
TheHellsMaster 09-14-2004 07:53 AM

how to define a specific range of IPs and/or multiple IPs in an iptables rule?...
hi all,

how can I define a customized range of IPs (a segment from or multiple IPs in a single iptables rule?...
...if possible at all...

like for example if you want to define source ports from 10 to 25 you type "--sport 10:25" or if you want to use multiple ports you type "-m multiport --sport 3,6,7,32"
...and you don't need to type one and the same rule for each port...

I need to do the same thing for IPs...
using the netmask does not work for me, since the ranges I need to define are custom...

if anyone can help me do this in an iptables rule or using an external script that will export the IPs - the beer is on me... :-)

10x in advance...

stickman 09-14-2004 04:27 PM

It's as simple as:

TheIrish 09-14-2004 05:53 PM


It's as simple as:
piece of cake! But I actually think he meant a stricter range, like from to
In this case there's a netfilter patch available... i don't think it passed stable yet, so probably you'll need patch'o'matic:

scottman 09-14-2004 07:01 PM

You could also try this (wasn't aware of the patch before I started it)




function load_ranges() {
        if [ "$range1" != "" ]; then
                # $range1 is "low:high", e.g. 192.168.1.10:192.168.1.50;
                # only the last octet may differ between the two ends.
                first_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f1)
                second_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f2)
                third_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f3)
                low_range_num=$(echo "$range1" | cut -d : -f1 | cut -d . -f4)
                high_range_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f4)
                counter=0

                # The until loop stops once the last octet passes the top
                # of the range, so the top address itself is included
                # (-gt is the numeric greater-than test).

                until [[ $low_range_num -gt $high_range_num ]];do
                        current_ip="$first_num.$second_num.$third_num.$low_range_num"
                        #you can add your rules here, and use $current_ip for the
                        #address

                        #iptables -A FORWARD -i eth1 -d $current_ip -j DROP

                        #iptables -A INPUT -d $current_ip -j DROP
                        #echo $current_ip

                        let low_range_num=$low_range_num+1

                        let counter=$counter+1
                        if [ $counter = "255" ];then
                                break   # safety stop: a range never spans more than one /24
                        fi
                done
        fi
}
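The script above walks only the last octet of the range, so a range that crosses a /24 boundary cannot be expressed with it. The following is an added example written for this page, not code from the thread: it converts both ends of the range to integers so any dotted-quad range expands correctly, validates the input, refuses ranges that would produce thousands of single-address rules, and also prints the single rule using the iprange match (`-m iprange --src-range`), which is presumably the netfilter patch TheIrish mentions and has since been part of mainline. The variable IPT and the addresses used are this example's own; the rules are printed rather than executed so they can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not code from the thread. Expands an arbitrary IPv4 range
# into single addresses and prints firewall rules for it. IPT is this
# example's own variable; the addresses are documentation/test values.
IPT=${IPT:-/sbin/iptables}

# ip2int 192.168.1.10 -> 3232235786
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 3232235786 -> 192.168.1.10
int2ip() {
    local n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# valid_ip ADDR: four decimal octets in 0..255, no leading zeros
# (a leading zero would be read as octal by the arithmetic above).
valid_ip() {
    local IFS=. o
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# expand_range LOW HIGH: every address from LOW to HIGH inclusive, one per
# line, crossing octet boundaries (10.0.0.254 10.0.1.2 gives five addresses).
expand_range() {
    local lo hi n
    valid_ip "$1" && valid_ip "$2" || { echo "bad address: $1 $2" >&2; return 1; }
    lo=$(ip2int "$1"); hi=$(ip2int "$2")
    [ "$lo" -le "$hi" ] || { echo "range is backwards: $1-$2" >&2; return 1; }
    # One rule per address does not scale; refuse anything past a few /24s.
    [ $((hi - lo)) -lt 4096 ] || { echo "range too large for per-address rules" >&2; return 1; }
    n=$lo
    while [ "$n" -le "$hi" ]; do
        int2ip "$n"
        n=$((n + 1))
    done
}

# drop_range LOW HIGH CHAIN: print one DROP per address, then the single
# rule using the iprange match that replaces the whole loop.
drop_range() {
    local ips ip
    ips=$(expand_range "$1" "$2") || return 1
    for ip in $ips; do
        echo "$IPT -A $3 -s $ip -j DROP"
    done
    echo "# the same thing as one rule, where the kernel has the iprange match:"
    echo "$IPT -A $3 -m iprange --src-range $1-$2 -j DROP"
}

drop_range 10.0.0.254 10.0.1.2 INPUT
```

Pipe the output into `sh` once it looks right. With the iprange match available, the loop is unnecessary: one rule covers the whole range and is evaluated as a single comparison rather than one rule per address.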


TheIrish 09-14-2004 07:59 PM

phew! pure rock'n'roll

TheHellsMaster 09-15-2004 11:09 AM

ah, yeah!... :-)
10x for that script - that's about what I meant and it works for me...

as I said - the beer is on me... :-)

scottman 09-15-2004 03:38 PM

No prob, I could use a cold one.

You could make it more useful for multiple ranges by taking an argument to it.

load_ranges "$range1"
load_ranges "$range2"

That would allow you to replace all the places $range1 is used in the function with
"$*". Then you could use it for multiple ranges; however, you'd still be restricted
to one generic ruleset.

        if [ "$*" != "" ]; then
                first_num=$(echo "$*" | cut -d : -f2 | cut -d . -f1)

Also be careful with modifying this, any small errors could cause up to
255 output messages :)

TheHellsMaster 09-16-2004 04:04 AM

yep... :-)
10x for that too... :-)
it may get in use in future since now I have a very complicated firewall and, with slight exceptions, almost every machine or custom range has its own rules, access and restrictions...

another question...
how about having multiple IPs but not a range?... for example, and

currently in such cases I just have a rule for each machine, but it's slower to maintain when some change in the rule is needed - I have to change it for all the machines...
if I was able to define multiple machines in one rule, when a change is needed I'll have to change only one rule... :-)

I was told something for multiple usage of "-s" or "-d" in the rule, like:

iptables -A INPUT -s -s -s -j ACCEPT

...but I haven't been able to test it yet, so I don't know if it actually works and if there's some impact on the performance of the firewall...

any ideas will be appreciated... :-)

scottman 09-16-2004 12:48 PM

I tried the multiple -s and -d flags and it gave me a message saying it
wasn't allowed. The way I currently load specific ips or ports is by
having a separate file, and reading the entries out of there with awk.
Here is a quick example.


# Drops packets from specific IP's, and rejects outgoing
# communication to them
function black_list() {
      awk '!/c/{print $3}' $FIREFILE | \
      while read i;do
            # --reject-with tcp-reset is only accepted together with -p tcp
            $IPT -A BLACKHOLE -d $i -p tcp -j REJECT \
                    --reject-with tcp-reset
            $IPT -A BLACKHOLE -s $i -j DROP
      done
}

This would read everything from the third column of $FIREFILE (just a variable for
the path to the file), and then put it into the variable $i. I put the !/c/ in the awk to stop
it from reading rows that contain the letter c. Here's an example file


a=tcp   b=udp   c=spy     d=lanallow
80      b       IP_ADD    IP_ADD
20      68      IP_ADD    d
21      67      c         d
110     b       c         d
25      b       IP_ADD    d
a       b       c         d
a       b       c         d
a       b       c         d

I know this isn't a very efficient way to do things, but it's what I came up with when I started
my firewall script, just started learning a few months ago. If anyone else has any other ideas or if there's an easier way I'd love to learn about it.

Sorry about the way firefile looks, it should be straight columns...
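The same idea with a plainer file format, as an added example written for this page rather than code from the thread: one address or CIDR block per line, `#` comments allowed, loaded into a single chain so that a policy change is one edit to the chain instead of one per host. The parser rejects anything that is not dotted-quad or dotted-quad/prefix and reports it on stderr, so a typo in the list does not silently disappear the way an awk column filter lets it. IPT and the BLACKHOLE chain follow the post; the file layout, the function names and the sample entries (RFC 5737 documentation addresses) are this example's own. Rules are printed, not executed.

```shell
#!/bin/sh
# Added example, not code from the thread. Loads single addresses and CIDR
# blocks from a file into one chain. IPT and the chain name follow the post;
# the file format (one entry per line, '#' comments) is this example's own.
# Rules are printed, not executed.
IPT=${IPT:-/sbin/iptables}

# Sample list, constructed for this example (RFC 5737 documentation ranges).
make_sample_list() {
    cat > "$1" <<'EOF'
# hosts that must not talk to us
192.0.2.10
192.0.2.11          # single host
198.51.100.0/24     # whole block
not-an-address
EOF
}

# parse_list FILE: print one clean entry per line. Comments and blank lines
# are dropped; anything that is not digits and dots with an optional /prefix
# is reported on stderr and skipped (iptables itself rejects an out-of-range
# octet or prefix when the rule is loaded).
parse_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                        # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        case $entry in
            *[!0-9./]*|*/*/*|.*|*.|*..*|*/|/*)
                echo "skipping bad entry: $line" >&2; continue ;;
        esac
        echo "$entry"
    done < "$1"
    return 0
}

# load_list FILE CHAIN: (re)create CHAIN and add, per entry, the two rules
# black_list() in the post uses: DROP inbound, TCP reset for outbound TCP.
load_list() {
    file=$1; chain=$2
    echo "$IPT -N $chain 2>/dev/null || $IPT -F $chain"
    for entry in $(parse_list "$file"); do
        echo "$IPT -A $chain -s $entry -j DROP"
        echo "$IPT -A $chain -d $entry -p tcp -j REJECT --reject-with tcp-reset"
    done
}

# as_csv FILE: the same entries as one comma-separated list, the form that
# current iptables accepts in a single -s or -d.
as_csv() {
    parse_list "$1" 2>/dev/null | paste -s -d ',' -
}

tmp=$(mktemp)
make_sample_list "$tmp"
load_list "$tmp" BLACKHOLE
echo "$IPT -A BLACKHOLE -s $(as_csv "$tmp") -j DROP"
rm -f "$tmp"
```

The chain still needs a jump from INPUT/OUTPUT/FORWARD, as in the post's own script. Two practitioner notes: current iptables (1.4 and later) accepts a comma-separated address list in one `-s`/`-d`, which is what `as_csv` builds, but it expands that into one rule per address internally, so it saves typing rather than lookups; for lists of hundreds of entries the scalable form is an ipset (`hash:net`) matched with `-m set`, which is one rule regardless of list size.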

TheHellsMaster 09-20-2004 11:06 AM

I'll see if this will work for me...
10x for the help anyway... :-)
