
#1 2009-06-26 17:01:28

nullvoid
Member
Registered: 2009-01-18
Posts: 33

[Solved] Allowing ip ranges in iptables

Hello everyone.

I don't have much experience with iptables. After about an hour on Google and several tries at getting iptables to limit a port on my server, I am forced to ask for help from you iptables gurus. I have set up an OpenVPN server on TCP port 8080, which I only want a certain IP range (92.122.x.x) on the internet to be able to access; anyone else's packets to the port should be dropped.

I would appreciate if someone could guide me in the right direction or just give me a command which I should type into iptables.

Regards,
David

Last edited by nullvoid (2009-06-26 19:10:06)


#2 2009-06-26 17:18:08

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Re: [Solved] Allowing ip ranges in iptables

I have no experience with it myself, but maybe the CIDR notation would help? Maybe something like 92.122.0.0/16?


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy


#3 2009-06-26 17:34:27

nullvoid
Member
Registered: 2009-01-18
Posts: 33

Re: [Solved] Allowing ip ranges in iptables

Thanks for the quick reply.

I have tried adding -s !92.122.0.0/16 and -s 92.122.0.0/16 without success. I have also tried --src-range and various other parameters, still without success. Probably I'm just misusing them.

Here's a few of my attempts which have failed:

iptables -A INPUT -i eth0 -p tcp -m tcp -s '!92.122.0.0/16' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --src-range '!92.122.0.0-92.122.255.255' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -m iprange ! --src-range '92.122.0.0-92.122.255.255' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -m iprange --src-range '92.122.0.0-92.122.255.255' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -m iprange --src-range '! 92.122.0.0-92.122.255.255' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -m iprange -s '!92.122.0.0/16' --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -s '!92.122.0.0/16' -i eth0 --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p tcp -s '!92.122.0.0/16' --dport 8080 -j DROP

Either iptables gives me an error or it simply doesn't work the way I want.

Last edited by nullvoid (2009-06-26 17:35:07)


#4 2009-06-26 18:20:16

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Re: [Solved] Allowing ip ranges in iptables

It was a wild guess... Seemed logical to me, but not to iptables it seems.

I don't know what you are using all the quotes for though... Did you try this, in the manner they described it (so without quotes):

http://www.cyberciti.biz/tips/linux-ipt … ports.html

Also - why not make the task simpler: instead of denying access for all IPs not in the specified range, just allow access for the ones in the range and set your policy to drop by default (which is never a bad thing, if you configure iptables correctly).


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy


#5 2009-06-26 19:09:52

nullvoid
Member
Registered: 2009-01-18
Posts: 33

Re: [Solved] Allowing ip ranges in iptables

I got help from a friend, here's the correct syntax I was looking for:

iptables -A INPUT -s 92.122.0.0/16 -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j DROP


#6 2009-07-13 22:26:25

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497
Website

Re: [Solved] Allowing ip ranges in iptables

This document could save time for many of you :: http://wiki.archlinux.org/index.php/Sim … wall_HOWTO


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.


#7 2009-07-13 22:50:39

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: [Solved] Allowing ip ranges in iptables

If the range of addresses you want to match doesn't fall within valid CIDR notation, you can use the iprange module too:

iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.0.10 -p tcp --dport 8080 -j ACCEPT

FYI, the use of '-m tcp' is synonymous with '-p tcp', so it is redundant to specify both.

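The two patterns in this thread, the ACCEPT-then-DROP pair from post #5 and the iprange module from post #7, are brought together in the added example below. It is not code from the thread or from the iptables project; it is a small Python generator that takes an inclusive IPv4 range and a port, chooses '-s CIDR' when the range is exactly one CIDR block and '-m iprange --src-range' otherwise, renders the rule pair as command lines (nothing is executed), and walks the chain with first-match semantics so the effect of rule order and of a default DROP policy (post #4) can be checked before anything is loaded into a kernel. The function and rule-dict names are my own.

```python
import ipaddress
import shlex


def source_match(first, last):
    """iptables arguments matching the inclusive IPv4 range first..last.

    A range that is exactly one CIDR block (92.122.0.0-92.122.255.255)
    becomes '-s 92.122.0.0/16'; any other range needs the iprange module,
    which is the point made in post #7. No negation is used anywhere, so
    the '!' placement problems from post #3 never come up."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} is after range end {hi}")
    blocks = list(ipaddress.summarize_address_range(lo, hi))
    if len(blocks) == 1:
        return ["-s", str(blocks[0])]
    return ["-m", "iprange", "--src-range", f"{lo}-{hi}"]


def build_chain(first, last, port):
    """The two-rule pattern from post #5, generalised to any range:
    ACCEPT the range, then DROP everyone else on that port.
    Order matters: iptables stops at the first matching rule, so the
    ACCEPT must be appended before the DROP."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [
        {"src": (lo, hi), "dport": port, "target": "ACCEPT"},
        {"src": None, "dport": port, "target": "DROP"},
    ]


def render(rules, chain="INPUT", proto="tcp"):
    """Turn the rule list into iptables command lines (strings only).
    '-m tcp' is omitted because '-p tcp' already loads the tcp match,
    as post #7 notes."""
    lines = []
    for r in rules:
        cmd = ["iptables", "-A", chain]
        if r["src"] is not None:
            cmd += source_match(str(r["src"][0]), str(r["src"][1]))
        cmd += ["-p", proto, "--dport", str(r["dport"]), "-j", r["target"]]
        lines.append(shlex.join(cmd))
    return lines


def verdict(rules, src, dport, policy="DROP"):
    """First-match walk of the chain for one packet (source address and
    destination port). Packets no rule matches fall through to the chain
    policy; post #4 recommends that policy be DROP."""
    addr = ipaddress.IPv4Address(src)
    for r in rules:
        if r["dport"] != dport:
            continue
        if r["src"] is not None and not (r["src"][0] <= addr <= r["src"][1]):
            continue
        return r["target"]
    return policy


if __name__ == "__main__":
    # The thread's own case: 92.122.x.x may reach OpenVPN on TCP 8080.
    chain = build_chain("92.122.0.0", "92.122.255.255", 8080)
    for line in render(chain):
        print(line)
    # Constructed sample packets, one inside the range and one outside.
    print(verdict(chain, "92.122.10.20", 8080))   # ACCEPT
    print(verdict(chain, "10.0.0.1", 8080))       # DROP
    # A range that is not one CIDR block, as in post #7.
    print(render(build_chain("192.168.0.0", "192.168.0.10", 8080))[0])
```

Running the script prints the same two lines nullvoid posted in #5 (minus the redundant '-m tcp'), and swapping in the 192.168.0.0-192.168.0.10 range switches the first rule to the iprange form automatically. The verdict walk is only a model of the INPUT chain for this one port; on a real host the rules above sit among whatever else is in the chain, so check the live ordering with iptables -L INPUT -n --line-numbers before relying on it.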
