Hi guys.

I've consulted the iptables documentation, but the question is still actual. I wonder if the firewall has some parameter, which can handle multiple IP-addresses in the rule.

To make the problem more clear, I can show an example from OpenBSD's firewall - pf (from the oficial FAQ). OpenBSD's pf has a tool called 'tables' - it can store many addresses in one table:
Now let's go back to iptables.
Say, I'd like to restrict access to my webserver from 1.1.1.1, 2.2.2.2 and 3.3.3.3.

Do I have any opportunity to do it with one line ?

^^ this doesn't look nice :-) But as far as i remember, there is not any option which could be useful to me (something like -m multiport --dport port1, port2, port3 but according to IP-addresses).

So, if there is, let me know please.

Regards, Lexus45

Make DEFAULT rule DROP, allow only what you need.

Nimnull already gave the best solution in this particular situation but what you're asking for as far as I know, except for specifying networks there is no good way to do. You can of course use netmask and cidr notation.

Uh, okay, but it's a firewall script – not ASCII artwork.

Seriously, though, are you really wanting to do this for purely cosmetic reasons?

Always good advice. Of course, he might already be doing that (which would make these akin to exceptions).

Of course, I do it :-)
(Even more, iptables - was the first thing I started learning about Linux. But it was some years ago...) :-)

Besides, the idea could be used not only with -j DROP in INPUT chain of the 'filter' table, but also in SNAT or REDIRECT or something else.
That's why I wonder...

Sure, I know about netmasks :-) Nevertheless, thanks for advice ;-D
There may be situations when the addresses belong to different subnets (as in my example).
That's why I wonder.


I think it's much of pure interest...
I don't have really serious problems because of the absence of such a feature in iptables.

But I think it could be rather nice to have one.


So, as I was sure and as I also see from our discussion, iptables seems not to have such a feature.

I think what you are wanting to do is provided by an iptables friend called 'ipset'. I used to have it here for awhile, but at each new kernel updated they (kernel devs) seemed to break something and I got sick and tired of patching it and my patch-o-matic iptables extensions all the time to keep it working when I didn't use it that much. So I let it go. Maybe it's still around and buildable, depending on what kernel version you have going. I see the -m match for it is still in the iptables man page:

but I can't say if it fully works now or will meet your needs. The URL for it escapes me ATM, but it's on the Netfilter ftp server (where the iptables source is). Maybe ftp://ftp.netfilter.org/ ?

jayjwa, an interesting note, thanks.
So I think, it's better not to change anything because my problem is not serious. :-)

Not, as far as I know, a firewall parameter...

I'm with win32sux on this; if there was ever an area in function has to take priority over pretty looking code, this (security, generally) is it.

Having said that, it seems that modules like blockhosts, fail2ban, denyhosts, sshban could do what you say that you want. These are things that are aimed at working with dynamic ip lists, but there doesn't seem to be a reason that they cannot be used with a short, static, list of bad guys. It would be more of an issue if there were hundreds of them, rather than three...

But you have to question whether this is a worthwhile objective - there is a little messy complexity, and you have succeeded in putting it somewhere other than in the basic iptables set of rules, which does keep iptables looking clean. But does it make things any more secure?

The difficulty with any of these measures is that if they don't work quickly, they can increase your susceptibility to DoS and more specifically DDoS attacks.

So would you want to clean up your iptables rules, at the expense of increasing you susceptibility to a particular type of attack (if that is what it would do)? Well, I don't think, put like that, it would be a worthwhile objective.