iptables: How to use or specify multiple IP addresses in iptables source or destination on Linux

How to add multiple sources in a single iptables command

The syntax is:
iptables -A INPUT -s ip1,ip2,ip3 -j ACCEPT
iptables -A INPUT -s ip1,ip2,ip3 -j DROP
iptables -I INPUT -s ip1,ip2,ip3 -d ip2 -j DROP

To accept packets from 192.168.1.5 and 192.168.2.6, run:
iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -j ACCEPT
Another example, limited to HTTPS (TCP port 443):
iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -p tcp --dport 443 -j ACCEPT
This example drops packets to TCP port 80 from the same two IP addresses:
iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -p tcp --dport 80 -j DROP
This example uses DNAT to forward traffic from two source IP addresses to an internal host (DNAT rules live in the nat table, so -t nat is required):
source="139.59.1.155,23.239.7.187"
dest="104.20.187.5"
port=443
redirect="10.105.28.43:443"
iptables -t nat -A PREROUTING -s ${source} -d ${dest} -p tcp --dport ${port} -j DNAT --to-destination ${redirect}

It is also possible to drop a list of IP addresses read from a file by using a new chain, as follows:
#!/bin/bash
# File with one IP address per line; lines starting with # and blank lines are ignored
_input="/root/block.ip.address.list.txt"
IPT=/sbin/iptables
# Create the user-defined chain
$IPT -N droplist
# Read the list, skipping comments and blank lines, and add a LOG and a DROP rule per address
grep -Ev "^#|^$" "$_input" | while IFS= read -r ip
do
 $IPT -A droplist -i eth1 -s "$ip" -j LOG --log-prefix " myBad IP BlockList  "
 $IPT -A droplist -i eth1 -s "$ip" -j DROP
done
# Send INPUT, OUTPUT and FORWARD traffic through the droplist chain
$IPT -I INPUT -j droplist
$IPT -I OUTPUT -j droplist
$IPT -I FORWARD -j droplist
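The following is an added example, not code from the original post: it extends the blocklist idea above by validating every entry before it reaches iptables and by printing the resulting commands for review instead of executing them. The blocklist file, the chain name droplist and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: validate a blocklist file and generate droplist commands.
set -f   # word-splitting untrusted lines below must not trigger globbing

# Constructed sample blocklist: one IPv4 address or CIDR per line, "#" comments.
BLOCKLIST=$(mktemp); trap 'rm -f "$BLOCKLIST"' EXIT
cat > "$BLOCKLIST" <<'EOF'
# constructed sample entries
203.0.113.7
198.51.100.0/24   # trailing comment is fine
bad.entry.here
192.0.2.300
EOF

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    addr=${1%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32                  # no "/" in the entry
    case $pfx in ''|*[!0-9]*) return 1;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in ''|*[!0-9]*) return 1;; esac
        [ "$oct" -le 255 ] || return 1
    done
}

# Print the valid entries of file $1 joined with commas (the form "-s" takes); malformed lines are reported.
source_list() {
    file=$1; out=
    while read -r line; do
        set -- ${line%%#*}                        # strip comment, word-split
        [ $# -gt 0 ] || continue
        if [ $# -eq 1 ] && valid_ipv4 "$1"; then out="${out:+$out,}$1"
        else echo "source_list: skipping malformed line: $line" >&2; fi
    done < "$file"
    printf '%s\n' "$out"
}

# Emit, rather than execute, the commands; iptables expands the comma list into one rule per address.
gen_droplist_rules() {
    list=$(source_list "$1") && [ -n "$list" ] || return 1
    printf 'iptables -N droplist\n'
    printf 'iptables -A droplist -s %s -j LOG --log-prefix "BlockList "\n' "$list"
    printf 'iptables -A droplist -s %s -j DROP\n' "$list"
    printf 'iptables -I INPUT -j droplist\n'
}

gen_droplist_rules "$BLOCKLIST"
```

Review the printed commands, then pipe them to sh as root; malformed lines are reported on stderr rather than silently passed to iptables.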

How to add multiple destinations in a single iptables command

The syntax is:
iptables -A INPUT -d ip1,ip2,ip3 -j ACCEPT
iptables -A INPUT -d ip1,ip2,ip3 -j DROP
iptables -I INPUT -d ip1,ip2,ip3 -s ip2 -j DROP

Some examples:
iptables -A INPUT -d 192.168.1.5,192.168.1.6 -j ACCEPT
iptables -A INPUT -d 192.168.1.5,192.168.1.6 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -d 192.168.1.5,192.168.1.6 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

To view the added rules, run:
iptables -t filter -L INPUT -n -v
Sample outputs:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5632 6156K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    80 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  553  128K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  553  128K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  553  128K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  551  128K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.5          tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.6          tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.5          tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.6          tcp dpt:22
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.5         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.6         
    0     0 ACCEPT     tcp  --  *      *       192.168.1.5          192.168.1.254        tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       192.168.2.6          192.168.1.254        tcp dpt:443

A note about user-defined chains

It is possible to create a new user-defined chain as follows:
iptables -N ALLOWED
iptables -A ALLOWED -d 127.0.0.0/8 -j RETURN
iptables -A ALLOWED -d 192.168.1.0/24 -j RETURN
iptables -A ALLOWED -d 205.54.1.5 -j RETURN
iptables -A INPUT -j ALLOWED

See the iptables man page for more info:
$ man iptables
