how to define a specific range of IPs and/or multiple IPs in an iptables rule?...
hi all,
how can I define a customized range of IPs (a segment from 192.168.0.0/24) or multiple IPs in a single iptables rule?...
...if possible at all...
like for example if you want to define source ports from 10 to 25 you type "--sport 10:25" or if you want to use multiple ports you type "-m multiport --sport 3,6,7,32"
...and you don't need to type one and the same rule for each port...
I need to do the same thing for IPs...
using the netmask does not work for me, since the ranges I need to define are custom...
if anyone can help me do this in iptables rule or using external script that will export the IPs - the beer is on me... :-)
piece of cake! But I actually think he meant a more strict range like from 192.168.0.5 to 192.168.1.10.
In this case there's a netfilter patch available... I don't think it passed stable yet, so probably you'll need patch'o'matic: www.netfilter.org
You could also try this (wasn't aware of the patch before I started it)
Code:
#!/bin/bash
range1="192.168.55.1:192.168.55.15"
function load_ranges()
{
    # -n tests for a non-empty string; the quoted form does not break when empty
    if [ -n "$range1" ]; then
        # Assumes both ends of the range share the first three octets;
        # they are taken from the high end of the range.
        first_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f1)
        second_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f2)
        third_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f3)
        low_range_num=$(echo "$range1" | cut -d : -f1 | cut -d . -f4)
        high_range_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f4)
        counter=1
        # The loop runs while the last octet is at or below the top of the
        # range, so the final address is included (-le is the shell's
        # integer "less than or equal" test).
        while [ "$low_range_num" -le "$high_range_num" ]; do
            current_ip="$first_num.$second_num.$third_num.$low_range_num"
            # you can add your rules here, and use $current_ip for the
            # range.
            #iptables -A FORWARD -i eth1 -d "$current_ip" -j DROP
            #iptables -A INPUT -d "$current_ip" -j DROP
            #echo "$current_ip"
            let low_range_num=$low_range_num+1
            let counter=$counter+1
            # Safety cap: never emit more than 255 addresses from one range
            if [ "$counter" -ge 255 ]; then
                break
            fi
        done
    fi
}
load_ranges
You could make it more useful for multiple ranges by taking an argument to it.
load_ranges "$range1"
or
load_ranges "$range2"
That would allow you to replace all times $range1 is used in the function with
$*. Then you could use it for multiple ranges, however you'd still be restricted
to one generic ruleset.
Code:
if [ -n "$*" ]; then
    first_num=$(echo "$*" | cut -d : -f2 | cut -d . -f1)
Also be careful with modifying this, any small errors could cause up to
255 output messages
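The script above only walks the last octet, so a range such as 192.168.0.254 to 192.168.1.2 cannot be expressed with it. The following is an added example, not code from the thread: it converts each end of the range to a 32-bit integer so the walk crosses octet boundaries, validates both addresses before anything reaches iptables, caps the number of generated rules, and shows the single-rule alternative with the iprange match (which current iptables ships built in). The $IPT variable defaults to a dry run that just echoes the commands; setting IPT=iptables applies them (root required). The 1024-address cap is an assumption of this example.

```shell
#!/bin/sh
# Dry run unless the caller sets IPT=iptables (assumption of this example).
IPT="${IPT:-echo iptables}"

# Dotted quad -> 32-bit integer. Rejects anything that is not four octets
# of 0-255 without leading zeros, so garbage never reaches iptables.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$oct" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print every address from $1 to $2 inclusive, one per line.
expand_range() {
    start=$(ip2int "$1") || { echo "bad start address: $1" >&2; return 1; }
    end=$(ip2int "$2")   || { echo "bad end address: $2" >&2; return 1; }
    if [ "$start" -gt "$end" ]; then
        echo "range start $1 is above its end $2" >&2
        return 1
    fi
    # Cap on generated rules, in the spirit of the 255 counter above.
    if [ $(( end - start + 1 )) -gt 1024 ]; then
        echo "range $1-$2 too large, refusing" >&2
        return 1
    fi
    i=$start
    while [ "$i" -le "$end" ]; do
        int2ip "$i"
        i=$(( i + 1 ))
    done
}

# One DROP rule per address, the way the script above does it.
block_range_expanded() {
    expand_range "$1" "$2" | while read -r ip; do
        $IPT -A INPUT -s "$ip" -j DROP
    done
}

# The same policy as a single rule using the iprange match.
block_range_iprange() {
    ip2int "$1" >/dev/null && ip2int "$2" >/dev/null || return 1
    $IPT -A INPUT -m iprange --src-range "$1-$2" -j DROP
}

# Usage (dry run): prints the five rules for 192.168.0.254 .. 192.168.1.2
block_range_expanded 192.168.0.254 192.168.1.2
block_range_iprange 192.168.0.254 192.168.1.2
```

Where the kernel has the iprange match, the single-rule form is preferable: one rule to maintain, no rule-count blow-up, and no loop that can misfire on a bad range.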
10x for that too... :-)
it may get in use in future times since now I have a very complicated firewall and with slight exclusions almost every machine or custom range has its own rules, access and restrictions...
another question...
how about having multiple IPs but not a range?...
...like for example 192.168.0.15, 192.168.0.31 and 192.168.0.134...
currently in such cases I just have a rule for each machine, but it's slower to maintain when some change in the rule is needed - I have to change it for all the machines...
if I was able to define multiple machines in one rule, when a change is needed I'll have to change only one rule... :-)
I was told something for multiple usage of "-s" or "-d" in the rule, like:
I tried the multiple -s and -d flags and it gave me a message saying it
wasn't allowed. The way I currently load specific ips or ports is by
having a separate file, and reading the entries out of there with awk.
Here is a quick example.
Code:
# Drops packets from specific IP's, and rejects outgoing
# communication to them
function black_list()
{
    awk '!/c/{print $3}' "$FIREFILE" | \
    while read -r i;do
        # --reject-with tcp-reset is only valid for TCP, so the rule needs -p tcp
        $IPT -A BLACKHOLE -p tcp -d "$i" -j REJECT \
            --reject-with tcp-reset
        $IPT -A BLACKHOLE -s "$i" -j DROP
    done
}
This would read everything from the third column of $FIREFILE (just a variable for
the path to the file), and then put it into the variable $i. I put the !/c/ in the awk to stop
it from reading rows that contain the letter c in it. Here's an example file
Code:
a=tcp  b=udp  c=spy   d=lanallow
80     b      IP_ADD  IP_ADD
20     68     IP_ADD  d
21     67     c       d
110    b      c       d
25     b      IP_ADD  d
a      b      c       d
a      b      c       d
a      b      c       d
I know this isn't a very efficient way to do things, but it's what I came up with when I started
my firewall script; I just started learning a few months ago. If anyone else has any other ideas or if there's an easier way I'd love to learn about it.
Sorry about the way firefile looks, it should be straight columns...
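For the "several machines, one policy" case asked about above, here is an added example that is not code from this thread. It keeps the list of addresses in a plain one-per-line file (comments and blank lines allowed), validates every entry before it is handed to iptables so that a stray column or typo in the file cannot turn into a broken or unintended rule, and then applies the list in two ways: per-address rules in a dedicated chain like the BLACKHOLE chain above, and a single rule against an ipset (ipset is a separate tool that current kernels support; membership is then edited with ipset add/del without touching the rules). The sample file is constructed here; $IPT and $IPSET default to echo so the block runs as a dry run, and the set name "blacklist" is an assumption of this example.

```shell
#!/bin/sh
# Dry run unless the caller sets IPT=iptables IPSET=ipset (assumption of this example).
IPT="${IPT:-echo iptables}"
IPSET="${IPSET:-echo ipset}"

# Constructed sample list: one address per line, '#' starts a comment.
HOSTFILE=$(mktemp)
cat > "$HOSTFILE" <<'EOF'
# machines that get the same treatment
192.168.0.15
192.168.0.31   # trailing comment is fine
192.168.0.134
999.1.1.1      # malformed on purpose: must be skipped, never passed to iptables
EOF

# Strict dotted-quad check: four octets, each 0-255, no leading zeros.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Emit the valid addresses from a list file, one per line; warn about the rest.
read_hosts() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    grep -v '^$' |
    while read -r ip; do
        if valid_ip "$ip"; then
            echo "$ip"
        else
            echo "skipping malformed entry: $ip" >&2
        fi
    done
}

# Per-address rules in a dedicated chain (the approach taken in the post above).
blacklist_chain() {
    $IPT -N BLACKHOLE
    read_hosts "$1" | while read -r ip; do
        $IPT -A BLACKHOLE -s "$ip" -j DROP
        $IPT -A BLACKHOLE -p tcp -d "$ip" -j REJECT --reject-with tcp-reset
    done
}

# One rule matched against an ipset; the set holds the addresses.
blacklist_set() {
    $IPSET create blacklist hash:ip
    read_hosts "$1" | while read -r ip; do
        $IPSET add blacklist "$ip"
    done
    $IPT -A INPUT -m set --match-set blacklist src -j DROP
}

# Usage (dry run): prints the commands each approach would execute.
blacklist_chain "$HOSTFILE"
blacklist_set "$HOSTFILE"
```

With the ipset form, changing which machines are covered means editing the set, not the ruleset, which is exactly the maintenance problem described above; the chain form still has the advantage of working on a box without ipset installed.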