iptables: using the same address lists against multiple ports

Discussion in 'Linux Networking' started by Mark Hobley, Nov 2, 2008.

  1. Mark Hobley

    I am using iptables to allow access to a certain port from a list of
    permitted IP addresses using a shell script as follows:



    <snip - Squillions of addresses snipped from this list>

    for addr in $ALLOWED; do
        iptables -A INPUT -s $addr -p tcp --dport 7500 -j ACCEPT
    done

    iptables -A INPUT -p tcp --dport 7500 -j DROP

    Supposing I want to use the same rules against another port number, for
    example, port 23000.

    I could repeat the loop against port 23000, but wouldn't that double the
    storage space for the tables, because I have two copies of the same
    address list for two different port numbers?

    Is there a way to setup a single table in memory, and then map the port
    numbers against it?

    I want to do something like:

    for port in $FILTEREDPORTS
    # filtered port against permitted address list

    How can I do this?

    Mark Hobley, Nov 2, 2008
  2. Jerry Peters

    One of the iptables modules allows filtering on multiple ports.
    It's under Netfilter Xtables support and is called "multiport"
    multiple port match support.

    Jerry Peters, Nov 2, 2008
  3. Mark Hobley

    Hmmm. ok. I just had a quick look at that.

    How do I deploy this from my script?

    The iptables documentation is awful, and I am really struggling to

    I may eventually use the same address list against a completely
    different set of rules. I was wondering if I could somehow create some
    sort of custom table or chain of permitted IP addresses and then use input
    rules to jump to my table.

    for example:

    if port=7500 then jump to my_chain
    if port=20000 then jump to my_chain
    allow # port is not filtered

    then rules for custom_table simply match against source ip address and
    allow traffic for listed ip addresses, otherwise deny. (There would be
    no port matching in custom_chain, and custom_chain is only effective if
    explicitly called.)

    I guess this would look something like:

    Chain INPUT (policy ACCEPT)
    my_chain tcp -- tcp dpt:7500
    my_chain tcp -- tcp dpt:20000

    Chain my_chain (policy DENY)
    ACCEPT tcp -- tcp
    ACCEPT tcp -- tcp

    Can I do something like this?

    Mark Hobley, Nov 3, 2008
  4. Grant

    Sort of, but your syntax is way off the track, policy is only for builtin
    chains, and you're writing nothing that looks like the examples from
    'man iptables'. A gotcha, if you're using a recent kernel, make sure the
    iptables is recent too, otherwise the thing will disagree with kernel and
    may give misleading error messages (not that it doesn't already issue poorly
    worded errors).

    INPUT chain should be default DROP, then allow what traffic you need,
    start with the basic firewall (read netfilter.org starter) then poke holes
    on the INPUT side for services offered.

    Grant, Nov 3, 2008
  5. Mark Hobley

    I can't do that at this time. It will drop all of my LAN and Internet
    server and client side traffic. This machine is externally firewalled.
    The reason for the filter on the specific input ports is due to a
    limitation with the external hardware firewall device which is not able
    to limit traffic on particular input ports to a list of known IP

    This is what I have come up with:




    iptables -N MYTABLE

    for addr in $ALLOWED; do
        iptables -A MYTABLE -s $addr -p tcp -j ACCEPT
    done

    iptables -A MYTABLE -p tcp -j DROP

    for fport in $FILTERED; do
        iptables -A INPUT -p tcp --dport $fport -j MYTABLE
    done
    Mark Hobley, Nov 3, 2008
  6. Pascal Hambourg

    Hello,

    Mark Hobley wrote:

    iptables [...] -m multiport --dports $FILTEREDPORTS -j [...]

    IIRC, the limit is 16 ports.
    Pascal Hambourg, Nov 3, 2008
  7. pk


    This module matches a set of source or destination ports. Up to 15
    ports can be specified. A port range (port:port) counts as two ports. It
    can only be used in conjunction with -p tcp or -p udp.

    --source-ports [!] port[,port[,port:port...]]
    Match if the source port is one of the given ports. The
    flag --sports is a convenient alias for this option.

    --destination-ports [!] port[,port[,port:port...]]
    Match if the destination port is one of the given ports. The
    flag --dports is a convenient alias for this option.

    --ports [!] port[,port[,port:port...]]
    Match if either the source or destination ports are equal to
    one of the given ports.

    Could it be clearer than that?
    pk, Nov 3, 2008
  8. Grant

    How about:


    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    for addr in $addrs; do
        iptables -A INPUT -p tcp -s $addr -m state --state NEW \
            -m multiport --dports $ports -j ACCEPT
    done

    This multiport technique is only good for 15 ports (a range pair takes two)
    per command.

    Grant, Nov 3, 2008
  9. Pascal Hambourg

    pk wrote:
    Yes, quite.
    It could state that :

    * -p SCTP and -p DCCP are also supported since kernel 2.6.18 (and
    iptables 1.3.6).

    * Port range and inversion support requires a kernel 2.6.11 at least
    (and iptables 1.3.0).

    * The multiport match can only have one option among --dports, --sports
    and --ports. Several options cannot be used simultaneously in the same
    match. Using two or more of them in the same rule requires multiple
    multiport matches (multiple matches of the same type within a single
    rule are supported since iptables 1.3.6).
    Pascal Hambourg, Nov 4, 2008
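    The following is an added example, not code posted by anyone in this
    thread. It combines the three ideas above: Mark's user-defined chain
    holding the address list once (post 5), Grant's multiport match (post 8),
    and the 15-slot limit Pascal and pk describe (posts 7 and 9, a range
    counting as two slots). Rather than calling iptables once per rule, it
    emits an iptables-restore ruleset on stdout so the whole thing can be
    reviewed first and loaded atomically. The chain name TRUSTED_SRC, the
    function names, the use of -m conntrack instead of -m state, and the
    sample addresses and ports are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# filters a list of TCP ports against one shared source-address list.
#
# Design: the address list lives in ONE user-defined chain (TRUSTED_SRC, a
# name chosen for this example); INPUT jumps to it for the filtered ports via
# -m multiport, so each address is stored exactly once no matter how many
# ports are filtered. Ports are grouped so that no single multiport match
# exceeds its 15-slot limit (a port range "a:b" costs two slots).

# Number of multiport slots one entry uses: "a:b" is 2, "a" is 1.
slot_cost() {
    case "$1" in
        *:*) echo 2 ;;
        *)   echo 1 ;;
    esac
}

# Split a whitespace-separated port list into comma-separated groups,
# each using at most 15 multiport slots. One group per output line.
split_multiport() {
    group=""
    used=0
    for p in $1; do
        c=$(slot_cost "$p")
        if [ $((used + c)) -gt 15 ]; then
            echo "$group"
            group=""
            used=0
        fi
        if [ -z "$group" ]; then group="$p"; else group="$group,$p"; fi
        used=$((used + c))
    done
    [ -n "$group" ] && echo "$group"
    return 0
}

# gen_rules CHAIN "ADDR ..." "PORT ..."  -> iptables-restore text on stdout
gen_rules() {
    chain=$1; allowed=$2; ports=$3
    echo "*filter"
    echo ":$chain - [0:0]"
    # Replies to connections this host initiated never need to be checked.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One jump per multiport group instead of one INPUT rule per port.
    split_multiport "$ports" | while read -r grp; do
        echo "-A INPUT -p tcp -m multiport --dports $grp -j $chain"
    done
    # The shared address list, stored once, in its own chain.
    for addr in $allowed; do
        echo "-A $chain -s $addr -j ACCEPT"
    done
    # Anything reaching the chain from an unlisted source is dropped.
    echo "-A $chain -j DROP"
    echo "COMMIT"
}

# Constructed sample input for the example (documentation-range addresses,
# not anyone's real list).
ALLOWED="192.0.2.10 192.0.2.11 198.51.100.0/24"
FILTERED="7500 23000 20000 3000:3010"

# Usage, as root, after reading the output once with plain gen_rules:
#   gen_rules TRUSTED_SRC "$ALLOWED" "$FILTERED" | iptables-restore -n
# -n (--noflush) appends to the existing tables instead of replacing them,
# which matches Mark's situation of keeping the current INPUT policy.
```

    With this layout, adding a port costs at most one INPUT rule (none at
    all until a multiport group fills up) and adding an address costs one
    rule in the chain, instead of one rule per address per port. Note that
    iptables-restore -n still appends to INPUT, so run it once, not on every
    boot, or flush the chain first; and IPv6 traffic needs the same treatment
    through ip6tables, which this script does not touch.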
  10. pk

    Fair enough. However, the syntax to use is indicated very clearly.
    pk, Nov 4, 2008