Set iptables to allow only specified ip addresses on a specific port

Good evening all,
I am running Ubuntu 20.04 and aim to allow only specific IP addresses on a specified port.
A single IP definition works as expected, but I can't set it up for multiple IP addresses.

iptables -I INPUT \! --src 149.202.11.22,94.20.30.40 -m tcp -p tcp --dport 29999 -j DROP

It says:

iptables v1.8.4 (legacy): ! not allowed with multiple source or destination IP addresses. Try `iptables -h' or 'iptables --help' for more information.

I'd appreciate your help
Thank you
Boris

Hi,

I think the best solution here is just to flip the logic around, so that you have one rule listing the IPs from which the connection to TCP port 29999 should be accepted, and then after that rule another rule in the chain to drop all other traffic to that same port. So you'd end up with the same result, just using two rules: one to allow both your IPs, and one to block all others.

2 Likes

Hello @drysdalk ,
Got the point.
Let me work on it.

Thanks
Boris

Thank you @drysdalk ,
As you emphasized below, the order of chain rules is pretty important.
ACCEPT rules come before DROP.

iptables -A INPUT -p tcp -s all_ip_addresses,comma_separated_here --dport 29999 -j ACCEPT
iptables -A OUTPUT -p tcp -d all_ip_addresses,comma_separated_here --dport 29999 -j ACCEPT
iptables -A INPUT -p tcp --dport 29999 -j DROP
iptables -A OUTPUT -p tcp --dport 29999 -j DROP
iptables -A INPUT -p udp --dport 29999 -j DROP
iptables -A OUTPUT -p udp --dport 29999 -j DROP

Now it's accessible only from the specified IP addresses.

Thank you & kind regards
Boris

2 Likes

Hello,

Great, glad to hear that helped. One thing to remember about iptables chains is that they are processed in order, with processing terminating on the first matching rule in the chain. So you'll want all your ACCEPT rules for this TCP port to come before your DROP rule, otherwise you'll end up dropping all traffic and accepting none, since the DROP rule will match all packets, and any further packet filtering for that port will then stop there.

4 Likes
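The first-match ordering described in the reply above, as an added example that is not code from this thread: it prints the allow-then-drop rule pair for port 29999 and simulates chain evaluation on constructed packets, so the effect of putting DROP first can be checked without touching a real firewall. The IPs and the "POLICY" fall-through verdict are assumptions for the simulation.

```shell
#!/bin/sh
# Constructed example (not from the thread): build the allow-then-drop rule
# set for one port and simulate iptables first-match evaluation to show why
# the ACCEPT rule must precede the catch-all DROP.
PORT=29999
ALLOWED="149.202.11.22,94.20.30.40"   # comma-separated list, as -s accepts

# Print the two INPUT rules in the working order (ACCEPT listed sources, then
# DROP everything else on the same port). Nothing here touches the firewall.
allow_then_drop_rules() {
  printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$ALLOWED" "$PORT"
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$PORT"
}

# Abstract chains for the simulation: one "SRC DPORT VERDICT" rule per line,
# where SRC is a comma-separated list or "any".
GOOD_CHAIN="$ALLOWED $PORT ACCEPT
any $PORT DROP"
BAD_CHAIN="any $PORT DROP
$ALLOWED $PORT ACCEPT"

# First matching rule wins; a packet matching no rule gets the chain POLICY.
# Usage: evaluate "<chain>" <packet-src> <packet-dport>  -> prints the verdict
evaluate() {
  while read -r src dport verdict; do
    [ -n "$verdict" ] || continue
    [ "$dport" = "$3" ] || continue
    if [ "$src" = any ]; then echo "$verdict"; return 0; fi
    case ",$src," in *",$2,"*) echo "$verdict"; return 0 ;; esac
  done <<EOF
$1
EOF
  echo POLICY
}

verdict_good() { evaluate "$GOOD_CHAIN" "$1" "$2"; }
verdict_bad()  { evaluate "$BAD_CHAIN" "$1" "$2"; }

if [ "${1:-}" = demo ]; then
  allow_then_drop_rules
  echo "good chain, allowed src: $(verdict_good 149.202.11.22 "$PORT")"
  echo "good chain, other src:   $(verdict_good 203.0.113.9 "$PORT")"
  echo "bad chain,  allowed src: $(verdict_bad 149.202.11.22 "$PORT")"
fi
```

Run with `sh script.sh demo` to see the generated rules and the three verdicts; the last line shows that with DROP first, even the allowed address is dropped.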

You can use the -m iprange module to specify a range of IP addresses. The syntax for this module is -m iprange --src-range IP-IP. For example, to block incoming traffic from IP addresses 149.202.11.22 to 149.202.11.24 on port 29999, you can use the following command:

iptables -I INPUT -m iprange --src-range 149.202.11.22-149.202.11.24 -m tcp -p tcp --dport 29999 -j DROP

You can also use the -m iprange module to specify multiple ranges of IP addresses. For example, to block incoming traffic from IP addresses 149.202.11.22 to 149.202.11.24 and 94.20.30.40 to 94.20.30.44 on port 29999, you can use the following command:

iptables -I INPUT -m iprange --src-range 149.202.11.22-149.202.11.24,94.20.30.40-94.20.30.44 -m tcp -p tcp --dport 29999 -j DROP

Note that in order to specify multiple IPs or IP ranges, they have to be separated by a comma.

1 Like
