
Reply With Quote
 
Grant
      11-03-2008, 03:28 AM
On Mon, 3 Nov 2008 01:50:31 +0000, (E-Mail Removed) (Mark Hobley) wrote:

>Jerry Peters <(E-Mail Removed)> wrote:
>
>> One of the iptables modules allows filtering on multiple ports.
>> It's under Netfilter Xtables support and is called "multiport"
>> multiple port match support.

>
>Hmmm. ok. I just had a quick look at that.
>
>How do I deploy this from my script?
>
>The iptables documentation is awful, and I am really struggling to
>decipher
>it.
>
>I may eventually use the same address list against a completely
>different set of rules. I was wondering if I could somehow create some
>sort of custom table or chain of permitted IP addresses and then use input
>rules to jump to my table.
>
>for example:
>
> if port=7500 then jump to my_chain
> if port=20000 then jump to my_chain
> allow # port is not filtered
>
>then rules for custom_table simply match against source ip address and
>allow traffic for listed ip addresses, otherwise deny. (There would be
>no port matching in custom_chain, and custom_chain is only effective if
>explicitly called.
>
>I guess this would look something like:
>
>Chain INPUT (policy ACCEPT)
>my_chain tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
>my_chain tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000
>
>Chain my_chain (policy DENY)
>ACCEPT tcp -- 12.0.0.0/8 0.0.0.0/0 tcp
>ACCEPT tcp -- 27.3.0.0/16 0.0.0.0/0 tcp
>
>Can I do something like this?


Sort of, but your syntax is way off the track, policy is only for builtin
chains, and you're writing nothing that looks like the examples from
'man iptables'. A gotcha, if you're using a recent kernel, make sure the
iptables is recent too, otherwise the thing will disagree with kernel and
may give misleading error messages (not that it doesn't already issue poorly
worded errors).

INPUT chain should be default DROP, then allow what traffic you need,
start with the basic firewall (read netfilter.org starter) then poke holes
on the INPUT side for services offered.

Grant.
--
http://bugsplatter.id.au
 
Reply With Quote
 
Mark Hobley
      11-03-2008, 08:38 AM
Grant <g_r_a_n_t_@bugsplatter.id.au> wrote:

> INPUT chain should be default DROP, then allow what traffic you need


I can't do that at this time. It will drop all of my LAN and Internet
server and client side traffic. This machine is externally firewalled.
The reason for the filter on the specific input ports is due to a
limitation with the external hardware firewall device which is not able
to limit traffic on particular input ports to a list of known IP
addresses.

This is what I have come up with:

#!/bin/sh

FILTERED="
7500
23000
"

ALLOWED="
12.0.0.0/8
27.3.0.0/16
10.0.0.0/24
"

# one user-defined chain holds the address list exactly once
iptables -N MYTABLE

for addr in $ALLOWED
do
    iptables -A MYTABLE -s $addr -p tcp -j ACCEPT
done

# any source not listed above is dropped
iptables -A MYTABLE -p tcp -j DROP

# each filtered port jumps to the shared chain
for fport in $FILTERED
do
    iptables -A INPUT -p tcp --dport $fport -j MYTABLE
done


--
Mark Hobley
Linux User: #370818 http://markhobley.yi.org/

 
Reply With Quote
 
Pascal Hambourg
      11-03-2008, 10:08 AM
Hello,

Mark Hobley wrote:
> Jerry Peters <(E-Mail Removed)> wrote:
>
>> One of the iptables modules allows filtering on multiple ports.
>> It's under Netfilter Xtables support and is called "multiport"
>> multiple port match support.

>
> Hmmm. ok. I just had a quick look at that.
>
> How do I deploy this from my script?


FILTEREDPORTS="7500,23000"

iptables [...] -m multiport --dports $FILTEREDPORTS -j [...]

IIRC, the limit is 16 ports.
 
Reply With Quote
 
pk
      11-03-2008, 03:59 PM
On Monday 3 November 2008 02:50, Mark Hobley wrote:

> Jerry Peters <(E-Mail Removed)> wrote:
>
>> One of the iptables modules allows filtering on multiple ports.
>> It's under Netfilter Xtables support and is called "multiport"
>> multiple port match support.

>
> Hmmm. ok. I just had a quick look at that.
>
> How do I deploy this from my script?
>
> The iptables documentation is awful, and I am really struggling to
> decipher it.


Uh?

multiport
This module matches a set of source or destination ports. Up to 15
ports can be specified. A port range (port:port) counts as two ports. It
can only be used in conjunction with -p tcp or -p udp.

--source-ports [!] port[,port[,port:port...]]
Match if the source port is one of the given ports. The
flag --sports is a convenient alias for this option.

--destination-ports [!] port[,port[,port:port...]]
Match if the destination port is one of the given ports. The
flag --dports is a convenient alias for this option.

--ports [!] port[,port[,port:port...]]
Match if either the source or destination ports are equal to
one of the given ports.


Could it be clearer than that?

 
Reply With Quote
 
Grant
      11-03-2008, 09:11 PM
On Mon, 3 Nov 2008 09:38:16 +0000, (E-Mail Removed) (Mark Hobley) wrote:

>Grant <g_r_a_n_t_@bugsplatter.id.au> wrote:
>
>> INPUT chain should be default DROP, then allow what traffic you need

>
>I can't do that at this time. It will drop all of my LAN and Internet
>server and client side traffic. This machine is externally firewalled.
>The reason for the filter on the specific input ports is due to a
>limitation with the external hardware firewall device which is not able
>to limit traffic on particular input ports to a list of known IP
>addresses.
>
>This is what I have come up with:
>
>#!/bin/sh
>
>FILTERED="
>7500
>23000
>"
>
>ALLOWED="
>12.0.0.0/8
>27.3.0.0/16
>10.0.0.0/24
>"
>
>iptables -N MYTABLE
>
>for addr in $ALLOWED
>do
>    iptables -A MYTABLE -s $addr -p tcp -j ACCEPT
>done
>
>iptables -A MYTABLE -p tcp -j DROP
>
>for fport in $FILTERED
>do
>    iptables -A INPUT -p tcp --dport $fport -j MYTABLE
>done


How about:

addrs="12.0.0.0/8
27.3.0.0/16
10.0.0.0/24
"
ports="7500,23000"

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

for addr in $addrs
do
    iptables -A INPUT -p tcp -s $addr -m state --state NEW \
        -m multiport --dports $ports -j ACCEPT
done


This multiport technique is only good for 15 ports (a range pair takes two)
per command.

Grant.
--
http://bugsplatter.id.au
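Pulling the thread's pieces together, here is an added example (not code from any poster): Mark's reusable source-check chain, the -m multiport match Jerry, Pascal and Grant point to, and the 15-slot limit pk and Pascal quote, with the port list split automatically so one match never exceeds it. The chain name ALLOWED_SRC, the IPT dry-run switch and the address and port lists are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. One user-defined chain holds the
# permitted-source list exactly once; INPUT jumps to it for every filtered
# port via -m multiport, chunked so no match exceeds 15 slots (a:b counts 2).
# Chain name, lists and the IPT override are constructed for this example.
IPT="${IPT:-echo}"      # dry-run prints the rules; set IPT=iptables to load them

# Slots one list item consumes in a multiport match: a range counts as two.
port_slots() {
    case "$1" in
        *:*) echo 2 ;;
        *)   echo 1 ;;
    esac
}

# Turn a space-separated port list into comma-separated chunks of <=15 slots,
# one chunk per output line, ready for --dports.
chunk_ports() {
    chunk="" used=0
    for p in $1; do
        n=$(port_slots "$p")
        if [ $((used + n)) -gt 15 ]; then
            echo "$chunk"; chunk=""; used=0
        fi
        chunk="${chunk:+$chunk,}$p"; used=$((used + n))
    done
    if [ -n "$chunk" ]; then echo "$chunk"; fi
}

# Create the source-check chain and one INPUT jump per port chunk. RETURN
# (rather than ACCEPT) for a permitted source keeps the chain a pure source
# filter, so any later INPUT rules still apply to that traffic.
build_rules() {
    chain=$1 addrs=$2 ports=$3
    $IPT -N "$chain" || return 1
    for a in $addrs; do
        case "$a" in            # refuse anything that is not an IPv4 address/CIDR
            *[!0-9./]*) echo "malformed address entry: $a" >&2; return 1 ;;
        esac
        $IPT -A "$chain" -s "$a" -j RETURN
    done
    $IPT -A "$chain" -j DROP    # every unlisted source is dropped
    chunk_ports "$ports" | while read -r c; do
        $IPT -A INPUT -p tcp -m multiport --dports "$c" -j "$chain"
    done
}

build_rules ALLOWED_SRC "12.0.0.0/8 27.3.0.0/16 10.0.0.0/24" "7500 23000"
```

Run it as root with IPT=iptables to load the rules; the default only prints them so the generated rule set can be reviewed first.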
 
Reply With Quote
 
Pascal Hambourg
      11-04-2008, 09:32 AM
pk wrote:
>
> multiport
> This module matches a set of source or destination ports. Up to 15
> ports can be specified. A port range (port:port) counts as two ports. It
> can only be used in conjunction with -p tcp or -p udp.
>
> --source-ports [!] port[,port[,port:port...]]
> Match if the source port is one of the given ports. The
> flag --sports is a convenient alias for this option.
>
> --destination-ports [!] port[,port[,port:port...]]
> Match if the destination port is one of the given ports. The
> flag --dports is a convenient alias for this option.
>
> --ports [!] port[,port[,port:port...]]
> Match if either the source or destination ports are equal to
> one of the given ports.
>
> Could it be clearer than that?


Yes, quite.
It could state that:

* -p SCTP and -p DCCP are also supported since kernel 2.6.18 (and
iptables 1.3.6).

* Port range and inversion support requires a kernel 2.6.11 at least
(and iptables 1.3.0).

* The multiple match can only have one option among --dports, --sports
and --ports. Several options cannot be used simultaneously in the same
match. Using two or more of them in the same rule requires multiple
multiport matches (multiple matches of the same type within a single
rule are supported since iptables 1.3.6).
 
Reply With Quote
 
pk
      11-04-2008, 04:26 PM
On Tuesday 4 November 2008 11:32, Pascal Hambourg wrote:

>> Could it be clearer than that?

>
> Yes, quite.
> It could state that :
>
> * -p SCTP and -p DCCP are also supported since kernel 2.6.18 (and
> iptables 1.3.6).
>
> * Port range and inversion support requires a kernel 2.6.11 at least
> (and iptables 1.3.0).
>
> * The multiple match can only have one option among --dports, --sports
> and --ports. Several options cannot be used simultaneously in the same
> match. Using two or more of them in the same rule requires multiple
> multiport matches (multiple matches of the same type within a single
> rule are supported since iptables 1.3.6).


Fair enough. However, the syntax to use is indicated very clearly.
