Iptables setting multiple multiports in one rule

Question

The multiport extension has a limit (15) for the ports that can be specified.

But I need to specify much more port numbers in a single rule, so I tried to use several multiport in one rule like:

iptables -A INPUT -p tcp -m multiport --destination-ports 59100 -m multiport --destination-ports 3000 -m state --state NEW -j REJECT --reject-with tcp-reset 

The result of iptables -L INPUT -n is

Chain INPUT (policy ACCEPT) target     prot opt source               destination          REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 59100 multiport dports 3000 state NEW reject-with tcp-reset 

But it turns out that both of the ports are not rejected when I try to connect from a client.

The version is v1.4.2-rc1.

Is there a workaround, or what should I do when I need to specify more than 15 ports in one rule.

Answer 1

As a workaround to this limitation, I use two rules to cover all the cases.

For example, if I want to allow or deny these 18 ports:

465,110,995,587,143,11025,20,21,22,26,80,443,3000,10000,7080,8080,3000,5666 

I use the below rules:

iptables -A INPUT -p tcp -i eth0 -m multiport --dports 465,110,995,587,143,11025,20,21,22,26,80,443 -j ACCEPT  iptables -A INPUT -p tcp -i eth0 -m multiport --dports 3000,10000,7080,8080,3000,5666 -j ACCEPT 

The above rules should work for your scenario also. You can create another rule if you hit 15 ports limit on both first and second rule.

Answer 2

You need to use multiple rules to implement OR-like semantics, since matches are always AND-ed together within a rule. Alternatively, you can do matching against port-indexing ipsets (ipset create blah bitmap:port).