LinuxQuestions.org

iprange -dst-range on vpn (https://www.linuxquestions.org/questions/linux-networking-3/iprange-dst-range-on-vpn-4175704521/)

cokiere 12-05-2021 03:33 PM

iprange -dst-range on vpn
 
Hello,
I don't understand the difference between the -d option and iprange.
Example:

this works
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 1194 -j ACCEPT

this doesn't work
-A OUTPUT -p udp -m udp -m iprange --dst-range 37.120.217.84-37.120.217.170 --dport 1194 -j ACCEPT

my iptables:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

# Set a default DROP policy.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow basic INPUT traffic.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Allow basic OUTPUT traffic.
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow traffic to the OpenVPN server and via the tunnel.
-A OUTPUT -o proton0 -j ACCEPT

-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 5060 -j ACCEPT
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 9050 -j ACCEPT
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 4569 -j ACCEPT

# Reject everything else.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

vincix 12-09-2021 05:46 AM

I don't know exactly what you mean when you say that the second rule doesn't work (I see that the IPs are different, but I'm guessing you understand that), but the difference is that with iprange you can give it an arbitrary IP range, regardless of subnetting. So you don't need to specify a network mask, like you do with -d. (With -d, not specifying a network mask means only the IP itself, of course.)

cokiere 12-09-2021 06:06 AM

Hi,
I want to set up a VPN, as you see, but I'd like to put only the server range:
example:

####server UK
-A OUTPUT -p udp -m udp -m iprange --dst-range 103.107.197.35-103.107.197.127 --dport 1194 -j ACCEPT
I can't get a connection with this rule.

Only with this can I get a connection:
##server UK
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 1194 -j ACCEPT

Sure, I have to learn more about iptables.
Thanks

vincix 12-09-2021 06:15 AM

So you're setting up these rules on the client side, if I understand correctly?

If yes, then the iprange rule is correct in and of itself. But that's not a perfect overlap. /24 means .1-.254, whereas your iprange rule is restricted to .35-.127. So if your vpn server does not belong to that range, of course it won't work.

Other than that there's no difference between -d and iprange.

cokiere 12-13-2021 11:58 AM

Quote:

Originally Posted by vincix (Post 6307981)
So you're setting up these rules on the client side, if I understand correctly?

If yes, then the iprange rule is correct in and of itself. But that's not a perfect overlap. /24 means .1-.254, whereas your iprange rule is restricted to .35-.127. So if your vpn server does not belong to that range, of course it won't work.

Other than that there's no difference between -d and iprange.

Hi,
yes, it's a client, and yes, the range belongs to the server. I wish to narrow it down.
I need to study more.
Thanks

vincix 12-13-2021 12:50 PM

Quote:

Originally Posted by cokiere (Post 6309188)
Hi,
yes, it's a client, and yes, the range belongs to the server. I wish to narrow it down.
I need to study more.
Thanks

You can create a log rule to port 1194 and see what ip destination it tries.
Code:

iptables -I OUTPUT -p udp -m udp --dport 1194 -j LOG --log-prefix "OVPN: " --log-level 4
And then have a look at /var/log/syslog if you use Debian/Ubuntu.
If you use CentOS/Alma/Rocky/RHEL, then add the uncommented line to /etc/rsyslog.conf and check /var/log/kern.
Code:

#kern.*                                                /dev/console
kern.*                                                /var/log/kern
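
As an added example (not code from the thread), the following shell script ties together the two points made above: the difference between -d (a CIDR block) and -m iprange --dst-range (an arbitrary inclusive range), and the LOG rule used to find out which destination the client actually talks to. It embeds a few constructed kernel LOG lines in the field layout the LOG target writes (hostname, interface, addresses and timestamps are made up for the example), extracts the DST= addresses for DPT=1194 under the "OVPN: " prefix, and reports whether each one would be matched by the broad /24 rule and by the narrowed --dst-range rule. It runs as an ordinary user and never calls iptables.

```shell
#!/bin/sh
# Constructed sample of what the LOG rule
#   iptables -I OUTPUT -p udp -m udp --dport 1194 -j LOG --log-prefix "OVPN: " --log-level 4
# would leave in syslog. Addresses and names are made up for this example.
SAMPLE_LOG='Dec 13 12:51:02 client kernel: OVPN: IN= OUT=wlan0 SRC=192.168.1.20 DST=103.107.197.40 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=41234 DPT=1194 LEN=22
Dec 13 12:51:05 client kernel: OVPN: IN= OUT=wlan0 SRC=192.168.1.20 DST=103.107.197.200 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=41234 DPT=1194 LEN=22
Dec 13 12:51:07 client kernel: unrelated: IN= OUT=wlan0 SRC=192.168.1.20 DST=10.0.0.1 PROTO=UDP SPT=5353 DPT=53'

# Convert a dotted quad to a 32-bit integer so ranges can be compared numerically.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if $1 lies inside the CIDR block $2 ("a.b.c.d/bits"): the test that
# "-d a.b.c.d/bits" performs.
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Exit 0 if $1 lies inside the inclusive range $2 ("lo-hi"): the test that
# "-m iprange --dst-range lo-hi" performs. No mask is involved at all.
in_range() {
    ip=$(ip2int "$1")
    lo=$(ip2int "${2%-*}")
    hi=$(ip2int "${2#*-}")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# Pull the unique DST= addresses out of LOG lines that carry our prefix and
# are headed for UDP port 1194.
log_dsts() {
    printf '%s\n' "$1" | grep 'OVPN: ' | grep 'DPT=1194' \
        | sed -n 's/.*DST=\([0-9.]*\).*/\1/p' | sort -u
}

# For each logged destination, print whether the broad -d rule ($1) and the
# narrowed --dst-range rule ($2) would accept it.
check_dsts() {
    cidr=$1; range=$2; logs=$3
    for dst in $(log_dsts "$logs"); do
        if in_cidr "$dst" "$cidr"; then c=yes; else c=no; fi
        if in_range "$dst" "$range"; then r=yes; else r=no; fi
        printf '%s  in %s: %s  in %s: %s\n' "$dst" "$cidr" "$c" "$range" "$r"
    done
}

check_dsts 103.107.197.0/24 103.107.197.35-103.107.197.127 "$SAMPLE_LOG"
```

With real logs, feed the script `grep 'OVPN: ' /var/log/syslog` (or /var/log/kern on the rsyslog setup above) instead of SAMPLE_LOG. Any address that prints "no" for the range is one the narrowed rule rejects even though the /24 rule accepted it; either widen --dst-range to cover it or pin the VPN client to a server inside the range. Delete the LOG rule again when you are done (iptables -D OUTPUT with the same match), since it logs every outbound packet to port 1194.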


