Good evening all,
I am running ubuntu20.04 and aimed to allow only specific ip addresses on a specified port.
Single ip definition works as expected but can't set it up for multiple ip addresses.
iptables -I INPUT \! --src 149.202.11.22,94.20.30.40 -m tcp -p tcp --dport 29999 -j DROP
It says:
iptables v1.8.4 (legacy): ! not allowed with multiple source or destination IP addresses. Try `iptables -h' or 'iptables --help' for more information.
I'd appreciate your help
Thank you
Boris
Hi,
I think the best solution here is just to flip the logic around, so that you have one rule listing the IPs from which the connection to TCP port 29999 should be accepted, and then after that rule another rule in the chain to drop all other traffic to that same port. So you'd end up with the same result, just using two rules: one to allow both your IPs, and one to block all others.
Hello @drysdalk ,
Got the point.
Let me work on it.
Thanks
Boris
Thank you @drysdalk ,
As you emphasized below, the order of chain rules is pretty important.
ACCEPT rules come before DROP..
iptables -A INPUT -p tcp -s all_ip_addresses,comma_seperated_here -j ACCEPT
iptables -A OUTPUT -p tcp -s all_ip_addresses,comma_seperated_here -j ACCEPT
iptables -A INPUT -p tcp --dport 29999 -j DROP
iptables -A OUTPUT -p tcp --dport 29999 -j DROP
iptables -A INPUT -p udp --dport 29999 -j DROP
iptables -A OUTPUT -p udp --dport 29999 -j DROP
Now it's accessible from only specified ip addresses.
Thank you & kind regards
Boris
Hello,
Great, glad to hear that helped. One thing to remember about iptables chains is that they are processed in order, with processing terminating on the first matching rule in the chain. So you'll want all your ACCEPT rules for this TCP port to come before your DROP rule, otherwise you'll end up dropping all traffic and accepting none, since the DROP rule will match all packets, and any further packet filtering for that port will then stop there.
You can use the -m iprange module to specify a range of IP addresses. The syntax for this module is -m iprange --src-range IP-IP. For example, to block incoming traffic from IP addresses 149.202.11.22 to 149.202.11.24 on port 29999, you can use the following command:
iptables -I INPUT -m iprange --src-range 149.202.11.22-149.202.11.24 -m tcp -p tcp --dport 29999 -j DROP
You can also use the -m iprange module to specify multiple ranges of IP addresses. For example, to block incoming traffic from IP addresses 149.202.11.22 to 149.202.11.24 and 94.20.30.40 to 94.20.30.44 on port 29999, you can use the following command:
iptables -I INPUT -m iprange --src-range 149.202.11.22-149.202.11.24,94.20.30.40-94.20.30.44 -m tcp -p tcp --dport 29999 -j DROP
Note that in order to specify multiple IP or IP ranges, they have to be separated by comma.