How to use or specify multiple IP addresses in iptables source or destination on Linux

The -s (--source) and -d (--destination) options each accept a single address, a network in CIDR notation, or a comma-separated list of addresses.

How to add multiple sources in a single iptables command

I need to specify multiple IP addresses in iptables from a Linux script. How do I create a rule that uses multiple source or destination IP addresses? You can set multiple source (or destination) IP addresses or ranges using the following easy-to-use syntax. This tutorial shows you how to use multiple IP addresses in the source or destination of an iptables rule on Linux.

The syntax is as follows. iptables expands a comma-separated list into one rule per address, so -A adds several rules at once and -D with the same list deletes them all:

iptables -A INPUT -s ip1,ip2,ip3 -j ACCEPT

iptables -A INPUT -s ip1,ip2,ip3 -j DROP

iptables -I INPUT -s ip1,ip2,ip3 -d ip2 -j DROP

To accept traffic from 192.168.1.5 and 192.168.2.6 addressed to 192.168.1.254, run:

iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -j ACCEPT

Another example:

iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -p tcp --dport 443 -j ACCEPT

In this example, DROP packets to port 80 from the same two IP addresses:

iptables -A INPUT -s 192.168.1.5,192.168.2.6 -d 192.168.1.254 -p tcp --dport 80 -j DROP

In this example, port-forward (DNAT) HTTPS traffic from two source IP addresses to an internal host. DNAT rules belong in the nat table, so -t nat is required; the translated flow must also be allowed in the FORWARD chain and net.ipv4.ip_forward must be enabled, otherwise the kernel rewrites the packet and then drops it:

source="139.59.1.155,23.239.7.187"

dest="104.20.187.5"

port=443

redirect="10.105.28.43:443"

iptables -t nat -A PREROUTING -s "${source}" -d "${dest}" -p tcp --dport "${port}" -j DNAT --to-destination "${redirect}"

It is possible to drop a list of IP addresses read from a file using a new chain, as follows:

#!/bin/bash
# Drop every address listed in a file (one address or CIDR block per line)
# through a dedicated chain, logging each hit before dropping it.
_input="/root/block.ip.address.list.txt"
IPT=/sbin/iptables

$IPT -N droplist

# Skip comments and blank lines; each remaining line becomes its own pair of rules.
# Logging is rate-limited so a flood from a blocked address cannot fill the logs.
grep -Ev '^#|^$' "$_input" | while IFS= read -r ip; do
    $IPT -A droplist -i eth1 -s "$ip" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "myBad IP BlockList "
    $IPT -A droplist -i eth1 -s "$ip" -j DROP
done

# Hook the chain into the built-in chains. An OUTPUT jump is pointless here:
# locally generated packets have no input interface, so -i eth1 never matches them.
$IPT -I INPUT -j droplist
$IPT -I FORWARD -j droplist
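As an added example, not code from the original article: a POSIX sh script that reads an address list file, validates every entry as an IPv4 address or CIDR block before it can reach a rule, joins the survivors into the comma-separated form used above, and renders the INPUT accept rule plus the complete DNAT rule set (nat PREROUTING, the matching FORWARD accept and the ip_forward sysctl) as text instead of executing it. The list file contents, the IPT path and every address are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a validated
# comma-separated address list and renders iptables rules as text (dry run).
# IPT, the list file contents and every address here are assumptions.

IPT="${IPT:-/sbin/iptables}"

# Write a constructed sample list to the file named in $1.
make_sample_list() {
    cat > "$1" <<'EOF'
# trusted management hosts (comments and blank lines are ignored)
192.168.1.5
192.168.2.6

10.0.0.0/24
not-an-address
EOF
}

# Return 0 only for a dotted-quad IPv4 address with an optional /0-32 prefix,
# so a stray or hostile line in the list can never become a wildcard match.
valid_ipv4() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(printf '%s\n' "${1%%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the valid entries of file $1 joined by commas; report rejects on stderr.
build_addr_list() {
    addrs=""
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        if valid_ipv4 "$line"; then
            addrs="${addrs:+$addrs,}$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$1"
    printf '%s\n' "$addrs"
}

# Filter rule: accept TCP port $3 to host $2 from every address in list $1.
# iptables expands the list into one rule per address when the rule is loaded.
render_input_accept() {
    printf '%s -A INPUT -s %s -d %s -p tcp --dport %s -j ACCEPT\n' "$IPT" "$1" "$2" "$3"
}

# Port forward: list $1 -> public address $2, port $3, rewritten to $4 (host:port).
# DNAT lives in the nat table; the rewritten flow also has to pass FORWARD,
# and net.ipv4.ip_forward must be 1, or the packet is translated and then dropped.
render_dnat() {
    printf '%s -t nat -A PREROUTING -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$IPT" "$1" "$2" "$3" "$4"
    printf '%s -A FORWARD -s %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$IPT" "$1" "${4%%:*}" "${4##*:}"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

main() {
    tmp=$(mktemp)
    make_sample_list "$tmp"
    addrs=$(build_addr_list "$tmp")
    rm -f "$tmp"
    render_input_accept "$addrs" 192.168.1.254 443
    render_dnat "$addrs" 104.20.187.5 443 10.105.28.43:443
}

main
```

Run it as-is to review the generated commands; the invalid line is reported on stderr and never reaches a rule. Once the output looks right, pipe it into sh as root to apply it.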

How to add multiple destination in a single iptables command

The syntax is:

iptables -A INPUT -d ip1,ip2,ip3 -j ACCEPT

iptables -A INPUT -d ip1,ip2,ip3 -j DROP

iptables -I INPUT -d ip1,ip2,ip3 -s ip2 -j DROP

Some examples:

iptables -A INPUT -d 192.168.1.5,192.168.1.6 -j ACCEPT

iptables -A INPUT -d 192.168.1.5,192.168.1.6 -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -d 192.168.1.5,192.168.1.6 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

To view the added rules, run:

iptables -t filter -L INPUT -n -v

Sample output from a firewalld-managed host. Each address given in a comma-separated -s or -d list shows up as its own rule. Note also that the rules appended with -A landed below the catch-all REJECT rule, so their packet counters stay at zero and they never match; insert them with -I (or use firewalld's direct rules) instead:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target              prot opt in     out     source               destination
 5632 6156K ACCEPT              all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    80 ACCEPT              all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  553  128K INPUT_direct        all  --  *      *       0.0.0.0/0            0.0.0.0/0
  553  128K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  553  128K INPUT_ZONES         all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP                all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  551  128K REJECT              all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT              tcp  --  *      *       192.168.1.0/24       192.168.1.5          tcp dpt:22
    0     0 ACCEPT              tcp  --  *      *       192.168.1.0/24       192.168.1.6          tcp dpt:22
    0     0 ACCEPT              tcp  --  *      *       0.0.0.0/0            192.168.1.5          tcp dpt:22
    0     0 ACCEPT              tcp  --  *      *       0.0.0.0/0            192.168.1.6          tcp dpt:22
    0     0 ACCEPT              all  --  *      *       0.0.0.0/0            192.168.1.5
    0     0 ACCEPT              all  --  *      *       0.0.0.0/0            192.168.1.6
    0     0 ACCEPT              tcp  --  *      *       192.168.1.5          192.168.1.254        tcp dpt:443
    0     0 ACCEPT              tcp  --  *      *       192.168.2.6          192.168.1.254        tcp dpt:443

A note about user defined chain

It is possible to create a new user-defined chain as follows. Keep in mind that RETURN only hands the packet back to the calling chain (here INPUT), and a packet that reaches the end of a user-defined chain returns as well, so the chain below has no effect on its own; it becomes useful once a final rule that drops or rejects everything else is appended after the RETURN rules:

iptables -N ALLOWED

iptables -A ALLOWED -d 127.0.0.0/8 -j RETURN

iptables -A ALLOWED -d 192.168.1.0/24 -j RETURN

iptables -A ALLOWED -d 205.54.1.5 -j RETURN

iptables -A INPUT -j ALLOWED

See iptables man page for more info:

$ man iptables