Iptables setting multiple multiports in one rule

The multiport extension has a limit (15) for the ports that can be specified.

But I need to specify much more port numbers in a single rule, so I tried to use several multiport in one rule like:

iptables -A INPUT -p tcp -m multiport --destination-ports 59100 -m multiport --destination-ports 3000 -m state --state NEW -j REJECT --reject-with tcp-reset 

The result of iptables -L INPUT -n is

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 59100 multiport dports 3000 state NEW reject-with tcp-reset

But it turns out that neither of the ports is rejected when I try to connect from a client.

The version is v1.4.2-rc1.

Is there a workaround, or what should I do when I need to specify more than 15 ports in one rule?

ning asked Jun 17 '11 11:06



2 Answers

As a workaround to this limitation, I use two rules to cover all the cases.

For example, if I want to allow or deny these 18 ports:

465,110,995,587,143,11025,20,21,22,26,80,443,3000,10000,7080,8080,3000,5666 

I use the below rules:

iptables -A INPUT -p tcp -i eth0 -m multiport --dports 465,110,995,587,143,11025,20,21,22,26,80,443 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -m multiport --dports 3000,10000,7080,8080,3000,5666 -j ACCEPT

The above rules should work for your scenario as well. You can create another rule if you hit the 15-port limit on both the first and the second rule.

vinod garag answered Sep 28 '22 05:09
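The splitting the answer above does by hand can be automated. The script below is an added example, not code from the question or either answer: it groups a comma-separated port list into chunks that fit the multiport limit of 15 (a range like `6000:6010` occupies two slots) and prints one rule per chunk instead of running iptables, so the generated rules can be reviewed before being applied. The chain name, target and `split_multiport` function name are the example's own choices.

```sh
#!/bin/sh
# Added example: split a long port list into groups of at most 15 entries
# (the multiport extension's limit) and print one iptables rule per group.
# Rules are printed rather than executed; pipe the output to sh once reviewed.

MULTIPORT_MAX=15

# split_multiport CHAIN TARGET PORTS
#   CHAIN  - e.g. INPUT       TARGET - e.g. ACCEPT or REJECT
#   PORTS  - comma-separated --dports list; a range a:b counts as two slots
split_multiport() {
    chain=$1 target=$2 ports=$3
    group="" count=0
    # Re-use the positional parameters as the list of individual entries.
    set -- $(printf '%s' "$ports" | tr ',' ' ')
    for p in "$@"; do
        # A port range consumes two of the 15 available slots.
        case $p in *:*) cost=2 ;; *) cost=1 ;; esac
        if [ $((count + cost)) -gt "$MULTIPORT_MAX" ]; then
            # Current group is full: emit it as one rule and start a new one.
            echo "iptables -A $chain -p tcp -m multiport --dports $group -j $target"
            group="" count=0
        fi
        if [ -z "$group" ]; then group=$p; else group="$group,$p"; fi
        count=$((count + cost))
    done
    # Emit whatever is left over (the last, possibly partial, group).
    if [ -n "$group" ]; then
        echo "iptables -A $chain -p tcp -m multiport --dports $group -j $target"
    fi
}

# Constructed sample input: the 18 ports listed in the answer above.
PORTS=465,110,995,587,143,11025,20,21,22,26,80,443,3000,10000,7080,8080,3000,5666
split_multiport INPUT ACCEPT "$PORTS"
```

Each emitted rule matches on a single `-m multiport`, so the groups OR together across rules rather than being AND-ed inside one rule, which is what made the question's single-rule attempt match nothing.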


You need to use multiple rules to implement OR-like semantics, since matches are always AND-ed together within a rule. Alternatively, you can do matching against port-indexing ipsets (ipset create blah bitmap:port).

jørgensen answered Sep 28 '22 05:09